Ransomware, to a company, is just as dangerous as a fire. But does your organization have a playbook ready? Such an emergency plan can make a world of difference for you as an IT person when criminals attack.
The fire alarm is going off! In no time you will see the company’s emergency response team speeding through the hallway. But you already know what you need to do: drop everything and go outside through the nearest exit! Just like the other employees. Moments later, everyone is safe. When the fire department arrives on scene with howling sirens the company’s emergency response officers have already extinguished the fire. Everyone heads back inside content. Past years’ training exercises were not for nothing. The playbook did its job.
How would that go with another big threat: ransomware? An employee reports something unusual: he cannot access the files on a certain server. You try it yourself, and indeed: all files on the server turn out to be encrypted. Ransomware!
Now what? While the adrenaline starts pumping through your body, you decide that there is nothing else to it: to stop the ransomware, everything needs to be locked down. You tell your people they need to shut down the company network within 15 minutes.
Quickly, you write an email, directed to all employees. The wording is off, but speed is of utmost importance right now.
After less than a minute the phone rings. It’s the CEO himself! Not an easy person…
He asks if you have lost your mind. Shut down the network? Immediately? Of all possibilities in the busiest week of the year? Because of a little server issue? No way!
Shocked, you gesture to your people that they will have to wait a little. It is going to be a difficult and long conversation.
And while you are desperately trying to convince the CEO, the ransomware is steadily spreading across the company network.
This scenario can become reality at a lot of companies, because there are still very few organizations that have a playbook ready for dealing with ransomware attacks. If things then go wrong, everyone has to improvise. In a race against time!
This not only goes for you, but also for the business managers and regular employees. No one knows what is going on or how they should respond. How do you prevent such chaos?
ISO 27001/27002, among other sources, can provide guidance here. This standard describes which controls should be included in a solid playbook for security incidents. Some examples:
- Where people can report an incident;
- How it is analyzed and logged;
- Who has which tasks and responsibilities;
- What messages should be sent out, and to whom;
- What measures should be taken to prevent spreading;
- How the damage will be repaired.
Especially the reporting part is often overlooked. But it is essential. Not just for you, to get an overview and make the right changes afterwards. But also for the emergency services. Because, just as the fire department can be called in the event of a fire, you can also call in the help of a Computer Emergency Response Team (CERT). Tracking down and removing malware is a specialty that requires continuous education, after all. If you can provide clear information, the CERT can get to work right away.
Another similarity between ransomware and fire is of course the need to practice acting out the playbook. Regularly and at all levels! For management and IT there are crisis simulations. During those activities, everyone learns what could go wrong and who will then have the authorization to make certain decisions. The regular employees, in their turn, must learn to recognize ransomware and other irregularities. So that they will not fall victim, but rather sound the alarm immediately.
How do you keep out ransomware?
The right tools
To be able to respond adequately, you need the right software. The software will immediately provide an overview of what is going on: where the threats are coming from, and what kinds of connections there are between suspicious activities on the network. Everything from a single console, with intuitive software. This way no time is wasted on coordination issues. Subsequently you need to be able to isolate the malware. Preferably by shutting down specific segments, instead of shutting down the entire network. After all, the security cameras do not need to be connected to the company’s financial department, and there are many more such logical partitions.
By introducing network segmentation we also arrive at the preventive measures. Because, here too, prevention is better than cure. If you want to give ransomware and other types of malware no room, it is extremely advisable to organize the following correctly:
- Authorization: neither employees nor systems should be given more authorizations and access than necessary for their position or purpose. This reduces the risks associated with hacks.
- Multi-Factor Authentication (MFA): a password has not been enough by itself in a long time. The best addition is an authentication app on the employees’ smartphones.
- Endpoint Detection and Response (EDR): this modern software on the laptops recognizes suspicious activities, even when it comes to malware that is still unknown.
- Backup: in case things still get out of hand, you have to be able to rely on a backup that has not been erased or encrypted by the criminals. And it must be possible to restore this backup within a couple of minutes, or several hours at the most.
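The backup point above is only worth something if it is checked before the emergency, not during it. The script below is an added example (not code from the original article) of a restore drill that answers the three questions a playbook should ask about a backup: is every file still the one that was written (or has it been altered or removed since), is the copy recent enough, and can it actually be restored within the time budget? The recovery objectives, the file names and the sample contents are all constructed for the example; set the two limits from your own continuity plan.

```python
import hashlib
import json
import shutil
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path

# Recovery objectives are assumed for the example; take them from your own continuity plan.
MAX_BACKUP_AGE_SECONDS = 24 * 3600   # how old the newest usable copy may be
MAX_RESTORE_SECONDS = 4 * 3600       # how long a restore may take ("several hours at the most")


@dataclass
class DrillResult:
    intact: bool                     # every file matches the hash recorded at backup time
    fresh: bool                      # the copy is younger than MAX_BACKUP_AGE_SECONDS
    restored_in_time: bool           # the test restore finished within MAX_RESTORE_SECONDS
    mismatched: list = field(default_factory=list)  # files that changed or vanished since backup

    @property
    def passed(self) -> bool:
        return self.intact and self.fresh and self.restored_in_time


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, created: float) -> Path:
    """Hash every file in the backup and store the list next to it.
    In practice the manifest belongs on a separate, write-once medium, so that whoever
    reaches the backup share cannot silently rewrite both the data and its record."""
    files = {str(p.relative_to(backup_dir)): sha256_of(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    manifest_path = backup_dir.with_name(backup_dir.name + ".manifest.json")
    manifest_path.write_text(json.dumps({"created": created, "files": files}))
    return manifest_path


def run_restore_drill(backup_dir: Path, manifest_path: Path,
                      restore_dir: Path, now: float) -> DrillResult:
    manifest = json.loads(manifest_path.read_text())
    # 1. Integrity: a file that no longer hashes as recorded has been altered or removed,
    #    which is exactly what ransomware that reaches a backup share leaves behind.
    mismatched = [rel for rel, digest in manifest["files"].items()
                  if not (backup_dir / rel).is_file() or sha256_of(backup_dir / rel) != digest]
    # 2. Freshness: an intact copy is useless if it predates the data you need back.
    fresh = (now - manifest["created"]) <= MAX_BACKUP_AGE_SECONDS
    # 3. Restore time: actually copy the data out and measure it, rather than assuming.
    start = time.monotonic()
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    elapsed = time.monotonic() - start
    return DrillResult(intact=not mismatched, fresh=fresh,
                       restored_in_time=elapsed <= MAX_RESTORE_SECONDS, mismatched=mismatched)


def demo() -> tuple:
    """Build a constructed backup, drill it once clean and once after a file was overwritten."""
    root = Path(tempfile.mkdtemp())
    backup = root / "backup-sample"      # constructed sample data, not a real backup
    backup.mkdir()
    (backup / "payroll.csv").write_bytes(b"id,name,salary\n1,alice,1000\n")
    (backup / "docs").mkdir()
    (backup / "docs" / "plan.txt").write_bytes(b"incident playbook v3\n")
    created = time.time()
    manifest = write_manifest(backup, created)

    clean = run_restore_drill(backup, manifest, root / "restore-1", now=created + 3600)

    # What the drill must catch: one backup file no longer holds its original content.
    (backup / "payroll.csv").write_bytes(b"\x00\xffnot the original content\xff\x00")
    tampered = run_restore_drill(backup, manifest, root / "restore-2", now=created + 3600)
    shutil.rmtree(root, ignore_errors=True)
    return clean, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, "PASS" if result.passed else "FAIL", result.mismatched)
```

Run the drill on a schedule and treat any `FAIL` as an incident in its own right: a backup that fails the integrity or freshness check is the one you would have discovered to be unusable on the day the ransomware hits.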
But, you probably do not have to be told all of this. You have all of this covered, right?