It's not if it will happen, it's when it will happen.
Will you be ready?
When a ransomware attack happens, time is your enemy. The clock is ticking. You have to start making quick, decisive decisions, and the only way to do that is by asking the questions in advance.
Consider these questions:
Will you pay the ransom?
Pay or Not to Pay?
Any cybersecurity professional would urge you not to pay the ransom, as this would only encourage the attackers to continue targeting your organization. However, many organizations affected by ransomware find themselves wanting to solve the problem as quickly as possible and start weighing the price of the ransom against the value of the data that is encrypted. While organizations initially say they wouldn't pay the ransom, the majority will.
Leaders at organizations across the globe are witnessing the alarming rise of ransomware threats, leaving them with the sobering thought that an attack on their business may not be a matter of if, but when.
The stakes are becoming higher. Hackers aren't just demanding money; they're threatening to reveal sensitive or valuable information if companies don't pay up.
Performing a Risk Assessment will help you understand whether you might have to pay a ransom, or it might show that by restoring data you would only suffer a minimal loss.
Here is a quick example:
As part of a Risk Assessment, you ask about your backups and backup tests. Your backup engineer tells you they test backups all the time, on a periodic basis. The next question is what was tested. Was a full restore of all data sets tested? Remember, this is probably going to be a rebuild. The answers about the restore tests and the kinds of tests done will be part of the calculations needed to understand whether you have to pay the ransom.
If your restores are going to take a few days, you may decide that this is what you will be doing.
Remember, paying a ransom will take a few days. Then decrypting the data may take a few more. This all depends on the size of your data sets.
This is where a Risk Assessment comes in, to help quantify your decisions.
Will Cyber Insurance Cover Ransom Payment?
Caution: include the firm's counsel when asking these questions.
Here is why you want to have a conversation with your insurance company. Not all insurance is the same. Not all insurance will pay if the firm is lacking in its cybersecurity posture. You need to know this upfront. Insurance companies now provide their own lawyers, forensics teams, and breach coaches.
Many states now require notification of a breach within 72 hours. Depending on the breach, you may need to notify the State Attorney General's office.
Will you need to notify?
This is where you get your money's worth from the insurance company. This is also why the insurance company will bring in its forensics and legal teams. When the forensics team's work is complete, the lawyers will help you make an informed decision.
Do you have a Breach Coach?
Breach coaches are essential in today's world. They understand the steps needed during a breach and the recovery process, and when the recovery process can begin. Including a breach coach in your assessments will help you ask the right questions and make educated decisions.
Ransom payment negotiation.
Some insurance companies provide a ransom negotiating team. When you receive the ransom notification, a Bitcoin payment amount is displayed. It is usually a pretty high number. Some ransomware hackers will renegotiate the ransom, but you have to respond quickly. The insurance company's negotiating team has done this before and understands what it can negotiate and what it can't. Having an experienced ransomware negotiator will go a long way toward getting the issue resolved more quickly.
Making the payment.
Here again, some insurance companies will provide these services. Setting up a Bitcoin account could take a couple of days. This is time lost for the business. Using your insurance company's resources would speed up that process.
As you can see, there are many questions to be answered. This is why having these discussions ahead of time may save you valuable time.
During a recent ransomware incident, a law firm had many terabytes of litigation data: millions of individual 45 KB TIFF files. The firm decided not to pay the ransom and started the process of restoration. After two days of restoration, it was determined that restoring this one system was going to take two weeks. The firm had never tested a full restoration or bothered to calculate what it would take to restore the data. The time it would take to restore the data was more costly than paying the ransom.
Restores have to be tested in full to truly understand the impact of your Disaster Recovery Plan.
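The calculation the article describes, as an added example that is not part of the original post: a small estimator that turns a backup profile into a restore time (bulk transfer plus per-file overhead, the term that dominates for millions of small files) and compares the downtime cost of restoring against paying and decrypting. Every figure in it (file counts, throughput, loss per day, ransom amount) is a constructed placeholder, not data from the law-firm incident.

```python
# Added example, not from the original article: restore-time vs ransom-downtime
# estimator. All numbers below are constructed placeholders for illustration.
from dataclasses import dataclass


@dataclass
class RestoreProfile:
    total_bytes: int            # size of the data set to rebuild
    file_count: int             # number of files; many tiny files are overhead-bound
    throughput_bps: float       # sustained restore throughput in bytes/second
    per_file_overhead_s: float  # open/write/close + metadata cost per file
    parallel_streams: int = 1   # concurrent restore jobs sharing the overhead
    full_restore_tested: bool = False  # was a full restore ever actually timed?


def estimate_restore_hours(p: RestoreProfile) -> float:
    """Bulk transfer time plus per-file overhead; the overhead term is what
    makes millions of 45 KB TIFFs take weeks even when the byte count is modest."""
    bulk_s = p.total_bytes / p.throughput_bps
    overhead_s = p.file_count * p.per_file_overhead_s / p.parallel_streams
    return (bulk_s + overhead_s) / 3600


def compare_options(p: RestoreProfile, loss_per_day: float, ransom_usd: float,
                    payment_days: float, decrypt_days: float) -> dict:
    """Downtime cost of restoring from backup versus paying and decrypting.
    The pay path is modelled as payment setup time plus decryption time; the
    decryptor can still fail, so its cost is a lower bound, not a guarantee."""
    restore_days = estimate_restore_hours(p) / 24
    pay_days = payment_days + decrypt_days
    restore_cost = restore_days * loss_per_day
    pay_cost = pay_days * loss_per_day + ransom_usd
    return {
        "restore_days": restore_days,
        "restore_cost": restore_cost,
        "pay_days": pay_days,
        "pay_cost": pay_cost,
        "cheaper": "restore" if restore_cost <= pay_cost else "pay",
        # An untested full restore makes the estimate a guess, not a measurement.
        "estimate_verified": p.full_restore_tested,
    }


if __name__ == "__main__":
    # Constructed scenario shaped like the article's case: 50 million 45 KB TIFFs,
    # 100 MB/s throughput, 50 ms per-file overhead, two parallel restore streams.
    profile = RestoreProfile(total_bytes=50_000_000 * 45_000, file_count=50_000_000,
                             throughput_bps=100e6, per_file_overhead_s=0.05,
                             parallel_streams=2)
    for k, v in compare_options(profile, 50_000, 250_000, 2, 2).items():
        print(f"{k}: {v}")
```

With the constructed figures the restore path comes out at roughly 14.7 days, so the per-file overhead, not the raw byte count, is what the Risk Assessment has to capture; swap in your own measured restore throughput and a tested full-restore time to make the estimate meaningful.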
Did you know that if you start restoring systems, you may be destroying evidence? You may be held liable, and the worst-case scenario is that the insurance company may not pay. Then your client's data shows up on the dark web, the client is now suing you, and your insurance company is holding you, the CISO or IT Director, responsible for destroying evidence. Then the state attorney general wants to know why a breach notification was not performed. More fines.
Anyone involved in the destruction of evidence can be held liable, including your IT consultants. I heard one insurance company say to an IT consultant, "I am coming after you for the destruction of evidence that would have helped us understand that data was exfiltrated."
If you don't pay the ransom, what systems do you bring up first?
When asking these questions you need input not only from the IT staff but also from the different business units.
When dealing with a law firm, the two most needed systems will be Accounting and Conflicts, followed by a myriad of other information systems. This may differ between law firms, which brings up the reason for a Risk Assessment.
Risk Assessments deal with these questions by putting quantitative values on the impact to the business in a way that is understandable to the business's stakeholders.
Businesses understand impact when it comes to dollars lost. The better way to handle this is to minimize the dollars lost in a way that everyone can agree on.
Perform a thorough Risk Assessment then build the Disaster Recovery Plan.