Ransomware always seems to be in the news at the moment. Jeremy Swinfen Green, TEISS Head of Consulting and Training, suggests some questions that CEOs should be asking if their organisation is hit by a ransomware attack.
CEOs have a vital role to play in the event of an attack, keeping cyber security staff on track and supporting them where necessary, reassuring other organisational stakeholders, and making sure that lessons are learned.
So here are eight questions CEOs should ask in the event of a successful ransomware attack.
1. How far has the ransomware infection spread?
Some ransomware, including WannaCry and this week's Petya outbreak, carries worm code that spreads it automatically from machine to machine across a network; most other strains still rely on a user opening something on each computer. Either way, you will be hoping that the spread hasn't gone far. You will want to be reassured by your IT security team that infected computers have been disconnected from the network, that shared network drives have been taken offline, and that they have a way of checking which machines and shares were actually touched rather than assuming.
Ideally you will want to know that you have a doomsday plan: the first person to see a ransom demand disconnects their computer from the network (unplugs the cable or turns off Wi-Fi), tells the appropriate person in IT about the attack (so they can isolate the affected parts of the network), and then perhaps tells everyone else in the vicinity to do the same. Pulling the network cable is the priority; powering a machine off loses evidence in memory that may help identify the strain, so only do that if you cannot isolate it any other way.
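For the IT team, "how far has it spread" is a question that can be answered from the data rather than guessed at. Below is an added example, not from the original article, that scopes an outbreak from a file inventory pulled off endpoints and shares: it flags files whose content no longer matches their extension, files with an unknown extension appended to a known one, and filenames that look like ransom notes (a heuristic pattern, assumed here). The inventory of hosts, paths and file headers is constructed for demonstration.

```python
"""Scope a suspected ransomware outbreak from a file inventory.

Added example, not the article's own material. Assumes you can collect
(host, path, first 8 bytes of content) from each share or endpoint; the
INVENTORY below is constructed sample data.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Bytes a healthy file of each type starts with. An encrypted file keeps
# its name but loses its header, which is the most reliable cheap signal.
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}

# Heuristic for ransom-note filenames (an assumption; families vary).
NOTE_RE = re.compile(r"(decrypt|restore|recover|how_to|readme)", re.I)

# Constructed inventory: (host, path, first bytes of content).
INVENTORY = [
    ("ws-101", r"C:\Users\ann\report.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("ws-101", r"C:\Users\ann\budget.xlsx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("ws-102", r"C:\Users\bob\notes.pdf", b"\x8a\x17\xc3\x01\x5e\x92\xf0\x44"),
    ("ws-102", r"C:\Users\bob\photo.jpg", b"\x21\x9c\x00\xee\x7a\x13\x54\x9d"),
    ("ws-102", r"C:\Users\bob\README_DECRYPT.txt", b"Your fil"),
    ("fs-01", r"\\fs-01\finance\q1.xlsx", b"\x3b\xd0\x9e\xaa\x01\x77\xcc\x10"),
    ("fs-01", r"\\fs-01\finance\q2.xlsx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("fs-01", r"\\fs-01\finance\q1.xlsx.locked", b"\x3b\xd0\x9e\xaa\x01\x77\xcc\x10"),
]


def classify(path: str, head: bytes):
    """Return a reason string if the file looks like ransomware damage, else None."""
    p = PureWindowsPath(path)
    suffixes = [s.lower() for s in p.suffixes]
    if not suffixes:
        return None
    ext = suffixes[-1]
    if ext in MAGIC:
        # Known type: the content must still carry its magic bytes.
        return None if head.startswith(MAGIC[ext]) else "header mismatch"
    if len(suffixes) >= 2 and suffixes[-2] in MAGIC:
        # e.g. q1.xlsx.locked: a known type with an extra extension bolted on.
        return "appended extension"
    if ext in (".txt", ".html", ".hta") and NOTE_RE.search(p.stem):
        return "ransom note pattern"
    return None


def scope(inventory):
    """Map each host with suspicious files to a Counter of reasons."""
    hits = {}
    for host, path, head in inventory:
        reason = classify(path, head)
        if reason:
            hits.setdefault(host, Counter())[reason] += 1
    return hits


def affected_hosts(inventory):
    """Sorted list of hosts/shares showing any sign of encryption."""
    return sorted(scope(inventory))


if __name__ == "__main__":
    for host, reasons in scope(INVENTORY).items():
        print(host, dict(reasons))
    print("isolate:", affected_hosts(INVENTORY))
```

Hosts that come back clean (ws-101 above) can stay on the network; anything listed should be isolated and its share paths taken offline until it has been rebuilt. Run the collection with read-only credentials from a machine that is not itself a candidate for infection.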
2. Have we got backups of our data?
You will want to be reassured by your IT security team that backups exist for any data that has been encrypted. You will also want to know whether those backups are sufficient: how recent they are, whether they cover everything that matters, and whether the ransomware could have reached them too.
Ideally you will have several backups taken at different times (such as yesterday, last week and last month), at least one of which is held off site and at least one of which is "air gapped", that is to say not continuously connected to your network, so that an infection cannot spread to it. Ransomware running under a user's credentials will encrypt any backup that user can write to, so a single networked backup held on servers in your office is a dangerous strategy. A single online backup in the cloud that is permanently mounted is just as bad. And a backup that has never been test-restored is not one you can rely on. (If you don't have backups at all, the question to ask your head of IT security at this point is "How long will it take you to clear your desk?")
3. Have we told everyone who needs to know what has happened?
You will need to know that employees who are affected by the attack know what is going on and how they should be behaving. For instance, you probably don't want them spreading the news on social media, and they need to know when you expect to be back to normal (or when they will next get an update).
If your systems are down because of the attack then you may need to inform customers as well, and you should have plans for this, such as publishing a holding message on your website. People need to be told facts (not opinions) and, whether or not you have anything substantial to tell them right now, you also need to tell them when you will next be updating them.
4. Have we cleaned our systems?
You will need to know how and when you are going to get back to normal. Removing the malicious software from your IT estate is an important first step, and it is not the same thing as getting your data back. Don't count on Windows System Restore: many ransomware families, WannaCry included, delete the Volume Shadow Copies that System Restore depends on before they start encrypting. The reliable approach is to wipe infected machines and rebuild them from a known-good image, with patches applied before they rejoin the network. Updating and running your antivirus may remove the ransomware binary itself, but it will not decrypt a single document, and a machine that has been compromised should be treated as untrusted until it has been rebuilt.
5. How long will it take to restore our data from backups?
The second step to getting back to normal is restoring the document files that were encrypted in the attack. This is where your backups come in. Restoring the files won't necessarily be easy and may well take time; ask for an estimate and a priority order, so that the systems the business depends on most come back first. Occasionally a free decryptor already exists for the particular strain you have been hit with (some families have had their keys leaked or their encryption broken), which is relatively quick, but identify the strain from the ransom note and the encrypted file extensions first, and don't assume you will be that lucky.
Be aware that any restoration may be incomplete: files created since the last backup will be gone, and a backup taken after the infection began may itself contain encrypted files. So make sure people check that they have all their essential data once it has been restored, ideally against a record of what was there before the attack.
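The "check you have everything back" step in question 5, and the "are the backups sufficient" step in question 2, both become mechanical if each backup generation is written with a manifest of what it contains. Below is an added example, not from the original article, that builds such a manifest (relative path to SHA-256) and compares a restored tree against it, reporting what came back intact, what is missing, what came back with different content (the signature of a backup that was taken after encryption had already started) and what is present that should not be. The "before" and "restored" trees are constructed in a temporary directory for demonstration.

```python
"""Verify a restore against a pre-attack manifest.

Added example, not the article's own material. Assumes a manifest
(relative path -> SHA-256) is written alongside each backup generation
and kept with the offline copy. Sample trees are constructed in a temp dir.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest of what it should hold.

    'corrupted' means the file is present but its content differs from the
    manifest: what you see when the backup itself captured encrypted files.
    'extra' catches leftovers such as renamed encrypted copies or ransom notes.
    """
    restored = build_manifest(restored_root)
    result = {"ok": [], "missing": [], "corrupted": [], "extra": []}
    for rel, digest in manifest.items():
        if rel not in restored:
            result["missing"].append(rel)
        elif restored[rel] != digest:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    result["extra"] = sorted(set(restored) - set(manifest))
    return result


def demo() -> dict:
    """Construct a 'before' tree and an imperfect restore, then verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        before = Path(tmp, "before")
        restored = Path(tmp, "restored")
        # Constructed pre-attack data.
        files = {
            "finance/q1.xlsx": b"quarter one figures",
            "finance/q2.xlsx": b"quarter two figures",
            "hr/contracts.pdf": b"%PDF-1.4 contracts",
        }
        for rel, data in files.items():
            target = before / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        manifest = build_manifest(before)  # written when the backup was taken

        # Constructed restore: q2 never came back, contracts.pdf was already
        # encrypted when the backup ran, and an encrypted copy rode along.
        (restored / "finance").mkdir(parents=True)
        (restored / "hr").mkdir(parents=True)
        (restored / "finance/q1.xlsx").write_bytes(files["finance/q1.xlsx"])
        (restored / "hr/contracts.pdf").write_bytes(b"\x91\x3a\x07\xe2garbage")
        (restored / "hr/contracts.pdf.locked").write_bytes(b"\x91\x3a\x07\xe2")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:10s} {paths}")
```

Store the manifest with the offline backup, not on the file server it describes, so that the ransomware cannot rewrite both. Running the verification against each generation (yesterday, last week, last month) also answers question 2 before you need it: a generation whose manifest already shows corrupted files was taken too late.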
6. How did we get infected with ransomware?
Knowing how the infection happened is not a question to leave until later. It is useful to know where the infection originated and how it happened: visiting a website, opening an email attachment, plugging in a memory stick, an unpatched service exposed to the network. You may not get all the detail in the days following an attack, but that detail is what will help you prevent the next one, so make sure that logs and a disk image of the first infected machine are preserved before anything is wiped and rebuilt.
You will also want to know why your defences failed. Are you patching software such as browsers and Windows promptly? (Both WannaCry and this week's Petya spread using a Windows SMB vulnerability for which Microsoft had published a patch months earlier.) Is your antivirus up to date? Are you running a layered security solution with antivirus, an effective firewall, and community based website and file reputation warnings?
7. Have we paid the ransom?
You probably shouldn't. In some jurisdictions it is illegal. It is almost certainly immoral (unless perhaps lives are at stake), and it funds the next attack. And there is absolutely no guarantee that you will get your files back: the decryptor you are sent may not work, may be painfully slow, or may never arrive. Paying also does nothing to clean the systems that were compromised, so all of the work above still has to be done.
8. Are we training our employees to stay cyber safe?
Ultimately most ransomware arrives because an end user has made a mistake, visiting a dodgy website or opening an email attachment, although worm-driven outbreaks like WannaCry and Petya spread with no user action at all, which is why training complements patching rather than replacing it. Training needs to develop the ability of your employees to recognise and avoid potential threats. And it needs to give them the knowledge of what to do and who to call in the event of an attack.
But knowledge on its own is not enough. You will need to be confident that you have campaigns in place to keep people aware of the threat. And you will need to be working on organisational culture to motivate people to stay safe and take personal responsibility for cyber security.
Ransomware is a very present threat. It isn't going to vanish any time soon. Asking the right questions when an attack happens is essential if you want to recover quickly and if you want to guard against future attacks.