The Worst Time to Plan for a Breach? After One Has Already Occurred.

Your organization has been hit with a catastrophic ransomware attack. Most of the critical digital systems that your business needs in order to function—at the most basic level—are offline. Your CEO has received a ransom note demanding money. If no payment is sent, the attack will continue indefinitely, and the company may never regain access to much or all of the compromised data.

The Chairman calls an emergency meeting of the Board.

Board Chair:  “I have a motion on the floor that we instruct the CFO to transfer $3.4 million USD into Bitcoin in order to facilitate the payment of ransom to an unknown criminal or criminal organization who has seized control of our critical systems and completely crippled our ability to function. There is no guarantee that paying the ransom will allow us to reverse the damage.”

Would anyone care to second this motion?

I certainly wouldn’t.

Far from Fiction

Think this situation is completely fictional? Consider that, in early 2016, Hollywood Presbyterian Medical Center in Los Angeles was hit with malware that shut down organization-wide access to email, digital patient records, and some Internet-connected medical devices for nearly two weeks. It’s believed the hackers had originally demanded $3.4 million USD; the hospital eventually paid 40 Bitcoins (approximately $16,900 USD) to have its systems restored.

So while the opening situation is fictional, it’s not inconceivable that it could happen to your organization. Let’s break down the components of what this fictional board of directors is up against:

1. A catastrophic breach has just occurred and the organisation is completely crippled. Emotions are running high, bordering on panic, and no one has any context or experience that can be applied to comprehend the situation let alone provide strategic guidance and sound governance. This is the worst possible state for making a critical decision without some sort of plan in place to help guide the process.

2. Is it even possible to transfer $3.4 million USD into Bitcoin? What are the risks associated with doing so? Does the organization have that kind of cash immediately available should it decide to pay the ransom? What effects will the loss of these funds and the decision to pay the ransom have on the organization long term? Damaged consumer trust? Diminished Wall Street confidence? Possible lawsuits?

3. Is it even legal to pay a ransom?

4. How can anyone be certain that the people demanding the ransom are in fact the people directing the attack?

5. What would happen if the organization paid the ransom and the attackers either didn’t fix the problem or, worse still, demanded more money?

How would this fictional Board, CEO, and CFO possibly untangle all of this and make good decisions under the glaring spotlight of intense media attention? The answer is they can’t and they won’t.

And even if the motion were to pass, how exactly would the CEO and CFO actually go about implementing the directive from the Board?

From Worst to Better

While there is no way whatsoever that any organization can prepare for every possible cyber attack scenario, the fact remains that the worst time to plan for a breach response is after it has already occurred.

Knowing that you can’t possibly prepare for every scenario and that any plan you do develop won’t survive first contact with a real-world breach anyway, there are still a number of things you can do to prepare your organization. To start, you can develop an incident response plan today—while you have time to rationally think about and test it.

Here are a few things to consider when developing your plan:

1. Train employees: When an employee discovers a breach, whom do they tell and what do they do? Remember, not all breaches are as dramatic as the example described above and could be ignored or overlooked without clear direction. Employees need to be trained on how to recognize that something bad has happened and then given direction on who to tell and what to do about it. This should include an assurance that no on will “shoot the messenger” and that reporting an incident will not result in repercussions or cyber-shaming.

2. Assemble an incident response team: When a breach is identified, the team should be ready to go to assess and begin implementation of a coordinated response. This team should include representatives from across the organization, not just the Information Technology department. Consider including public relations, human resources, facilities management, and representatives from other departments. And remember that the Board will need to assist in coordinating and implementing a response.

3. Prepare breach guidelines. Have a notification plan and establish relationships and guidelines before a breach occurs. This should include law enforcement contacts. Who exactly should employees call? What information will respondents need? These are discussions that have to happen up front and be well documented. A good example of why this is critical is that while employees are responding to the indecent and trying to recover files, they may inadvertently destroy evidence that law enforcement needs to catch and convict the attacker. How can teams best mitigate the immediate problem without inhibiting a future criminal investigation?

4. Enlist incident mitigation services prior to a breach. The best time to negotiate competitive rates with third-party vendors who provide cyber security incident mitigation services is not while company information is being held for ransom. It takes time to develop these relationships and put in place legal agreements and procurement processes related to these services. After an organization’s been hacked is not the best time to run an RFP.

5. Run routine tests. Preparedness training and running practice scenarios with the incident response team will help identify gaps in plans and an organization’s overall security posture. This should include every level of the organization, right up to the board of directors.

While we can’t prepare for any and all potential threats, having a plan in place and routinely testing that plan with new scenarios before the worst happens is your best chance for averting or mitigating an otherwise devastating cyber attack.