What CIOs should do post a ransomware attack

The world is grappling with an increased number of cyberattacks as industries continue to undergo digital transformations and advancements. The repercussions of these cyberattacks can be devastating, causing disruption, financial loss and reputational damage.

According to a report by Think Teal, 74% of Indian CIO's stated that cyberattacks were the main cause of business disruption in today’s digitised business world. The report revealed that 80% of ransomware attacks specifically target an organisation’s backup infrastructure and 70% of Indian CISOs agreed that the non-alignment of IT and Backup teams was the primary reason for increased ransomware attacks. 

While cyberattacks will continue to proliferatie with the increasing uptake of new technologies such as generative AI, and the challenges and pressures on CIOs continue to rise, we suggest four crucial steps for an efficient response following a cyberattack.

Observe

When experiencing a ransomware attack, our initial instinct from a security perspective is to eliminate the threat and resolve the issue. However, this isn’t the best approach.

Instead, a CIO should first focus on isolating the bad actors within the environment. Sequestering them without removal is helpful because you can observe and understand the bad actor’s actions while preventing further harm to other parts of the business. Immediately removing or resolving the threat is tempting, but it often removes the ability to analyse the threat actor’s behaviour, which can reveal insights about their intent, target and strategy, in addition to the company’s own vulnerabilities. It is also important to understand the extent of the compromise both from a systems and data perspective.

Critical observation will provide CIOs with a better understanding of the threat actor’s approach. This knowledge can then be leveraged to help develop an improved, proactive strategy to defend against the next ransomware attack.

Correct

After taking the necessary steps to collate valuable data on the attacker, the business can implement corrective measures.

‘Corrective measures entail removing the threat, patching the attack vector, recovering systems and data, and getting employees back online efficiently to minimise business disruption. When removing the threat, CIOs should do so while preventing any immediate re-attack through the original point of breach or any other potential vulnerability. In the ideal situation, businesses should have a robust, well-defined and tested recovery plan. This will not only ensure business continuity, but also avoid confusion around processes during and after an attack.

After the attacker has been removed, the CIO should initiate a full assessment of the damage, checking through data, backups and logs to determine what is missing and whether it can be recovered, if there is a copy or if further action is required.

Prevent

In the third step, CIOs can kick off preventative measures to prevent a similar attack in future. Assessing security measures will help identify immediate gaps or vulnerabilities in your attack surface.

While an attacker may not return to the scene of the crime for a repeat attack, knowing their point of entry can help patch the vulnerability and protect against another threat. When reviewing the attacker’s criminal profile, a CIO should focus on several key variables: the target, the attacker’s identity, the actions they took, and the impact they caused. These factors are crucial to determining strategies to minimise future risks. Identify the pattern of behaviour to determine if similar activity could cause another, or wider, breach.

Although cyberattacks are often seen as a technical concern, human error is in fact one of the biggest risk factors. Many successful attacks occur through social engineering, such as phishing scams that take advantage of distracted employees. This is why ongoing employee training that involves phishing simulations is extremely valuable in changing how employees think and react, thereby minimising the risk of human error.

After completing all the steps above to reduce or eliminate further threats, CIOs can progress to stage four: relaying the news.

Notify

It’s never fun breaking the news of a ransomware attack to your stakeholders. However, transparency is key to retaining trust and loyalty while keeping the industry informed about emerging threats.

You must be purposeful in your notification. A lack of strategy when sharing information not only puts the company at reputational risk, it also leaves the business vulnerable to future attacks. A better approach involves reaching out to key parties as an initial step. This may include the board, the company’s legal team and business stakeholders. If customer data has been lost or stolen, this can open the door to legal repercussions. Therefore, CIOs should coordinate with the legal team and board to align messaging on what information is shared, with whom, and when.

Engaging with and internal or external public relations or communications team can also be extremely valuable for professional guidance on messaging. It is recommended that these teams are engaged before an attack occurs to ensure sufficient time for planning and strategy development.

It can take days to weeks to address an attack sequentially and thoughtfully. By this time, you will likely have the information to reassure customers of your company’s commitment to protecting their data and inform them of the actionable steps taken to prevent more attacks. Doing so demonstrates customer value which helps retain customer loyalty and trust.

What Comes Next?

While ransomware attackers don’t usually target the same gap twice, they can, and likely will, strike again. Taking a backward approach and securing already-breached zones is a flawed approach. Instead, CIOs should focus on identifying and addressing potential vulnerabilities and targets across the whole business.

In the end, CIOs that follow the post-ransomware attack procedure, in whatever capacity, should operate with a primary goal in mind: To secure the future of the company.

Having a clear and consistent cyber strategy that incorporates employee education, cross-team communication, and a robust business continuity plan to ensure efficient recovery is essential. Further, regularly maintaining the security of users, networks and data can reduce the chances of getting hacked and minimise data recovery time in the case of a breach.

(The article has been co-authored by Nate Curtz, CIO, Veeam Software)

---