Further articles on managing the threat of a ransomware attack and mounting an effective response are available on our cybersecurity hub.
Question: Has there been an increase in cyberattacks since the start of the Covid-19 pandemic?
Yes, there was a fivefold increase in cyberattacks in 2020 over 2019 levels. The destructiveness of the attacks is also increasing. Seven years ago, less than 1% of all cyberattacks were disruptive or destructive in nature; that figure rose to more than 18% in 2020.
Question: Are cybercriminals becoming more sophisticated in their methods?
There has been some increase in sophistication but not of any great significance. When cybersecurity events are investigated the methods tend to be quite rudimentary. While malware can be tricky and can evade certain defences, organisations can still protect themselves through quite basic hygiene measures. Ensuring that systems are kept up to date and patched is part of that. But building a culture of cyber awareness among employees is probably most important.
Question: How can organisations embed a culture of cyber vigilance?
Tone at the top is critically important. It starts with the Board and the C-Suite and their administration staff. They have to be seen to role model the right behaviours and communicate what good cybersecurity looks like. That is key to establishing a culture of security by design in an organisation.
Question: What other measures can organisations take to defend themselves against cyberattacks?
There is clear evidence of a strong link between IT hygiene and security excellence. Studies show that the organisations with the fewest serious cyber breaches tend to be those that have invested in methodologies like the IT Infrastructure Library (ITIL). These are not security frameworks; they are IT optimisation frameworks. They enable organisations to understand their assets, to patch them when necessary, to manage their configuration and to update them. One of the first places to start to fix the security problem is within the IT department, striving for excellence in the management of the IT infrastructure.
Question: Is there such a thing as a complete defence against cyberattack?
No. That’s not possible unless an organisation has no IT infrastructure at all. Organisations can’t exist without some incidents and if they do, it’s difficult to see how they can effectively use IT to support the business because they have locked themselves down so tightly. The key KPI to look for from your security team is increasing attack numbers – that reflects what’s happening in the real world. It shows that the IT team is aware and tuned in to the threat landscape. And the number of impactful events should be going down as a result of your security measures.
Question: What should an organisation do in response to a ransomware attack?
There are certain basic IT steps to take, such as taking a photograph of the ransom note, isolating the workstation where it appeared, making sure back-ups haven't been affected and so on. Ultimately, every organisation needs a 'Response Run-book' that takes over to deal with the shock and implement the initial best course of action.
Beyond IT, the first thing to do is call either external or internal legal counsel. You should establish if communications in relation to the event enjoy legal privilege and the implications of that. Do you need non-disclosure agreements signed by people within the organisation as well as external partners?
You should also work with the PR and marketing departments to ensure they are ready to proactively or reactively address the communication requirements with external stakeholders.
Your insurers need to be called in as they will have a key role to play in any ransom decisions. Third party forensic expertise should also be enlisted to assist in the investigation into the incident.
Question: Who should lead the response? Should it be the CEO, CISO or some other executive?
It doesn’t really matter who leads the response. They don’t even necessarily need to have IT expertise as long as they possess certain key characteristics. They have to be calm, the type of person who is able to manage lots of spinning plates at the same time. They need to be able to tell people what to do and what not to do in a calm fashion. They also need to be comfortable telling the truth. It’s a frenetic time and the Board and the C-Suite are going to demand answers in relation to what happened and how it has impacted the organisation. The answer has to be that you don’t know and you’re probably not going to know for at least three weeks, and the full picture could take months or years to emerge. Ninety per cent of incidents never get to a conclusion, as the organisations simply don’t have the logs and evidence required to ever get to an answer.
Question: What are the practical steps to recovery after a ransomware attack?
It’s a three-part journey with all elements occurring in parallel. The first is to get in an expert negotiator who will work with the attackers. They will get samples of data or decryption keys to establish ‘proof of life’ – that these people are who they say they are.
The second is to look at your back-ups and establish if they can be used for recovery. It may not be a question of using the last good back-up; the hacker may have got into earlier back-ups or into the storage system, so you may have to go back three or four versions. You also have to establish if you can bring back the data without access to the infrastructure and applications that hosted it.
The third is to look at what ‘starting from scratch’ looks like, if that offers real prospects for recovery, and how long it would take.
You have to test all three and establish what is best for your organisation.