Ransomware: How to prepare and respond


This article is part of the Greater Birmingham Chambers of Commerce’s Raise the BAR (Business Adaptability & Resilience) Campaign, sponsored by Western Union Business Solutions. This campaign provides Chamber members with a platform to share learning and inspiration on this agenda. All views and opinions expressed below are those of the author only.

By Dave Loewy, Group Information Security Manager, Wesleyan

Ransomware: The scale of the challenge for UK businesses

This is a difficult one to gauge, as many companies that are attacked choose not to disclose the attack for one reason or another. The security industry currently reports that bulk, indiscriminate ransomware has decreased in favour of other types of malware such as Trojans, phishing and cryptomining. Threat actors still pursuing ransomware attacks seem to have progressed to more specific, higher-worth targets.

How businesses can prepare for an attack:

At a high level there are a number of steps that can help:

  • Educate – develop user awareness training. Colleagues are a great line of defence, and the more educated they are, the harder it is for the bad guys
  • Patch – have a patching process; ensure patching is timely, structured and up to date across your IT estate
  • Test – develop a penetration testing schedule, run vulnerability scans and rehearse incident response, disaster recovery and business continuity processes
  • Plan – put an incident response plan and playbooks together; decide what you’re going to do, who needs to be involved and how you’re going to make decisions, and rehearse it

The systems at greatest risk of cyber attack:

This really depends on the motives behind the attack. In the main, ransomware is designed to cause disruption and prevent access to systems and data, thereby inhibiting a firm’s ability to trade until the ransom is paid. However, in some cases ransomware has been used to mask other malicious activity such as data theft or data destruction.

Firms should assess their own systems and data by taking a risk-based approach. Look at monitoring and protecting the systems and data that are critical to customers and to the operation of the individual business. When you understand the risks, you can determine impact and likelihood and therefore make decisions around resources and security spend.

What to do if your business is affected by ransomware:

You need to be realistic and take a look at your capability to respond and recover. If you’ve planned and practised, then it’s time to act. Assess the impact, get the plan out, raise the recovery teams and kick off disaster recovery and business continuity.

Sounds simple, but unfortunately in many cases it’s not. This is where strong, clear leadership comes in, and some hard decisions may need to be made. It may be worth seeking external help by engaging a security company or signing up to an incident response retainer. Even large businesses accept that they need help with serious cyber incidents, due to the complexities involved in the attack and recovery process.

If you’re a regulated business you need to consider how, what and when you communicate to your regulator. External agencies may also need to be involved such as the Information Commissioner, Action Fraud and the National Cyber Security Centre.

A consideration may even be to pay the ransom. There is a lot of guidance out there stating that this is not good practice: can you trust criminals? However, some businesses have done this and have been able to recover. Unfortunately, this is one of many hard decisions that you need to weigh up on an individual basis. At least if you’ve planned and practised you can make some considered decisions.