Ransomware Preparedness Checklist
A ransomware attack is one of the most serious events that a business can experience. A cybercriminal locking up computer systems can bring operations to a standstill for weeks, months, or even longer. Sensitive business data is often stolen, ransomed, and possibly leaked. Does your organization have a comprehensive and foolproof plan in place if hit? If not, here are some things to consider.
Having a plan to stop the bleeding and prevent further damage
A business should have cyber legal counsel on standby, along with a strategy to immediately secure its network.
- Protecting communications/written work product from subpoena and discovery. Cyber counsel is immediately needed so that any communications/written work product concerning an attack are privileged from subpoena or discovery in future litigation or government investigations. Cyber counsel will in turn engage a computer forensics team, security engineers, and professional negotiators to assist with incident response.
- Securing the environment. An organization should also have a plan to identify which systems have been hacked and need to be secured from further unauthorized activity. The goal is to prevent additional data theft and malware infection of other systems. Simply pulling computer plugs from the wall typically will not suffice.
Operational logistics
Preparedness also includes having a plan to conduct four basic business functions:
- Communications: if email and work phones are knocked out of service, how will the business communicate with consumers or business clients, and colleagues?
- Workflow/product: if mission critical data and systems are locked up, what workarounds—if any—are available to prepare and get deliverables out the door and into customer hands?
- Payroll: if payroll systems are not functional, is there a plan to issue employee pay on time and in a way that complies with wage and hour laws?
- Getting back up and running: what steps will a business take to resume normal operations? Will it need to bring in computer engineers to help restore systems? Who are the right professionals to bring in? Additionally, it is critically important to remember that cybercriminals often lock up both data and its backup copies. A business should plan for the possibility that even its backup data is not usable.
Substantive communications and disclosures
Preparedness also necessitates planning what to say after an attack. Bear in mind that business contracts and strict state and federal laws govern the timing, content, and substance of cyberattack disclosures.
- If a business decides to be forthcoming and disclose the attack, it must artfully do so in a way that avoids causing panic to employees, customers, and business partners and without inviting government scrutiny.
- If a business decides to withhold information about an attack, how will it lawfully do so without misleading stakeholders? And if word of an attack leaks, how will the business explain its prior statements?
The decision to pay a ransom
A business should have a plan to deal with every possible contingency surrounding ransom payments. Two major ones follow.
- A business should have a plan to comply with red tape surrounding ransom payments.
  - Strict federal laws and regulations prohibit ransom payments to specific individuals and groups.
  - Some states prohibit paying ransoms or even communicating with ransomware cybercriminals at all.
  - Ransom payments must promptly be reported to the appropriate authorities consistent with U.S. Treasury guidelines.
  - Violating these ransom payment laws can carry strict civil and criminal penalties.
- A business must also plan for the fact that some hackers are just not good for the money. Some cybercriminals do not deliver on the promise to delete stolen data or provide a decryption tool (or a secret password) to unlock data.
Stated differently, what is a business to do if caught between a rock and a hard place where the law prohibits the business from paying a ransom despite the fact that it needs to in order to unlock mission critical data or to prevent sensitive data from being leaked?
A business’ response plan must be dynamic
Ransomware attacks are becoming more and more complicated, disruptive, destructive, and common. Fortunately, having a comprehensive and dynamic plan to deal with one will substantially minimize a ransomware attack’s impact.
Attorneys from McDonald Hopkins’ national data privacy and cybersecurity practice group are available to help businesses prepare ransomware incident response plans and respond to known or suspected ransomware attacks.