Imagine that you sat down at your desk with your morning coffee and before you could stop yourself you clicked a link that came in your email. Next thing you know your computer is frozen and you have received a ransom note. Do you know who to call first? This is an uncomfortable exercise to a degree, but one that every leader should do with their team.
Sooner or later, this situation is probably going to occur. One only has to look at recent headlines, from the Colonial Pipeline attack that caused disruptions across the United States to the SolarWinds attack, which is still revealing victims. Role-playing this scenario is therefore quite helpful for homing in on your weak spots.
The first thing you should do is make sure everyone on your team knows the plan. Do you have a cyber incident response plan? Typically, this is a document that lists how the teams should get organized, who should be involved in the response team, and whom to notify, e.g. the data protection authorities.
The next question, particularly for the leadership team, is what you would do if you received a ransom note. The ideal answer is of course that no one should ever pay a ransom, but in today's world we know that is simply not the case. Organizations have been known to pay millions of dollars in these situations. The main reason they do this is a lack of appropriate preparation, especially backups.
In the best-case scenario, your data is already encrypted: even if hackers could exfiltrate it, they are not likely to profit from it. But what if there is no encryption? Then you face the risk of double extortion, where hackers demand a ransom in exchange for giving you back access to your data while at the same time planning to sell everything they could steal on the dark web. In any case, you are most likely to fall back on your backups and rebuild your systems from a clean slate. This is the best way to make sure the hackers did not leave anything else behind. Of course, this takes time. Are you prepared for this? Are you confident in your backup systems? If not, what can you do to improve?
If you do choose to pay the ransom, you are validating the hackers' business model; but if you don't, how are you going to move forward? There is no guiding policy on this right now. The situation gives rise to more questions: if you do choose to pay a ransom, should you tell people? I'd argue that you should be as transparent as possible, share your lessons learned, and say what you are doing to make sure it never happens again. We need to get over the stigma around discussing ransomware incidents. It happens to the best of us; what matters is how quickly you get back up on your feet after the hack.
While role-playing this scenario may seem dramatic, think of it like a fire drill: you have to run the scenario to prepare as best you can. Of course, every situation will vary depending on the business, but the less you feel caught off guard, the better you will be able to make decisions.