Large enterprise and small to medium-sized organizations that have fallen victim to ransomware and cyber extortion incidents have faced the phases of grief post-cyberattack. The phases of grief can be difficult, including denial, anger, bargaining and acceptance. In many ways, the stages of grief are avoidable, but for too many companies, it is too late. 

Companies can no longer prioritize speedy decision-making at the sacrifice of their company’s cybersecurity posture. They need to evolve from the phases of grief to phases of resilience because it is not a matter of if, but when (perhaps, again?) they will experience a ransomware and/or cyber extortion event. 

The phases of grief post-ransomware

• Denial: The first phase of grief is one which security leaders relate to the most, and which brings the most repercussions. It is admitting there is a problem after an issue comes to light, but not looking at the bigger picture. The question that should be senior decision-makers’ north star in this process is, “What got us here that needs to be fixed, so we can ensure a more seamless journey for our business moving forward?” instead of “How do we make sure this problem goes away quickly?” 
• Anger: The second phase of grief may involve the identification of culpable parties. Trying to quickly place blame detracts from taking a true look at what happened. It is a sensitive exercise that might bear some harsh truths, but those truths need to be told. 
• Bargaining: Next is the phase that has received so much attention of late, the “decision phase” — whether or not to pay the ransom or extortion demand. This is always a calculated, risk-based decision for victims. 
• Acceptance: The final phase is the response after the ransomware or cyber extortion incident reaches its conclusion — or the belief of its conclusion. The missteps made in earlier phases of grief have a direct impact on this final phase because of the potential repercussions that reverberate through the organization in the months and even years that follow.

The worst moves before, during and after experiencing ransomware

As we have seen major incidents play out, it is a reminder to re-evaluate ransomware and cyber extortion response plans to determine if a plan meets the standards for current threats. 

The chaos during an incident is always hard to navigate, with key stakeholders receiving advice from many different voices. A major misstep can occur by listening to the wrong voices. Everything should be a balance, and the scale should lean toward taking sound advice from experienced legal and digital forensics and incident response teams. These teams need to collaborate and take a holistic approach to evaluating all of the evidence to prevent the organization from being exposed to additional and future risks. 

After the incident, the first inclination is to continue to invest in a cyber preparedness plan. On the surface, this may seem correct, but having now experienced a significant incident, the focus needs to include investing in cyber resilience. If or when an organization wants to update their cyber insurance policy, insurance providers will be paying more attention to the latter, not the former. Traditional cyber preparedness is important, but having solid cyber resilience practices can materially demonstrate the ability to navigate a ransomware event. 

What the phases of resilience look like 

1. Embrace the marathon. A cyber resilience plan is not a one-and-done checklist. It is a living playbook that is constantly re-evaluated. Prioritizing “quick win” actions over methodical implementations can backfire. From the start, organizations need to set up realistic, specific and measurable goals so they can feasibly reach cyber maturity and resilience milestones. Outsourcing may be a necessary option, while keeping internal leadership accountable for what needs to be completed.
2. Prioritize the critical controls that the opportunistic ransomware and cyber extortion groups are targeting. Investing in technology alone to reduce risks is not enough; building cyber resilience to include specific and measurable outcomes, such as key performance indicators, is needed to address critical controls.
3. Practice. Security teams need to be ready when the organization is impacted by a cybercriminal. Ask questions, such as:
   1. Where is the data?
   2. Is it regulated?
   3. Is it backed up?
   4. Do the backups work, and what happens if this critical business system goes offline? 
   5. What if business-to-business customers are impacted? 
   6. What happens if data is exposed during merger activity?

There isn’t a single news article, video or podcast that is going to prepare organizations for the nuances that often present themselves when an incident occurs. During a cyber incident, there are multiple project streams that are working together, all with various degrees of complexity. Be ready for when this happens. Have a plan. Build resilience.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.