
A 3-step approach to cyber defense: Before, during and after a ransomware attack

By Andy Stone
May 3, 2022

Not long ago, ransomware barely registered on anyone's radar. Today, cyberattacks, and ransomware attacks in particular, dominate headlines as they have become more sophisticated, more damaging and more frequent. What once warranted less than 10 minutes on the C-suite agenda is now arguably among the most pressing issues that organizations around the world face.


As the cyberattacks on Colonial Pipeline, Springhill Medical Center and JBS Foods have shown, the effects of cybercrime go beyond a hefty price tag; lives and livelihoods are often at stake as well. Although organizations have recognized the clear risks that cyberattacks pose, there is still a gap in understanding which security measures need to be in place to mitigate these attacks, and what to do when they happen, because they will happen.


In my own experience, formulating a before, during and after approach is key to organizational sanity and survival in a world increasingly dominated by ransomware attacks. In this article, I’ll walk you through the template I use to assess each phase of my ransomware mitigation plan. 


Before: Beware Business as Usual

For organizations that have never experienced a cyberattack, the preparation phase often falls behind. Yet preparation is paramount to mitigating the growing risk of a ransomware attack in today's digital world. Companywide buy-in is the first step to bolstering defenses and ensuring a quick response when an attack comes. When implementing preventative measures, these are the core areas to keep top of mind:


●    IT hygiene: Once threat actors gain access to an environment, they look to exploit key systems and sensitive data. Good data hygiene and a well-defined patch management program are crucial to preventing breaches. Often, by the time a vendor releases a patch, cybercriminals are already aware of the vulnerability. Given this tight timeframe, critical patches should be applied within 24 hours; patches at lower levels of criticality may be scheduled according to their severity, but none should wait more than 30 days.

●    Multi-factor authentication: Employees are often called the weakest link in cybersecurity because poor password management practices create vulnerabilities. Multi-factor authentication adds a layer of security that protects against the problems that arise when the same password is reused across multiple accounts.

●    Admin credential vaulting: In addition to poor password management practices, improperly secured shared resources can create vulnerabilities. Vaulting shared and administrative credentials provides an extra safeguard for the shared resources on your network: a repository whose passwords are automatically refreshed after each login.

●    Consistent logging: Security and access logs are crucial both before and after an attack. They provide critical indicators of compromise that help identify a potential adversary before an attack is launched. A good logging solution can also help identify the source of an attack and provide the proof of compliance that regulatory agencies require. However, it is not enough to simply maintain security logs; they need to be protected as well, since an attacker who can alter or delete them can hide their tracks.

●    Fast analytics: Quick, real-time analytics over security logs help spot suspicious behavior and send timely alerts about potential attacks. Implementing a fast analytics platform across three vectors (the endpoint, the network and the end user) can surface indicators of compromise and allow threat hunters to eradicate threats before an attack is launched and data is compromised.

●    Critical employee training: Set clear Internet and email policies and issue relevant end-user awareness training for employees across the organization. Follow up to measure efficacy and use that information to identify weak spots where additional training may be needed. However, it is critical to understand that employee education alone is not enough. Executive management and boards must also be trained, through tabletop exercises, on how events will unfold and how to respond during a cyberattack.
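The patch-management timelines above (critical within 24 hours, everything else within 30 days) are only useful if someone measures against them. The following is an added example, not code from the article or from the author's organization, that scores a patch inventory against those two deadlines. The host names, patch identifiers and timestamps are constructed sample data, and the severity labels other than "critical" are an assumption about how an inventory might be tagged.

```python
from datetime import datetime, timedelta

# SLA windows taken from the article: critical patches within 24 hours of
# vendor release, all other severities within 30 days.
SLA_BY_SEVERITY = {
    "critical": timedelta(hours=24),
    "high": timedelta(days=30),
    "medium": timedelta(days=30),
    "low": timedelta(days=30),
}

# Constructed sample inventory (hypothetical hosts and patch ids, not from the
# article). "applied" is None when the patch is still outstanding.
SAMPLE_INVENTORY = [
    {"host": "web-01", "patch": "VENDOR-PATCH-A", "severity": "critical",
     "released": "2022-04-01T09:00:00Z", "applied": "2022-04-01T20:00:00Z"},
    {"host": "web-02", "patch": "VENDOR-PATCH-A", "severity": "critical",
     "released": "2022-04-01T09:00:00Z", "applied": "2022-04-03T08:00:00Z"},
    {"host": "db-01", "patch": "VENDOR-PATCH-B", "severity": "high",
     "released": "2022-03-01T12:00:00Z", "applied": None},
    {"host": "app-01", "patch": "VENDOR-PATCH-C", "severity": "low",
     "released": "2022-04-20T12:00:00Z", "applied": None},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_patch(record, now):
    """Classify one record as 'met' (applied in time), 'missed' (applied late),
    'open' (outstanding but still inside the SLA) or 'overdue' (outstanding and
    past the deadline)."""
    severity = record["severity"].lower()
    if severity not in SLA_BY_SEVERITY:
        raise ValueError(f"unknown severity: {severity!r}")
    deadline = parse_ts(record["released"]) + SLA_BY_SEVERITY[severity]
    applied = record["applied"]
    if applied is None:
        status = "overdue" if now > deadline else "open"
    else:
        status = "met" if parse_ts(applied) <= deadline else "missed"
    return {"host": record["host"], "patch": record["patch"],
            "severity": severity, "deadline": deadline, "status": status}


def patch_report(inventory, now):
    """Evaluate every record and tally the statuses."""
    results = [evaluate_patch(r, now) for r in inventory]
    summary = {}
    for r in results:
        summary[r["status"]] = summary.get(r["status"], 0) + 1
    return results, summary


if __name__ == "__main__":
    as_of = parse_ts("2022-05-03T00:00:00Z")  # constructed "as of" time
    results, summary = patch_report(SAMPLE_INVENTORY, as_of)
    for r in results:
        print(f"{r['host']:8} {r['patch']:16} {r['severity']:8} "
              f"deadline={r['deadline'].isoformat()} {r['status']}")
    print("summary:", summary)
```

The "overdue" and "missed" buckets are the ones worth reporting upward: the first is current exposure, the second is evidence that the patch process itself is not meeting the stated timelines.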

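Two of the points above, that logs must be protected and that fast analytics over those logs should surface suspicious behavior, can be shown together on one small set of endpoint events. The following is an added example, not code from the article or the author's organization. It chains each log entry to the previous one with a keyed hash so that edits or deletions are detectable, and it runs a simple burst detector that flags a process touching many distinct files in a short window, a pattern commonly associated with file-encrypting malware. The event format, host and process names, the chain key, and the 5-files-in-60-seconds threshold are all constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from datetime import datetime

# Constructed endpoint file-activity events. Hosts, users, process names and
# paths are hypothetical sample data, not taken from the article.
SAMPLE_EVENTS = [
    "2022-05-02T10:00:00Z host=ws-07 user=alice proc=winword.exe action=modify path=C:/docs/q1.docx",
    "2022-05-02T10:00:40Z host=ws-07 user=alice proc=winword.exe action=modify path=C:/docs/q2.docx",
    "2022-05-02T10:14:00Z host=ws-12 user=bob proc=unknown.exe action=modify path=C:/share/a.xlsx",
    "2022-05-02T10:14:01Z host=ws-12 user=bob proc=unknown.exe action=modify path=C:/share/b.xlsx",
    "2022-05-02T10:14:01Z host=ws-12 user=bob proc=unknown.exe action=modify path=C:/share/c.xlsx",
    "2022-05-02T10:14:02Z host=ws-12 user=bob proc=unknown.exe action=modify path=C:/share/d.pdf",
    "2022-05-02T10:14:03Z host=ws-12 user=bob proc=unknown.exe action=modify path=C:/share/e.pdf",
    "2022-05-02T10:14:03Z host=ws-12 user=bob proc=unknown.exe action=modify path=C:/share/f.docx",
]

# --- Protecting the log: a keyed hash chain ---------------------------------
# Constructed placeholder key. In a deployment the key lives with the log
# collector, not on the host writing the events, so a compromised host cannot
# re-sign a rewritten history.
CHAIN_KEY = b"constructed-demo-key-not-for-production"
GENESIS = b"\x00" * 32


def build_chain(events, key=CHAIN_KEY):
    """Return [(event, tag)] where each tag authenticates the event and the previous tag."""
    chain, prev = [], GENESIS
    for event in events:
        tag = hmac.new(key, prev + event.encode(), hashlib.sha256).digest()
        chain.append((event, tag))
        prev = tag
    return chain


def verify_chain(chain, key=CHAIN_KEY):
    """Return the index of the first entry that fails to verify, or -1 if intact.
    An edited entry fails at its own index; a deleted entry makes its successor fail."""
    prev = GENESIS
    for i, (event, tag) in enumerate(chain):
        expected = hmac.new(key, prev + event.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return i
        prev = tag
    return -1


# --- Fast analytics: many distinct files modified by one process -------------
def parse_event(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def detect_bursts(events, window_seconds=60, threshold=5):
    """Flag (host, proc) pairs that modify at least `threshold` distinct files
    within any `window_seconds` window. One alert per pair."""
    recent = defaultdict(deque)  # (host, proc) -> deque of (ts, path), oldest first
    alerts, alerted = [], set()
    for rec in sorted((parse_event(e) for e in events), key=lambda r: r["ts"]):
        if rec.get("action") != "modify":
            continue
        key = (rec["host"], rec["proc"])
        window = recent[key]
        window.append((rec["ts"], rec["path"]))
        while (rec["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = {path for _, path in window}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key, rec["ts"].isoformat(), len(distinct)))
    return alerts


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(chain) == -1)
    tampered = list(chain)
    tampered[3] = (tampered[3][0].replace("unknown.exe", "explorer.exe"), tampered[3][1])
    print("first bad entry after edit:", verify_chain(tampered))
    for (host, proc), when, count in detect_bursts(SAMPLE_EVENTS):
        print(f"ALERT {when}: {proc} on {host} modified {count} distinct files")
```

The chain makes tampering evident, not impossible; the alert and the tag sequence still have to be shipped off the host promptly so that an attacker who gains control of the machine cannot simply truncate the whole file before it is collected.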

During: As the Attack Unfolds

An organization's exact business continuity and disaster recovery plan will depend on its business and on the specific breach. However, some steps should be taken across the board, regardless of industry or sector. As an attack plays out, the business continuity and disaster recovery plan needs to be put into action. At this point, containing the attack and locking down the environment is the first step. Isolate impacted systems on the network without fully shutting them down or cutting power, as doing so can destroy volatile evidence and reduce the ability to forensically analyze those devices later. In addition, here are four other steps you should take:


  1. Put your backup communications plan into action: If your email systems are down, continue communications within your organization using your backup communications plan. Use this method to inform leaders and internal stakeholders of the attack.
  2. Mobilize your emergency response team: This team will look different depending on your organization, but each person on the team should have clear marching orders. This team may include legal counsel, forensic experts, corporate communications and other key players.
  3. Initiate your external communications plan: Get in contact with authorities, cyber insurance providers, regulators, media and other critical partners to inform them of the situation. The plan should also include notifications to affected customers and businesses. Be sure to have a clear statement drafted that details the situation and your subsequent plan of action.    
  4. Start the forensic process: Triage impacted devices for forensic review. The sooner your team can identify what type of attack was launched and its severity, the sooner your team can apply patches. 


After: Steps to Recovery

There's only one thing that matters after an attack, and that's SPEED. While having the proper precautions in place to prevent an attack and respond to one is essential, it is equally critical that organizations plan for recovery. As part of a solid disaster recovery plan, organizations should have a recovery environment that has been staged, tested and is ready to go, providing a tried-and-true way to get back online right after an event. Once an attack has run its course, you may be faced with the choice of whether to pay a ransom. Whether or not you decide to pay, at this point you are also working to minimize damage and get back online as quickly as possible.


Of note, in many cases an organization will not be able to reuse production devices that may have been implicated in an attack. As a result, an additional recovery kit of replacement hardware should also be planned for, with clear visibility into where it is and how quickly it can be deployed.


Based on your response plan, you will need to prioritize which systems should be recovered and restored first. There will be a number of application dependencies to work through, since a system cannot come back before the systems it relies on. As you continue the forensic process, it will be important to work in tandem with the proper authorities and regulatory agencies. As you begin the restoration process, do so in an offline environment that allows teams to identify and eradicate any persistent malware before systems are reconnected.
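Working out restore order by hand across dozens of interdependent systems is error-prone, and it is exactly the kind of decision that should be made before the incident, not during it. The following is an added example, not code from the article or the author's organization, that takes a declared inventory of systems with priority tiers and dependencies and produces both a linear restore order and parallel "waves" of systems that can be brought up together. The system names, tiers and dependency edges are constructed sample data.

```python
# Constructed recovery inventory: system -> (priority tier, systems it depends on).
# Tier 1 is restored first. Names and edges are hypothetical, not from the article.
SAMPLE_SYSTEMS = {
    "active-directory": (1, []),
    "dns":              (1, []),
    "storage-array":    (1, []),
    "erp-database":     (2, ["storage-array", "active-directory"]),
    "erp-app":          (2, ["erp-database", "dns"]),
    "email":            (2, ["active-directory", "dns"]),
    "intranet":         (3, ["active-directory", "dns"]),
    "reporting":        (3, ["erp-database"]),
}


def _check_declared(systems):
    """Every dependency must itself be in the inventory, or the plan has a hole."""
    for name, (_, deps) in systems.items():
        for dep in deps:
            if dep not in systems:
                raise ValueError(f"{name} depends on undeclared system {dep!r}")


def recovery_order(systems):
    """Topological sort (Kahn's algorithm). Among systems whose dependencies are
    all restored, the lowest priority tier goes first, then alphabetical order.
    Raises ValueError on a dependency cycle or an undeclared dependency."""
    _check_declared(systems)
    indegree = {name: len(deps) for name, (_, deps) in systems.items()}
    dependents = {name: [] for name in systems}
    for name, (_, deps) in systems.items():
        for dep in deps:
            dependents[dep].append(name)

    def rank(name):
        return (systems[name][0], name)

    ready = sorted((n for n, k in indegree.items() if k == 0), key=rank)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
        ready.sort(key=rank)
    if len(order) != len(systems):
        stuck = sorted(n for n, k in indegree.items() if k > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def recovery_waves(systems):
    """Group systems into waves: every system in a wave depends only on systems
    in earlier waves, so each wave can be restored in parallel."""
    _check_declared(systems)
    placed, waves = set(), []
    while len(placed) < len(systems):
        wave = sorted(n for n, (_, deps) in systems.items()
                      if n not in placed and all(d in placed for d in deps))
        if not wave:
            raise ValueError("dependency cycle: no system can be restored next")
        waves.append(wave)
        placed.update(wave)
    return waves


if __name__ == "__main__":
    print("restore order:", " -> ".join(recovery_order(SAMPLE_SYSTEMS)))
    for i, wave in enumerate(recovery_waves(SAMPLE_SYSTEMS), 1):
        print(f"wave {i}: {', '.join(wave)}")
```

The priority tier is a tie-break, not an override: a tier-2 system whose dependencies are still down waits regardless of its tier, which is the point of declaring dependencies rather than a flat ranked list. Running this against the real inventory during a tabletop exercise also surfaces undeclared dependencies and cycles while there is still time to fix the plan.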


Throughout the whole recovery process, communication will be key. Be sure to consistently communicate progress each step of the way to all affected parties. This includes but is not limited to employees, customers, investors and business partners. It’s also important to keep any affected service providers or suppliers in the loop and ensure they take the necessary steps to prevent another breach.  


Looking ahead

It’s almost naïve to think that your organization won’t be affected by a cyberattack or breach at some point. Cybercriminals will undoubtedly continue to innovate and evolve, and we can expect ransomware to get even more creative and capable of even greater damage. Although we can’t predict the next big ransomware attack, we can certainly prepare ourselves by continuing to evolve our cybersecurity strategy. 

KEYWORDS: cyber security data breach emergency response incident response information security ransomware risk management

Andy Stone is an accomplished IT executive with a passion for technology and creating innovative solutions that solve business problems and deliver results. As Chief Technology Officer for the Americas at Pure Storage, Stone is focused on delivering next-gen data storage and protection technologies that help companies get better insights, improve time-to-market, and make breakthroughs.