Questions You Need To Ask Before A Ransomware Attack

Forbes Technology Council

Dr. Ritesh Mukherjee is Vice President - Enterprise at Jio, on a mission to digitize businesses with affordable and secure connectivity.

If 2020 taught us anything, it’s that we should expect the unexpected. Enterprises with the best security tools and practices in place still need to be prepared to respond when they face a hack. This means more than just having an incident response team to isolate, investigate, clean and restore. If a company is the victim of a ransomware attack, for example, then its incident response team must already know the answers to the following:

• Do they have data back-ups that they can use to restore operations?

• If sensitive data has been siphoned out, can they live with it being published?

• Do they have a negotiator on hand to negotiate with the hackers?

• Do they have access to cryptocurrency to pay the hackers?

• Are they ready to pay the ransom?

• Are they going to use a middleman for the transaction?

Cybersecurity preparedness demands pessimists. The human brain is wired to be optimistic. Optimism bias leads humans to hope for the best. While this is a great outlook for everyday life, it can compromise being prepared for the worst. Preparing for the worst starts with an enterprise taking every precaution to ensure that it can’t be hacked. This means having security tools and procedures in place to prevent intrusion. It means following best practices to ensure that there are no vulnerabilities. However, enterprises also need to be ready to respond when there are breaches. How enterprises respond to modern breaches has changed significantly.

Just a few years ago, most enterprises had never heard of ransomware. Now dozens of ransomware cases are reported every month. CWT Global, Colonial Pipeline, Brenntag, Travelex, the University of California at San Francisco and JBS have made some of the biggest reported ransomware payments. Considering the rising number of cases, enterprises must plan to have cyber crisis management strategies to respond in case of a successful attack.

Earlier protocols for incident response didn’t involve dealing with hackers in public view, negotiating with hackers, having cyber-insurance cover, having access to cryptocurrency for ransom payments, vetting before making payments, deciding how much to pay and many other new considerations — and many of these decisions are tough to make under duress. It makes sense to think of these situations in advance and to have guidelines in place to follow.

Let’s take a look at some new questions that modern cyber incident response protocols must be able to respond to in case of a ransomware attack:

Should we pay?

Law enforcement agencies urge victims not to pay because paying the ransom can incentivize further attacks, and the payment can also be used to fund more illegal activity. There is, however, no ban on paying ransoms, as that would drive attackers towards locking the data of mission-critical organizations like hospitals, water-treatment plants, energy providers and schools. Businesses must decide based on the kind of data and systems that have been breached.

Back-ups are one defense against ransomware if they can be restored, but back-ups could be a target themselves. Usually, businesses succumb to paying the ransom when they have no choice, as the ramifications of the loss would be devastating to the company or lead to loss of life. The Ransomware Task Force recently issued a report from leading enterprises, the FBI and the Secret Service offering recommendations to the White House, but the report wasn’t conclusive as to whether to pay or not to pay at this time.

How much should we pay?

The average ransom paid is roughly $170,000, but how much you should pay depends on how much the data that’s locked up is worth to the company. If the ask is too high, then forensics may propose to rebuild the systems and suffer the loss rather than pay a higher amount. Can the payments be brought lower than the initial ask? Definitely. This is where you would need a negotiator. A good response protocol will have identified someone the company can reach out to who can talk to the hackers. This could be a company providing specialized services or a cyber insurance company that has recommendations on whom to use.

How do we pay?

Usually, hackers demand payments in Bitcoin or Monero. They will give instructions on how to set up Bitcoin wallets and how to procure cryptocurrency. There are final-mile crypto brokers like DigitalMint who can assist with making payments. They can also vet hackers to make sure they aren’t tied to a U.S.-sanctioned country and arrange for acquiring cryptocurrency. An incident response plan must have already decided on protocols for how such payments can be made in case of an attack.

Is your business prepared?

A business will fall victim to a ransomware attack every 11 seconds by the end of 2021. Most businesses are unprepared and don’t have a plan for when they get breached. Older cyber incident response protocols are unequipped to deal with the aftermath of modern cyberattacks. It’s high time for all enterprises to update their incident response handbooks.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.