Despite best-laid plans, ransomware attacks can be the worst experience for any person or business. Particularly as adversaries evolve, it’s important to pause, step back, and see if your organization is well prepared for an incident with everything it needs. It can seem like an insurmountable task to take on, but thankfully, you’re not alone. With the help of cyber insurance carriers, breach counsel, forensic providers, ransom negotiators, technical advisors, and IT recovery specialists, executives can create a playbook to help their organization through ransomware recovery.
In this piece, I’ll share insights that enable you to lead your organization through an incident and avoid common pitfalls that routinely lead to increases in expenditures, excessive business interruption time, and a prolonged, difficult claims process.
Set Realistic Expectations
It all starts here, and if you don’t get it right, you’ll be paying for it every day of the recovery — and beyond in reputation. As with many things, unrealistic expectations can doom your efforts from the start. Denying reality or pushing too hard or fast are common pitfalls that set you up for failure.
Picture this: Your organization is under attack, and suddenly everything is down. Leadership is asking how long it will take to get operations back on track. How do you answer? Of course, the time to recovery varies, but it’s not uncommon for internal IT or a service provider to set an initial expectation of 24-48 hours for recovery…setting themselves and the organization up for failure.
The reality is that you may not know how long it will take to recover for a while. Accurate estimates require visibility into the state of the environment after the incident and must be data-driven. That takes time! That may not be the answer anyone wants to hear, but the solution is clearly communicating the process to get that visibility, which can then be used to determine the optimal recovery strategy, and, ultimately, gather the data required to estimate how long it will take.
For effective and efficient recovery, we also need to focus on the reality of the situation, not what would be nice to be true or what we expected the reality should have been. Not only will you need to accept the reality of the attack that has taken place, but also the associated infrastructure changes and the harsh reality that sometimes data is going to be lost, regardless of the number of restoration methods at your disposal. Those involved in the recovery process need to speed through the shock and the stages of grief to get the right to acceptance and devote all their attention to the problem at hand.
Remembering that recovery can take much longer than expected, we must be careful not to push teams full force until it’s over. This is where leaders can set an example for their team by remaining cool-headed and laser-focused to inspire confidence and guide the organization through recovery. Often, unrealistic expectations, denying reality, and pushing too hard are spurred on by fear and inexperience. People may be afraid they’ll be blamed for not stopping the attack, scared of giving a long ETA and looking even worse than they feel they already do, or even fearful of losing their job.
Recovery is a marathon, not a sprint. And it’s understandable if stress levels are high throughout. The best executives remain calm, are supportive of their teams, set realistic expectations (and achievable goals), and communicate updates and appreciation throughout the recovery process.
Focus on the Right Goals
With initial expectations set, executives need to develop the right strategy to approach ransomware recovery. Often, we feel the need to throw the kitchen sink at the problem because we feel helpless. Panic can lead to the immediate purchase of new hardware or software, the addition of more external vendors, and the adoption of over-engineered solutions to provide more resources for recovery. Unfortunately, this lack of prioritization means executives will face conflicting requirements and demands with no granular recovery plan.
By bringing in too many additional vendors, it quickly turns into a “too many cooks in the kitchen” scenario, with constant distractions, leadership issues, and analysis paralysis. Making purchases before you have real visibility into the problem or the right recovery advisor to develop the optimal recovery strategy usually leads to unnecessary spending and much wasted time and may result in unexpected problems. Because it’s an emergency situation, we need to be mindful of over-engineering — the situation requires agility and working with an incident response mindset rather than the formality of a typical large-scale project with standard processes.
In the event of an attack, there will be immediate demands from a wide array of external entities, clients, and internal business units, up and down the organization. It’s an all-hands-on-deck situation, but a lack of prioritization can stall recovery. Asset management is often the bane of organizations, but a complete list of what is in the environment is one of the first questions in any investigation or recovery. That asset list, prioritized, is an essential part of a solid disaster recovery plan. It’s required to ensure the recovery can be as efficient as possible.
You’ll also need to understand the general recovery process at a high level: first, get visibility into the environment and contain it. This will be your foundation for the investigation and the recovery. Next, recover the core infrastructure to restore some critical IT functionality. Then, assess your backups to see if they are viable for restoration or if a decryption tool may be necessary. Finally, once the optimal recovery strategy has been determined, given what you have available to you, begin the prioritized restoration of systems.
The key is to be prepared ahead of time. Work with your insurance carrier to connect with a technical advisor, privacy counsel, forensic investigators, and ransomware recovery specialists to build the relationships beforehand, prevent an incident from happening in the first place, and expedite the process if there is an incident. Further, if something does happen, remember to allow time for your experts to gain the visibility required to determine what is actually necessary before adding more hardware, software, or people into the mix.
Get Started Now
If you’re not ready for recovery, no problem — this is where you start. These pitfalls are not incredibly complicated, but they are the things that organizations tend to struggle with most during recoveries.
Waiting for a ransomware incident to occur puts you behind the ball from the start. Get to work on your prioritized asset list ASAP. Set governance and communications now, from C-suite to engineering leads across all sites and business units. Lastly, learn where others have failed. Pause to understand the situation and focus on the process while keeping the plan simple and agile. Set data-driven expectations that enable everyone who touches the recovery process to collaborate based on a single source of truth. And remember that preparing ahead of time can save you a lot of time, money, and stress in the event of an attack. Improvements are important, but so is your sanity.
