A call comes in from the helpdesk: A user reports that she has a red screen on her desktop asking for a cryptocurrency payment and that she cannot get into any of her applications and files. There is a clock ticking in the upper right-hand corner of the screen, indicating that if she does not pay by the time the clock expires, the cost will double. She wants to know what to do.
The helpdesk’s call for guidance is typically to IT, but it might go to legal, human resources, auditing, or the chief operating officer. Regardless, people are unsure what to do next. The clock is literally ticking.
While someone searches for the incident response plan, the helpdesk supervisor calls again, saying that phones are ringing off the hook with users reporting the same problem. Just as the company’s incident response plan is found, that screen goes red.
What happens now?
The above scenario is typical of what occurs during a ransomware attack. These attacks occur every 14 seconds in the United States and then spread rapidly to all systems in an enterprise (per Cybersecurity Ventures). During some attacks, 30,000 systems can be compromised in less than 45 minutes. The usual reaction is chaos and panic, but it does not have to be.
What Management Should Do
First, understand that being able to effectively manage a cyber-attack requires a great deal of preparation, testing, and readiness. Second, an organization must speak with one public voice during the attack and remediation. Third, the organization must have the following in place:
- An incident response team with a designated leader
- An incident response plan
- A cybersecurity retainer agreement with a firm that specializes in helping organizations respond to cyberattacks
- A hard copy of the incident response plan located in all the critical support functions, including auditing, business leadership, communications, the executive suite, human resources, information security, IT, and legal
- A predesignated site for the incident response team to gather. (This can be on- or off-site.)
Already, many organizations will see some self-imposed obstacles to this strategy—the incident response plan may be unlocatable; it may be out of date; the designated team members may no longer be in the organization; there may be no plan at all. In addition, there may be no cybersecurity retainer in place. In such a case, the following best practices can help manage the seemingly unmanageable:
- Designate a leader and a deputy leader and have them confirmed by the CEO or COO.
- Designate one person and one backup to act as the communication point to the markets and the press.
- Call law enforcement (local police and the FBI).
- Call a cyber-response firm (often, law enforcement can recommend one).
- Accept the fact that business will be lost and costs will be incurred.
- Get ahead of the bad news and manage the problem, not the blame.
What Auditors Should Do
Auditors will be tasked with providing guidance on best practices to protect the organization moving forward. They may also need to help keep egos in check and focus everyone on creating the best outcome. Raw emotions will be expressed. It is important to keep the focus on the problem at hand and remind everyone that whatever happens while addressing the incident shouldn’t live past the incident.
Auditors also will want to document the key risk factors observed during the process, as the key task after resolving the incident will be to either build or improve the incident response plan. The auditors’ guidance regarding the risk factors will be important to remediating the root causes of the attack and improving the organization’s resiliency to future attacks. In addition, the auditor’s voice will be the one most heard by law enforcement. Contacting law enforcement immediately after the attack will encourage them to view the company as the victim and act accordingly. Waiting will only make law enforcement think there is something to hide.
Lastly, auditors should be prepared to either author or review and approve the post-attack report. As information is vetted, be sure to address all of the remediation recommendations as thoroughly as possible, focusing on the identified weaknesses. Review any notes from the incident response. If the proposed go-forward strategy does not adequately address a weakness, flag it, advocate for the correct strategy, and withhold approval until management agrees.
Most of all, accept that all of this will occur at some point. No business is immune from attack; the question is no longer if there will be an attack, but when. Successfully managing such a crisis will have long-term positive impact on the business.