If you think a ransomware attack is the worst thing that can happen to your organization, I hate to tell you – that’s only the beginning.
Don’t misunderstand – an attack is awful. But after an attack, you’re somewhat of a wounded gazelle and the predators start circling. While you may not be responsible for the attack itself, if you mishandle the recovery, regulatory requirements, and communication, you may be hit with fines and lawsuits. And if that isn’t enough: attackers, competitors, and even potential acquirors and activists may seize the opportunity to pounce.
Which is why, as a Chief Legal and Compliance Officer and an independent board member, I believe you need a proven, practiced data protection plan long before your data is compromised. To help you through this, here are four steps I would take in weighing and responding to an attack:
#1 Secure your Perimeter. At the first sign of an attack, you need to slam the door shut and stop the bleeding. CrowdStrike recently estimated that an attack window is 84 minutes. That’s how long you have before data is bricked, exfiltrated, or destroyed. You don’t have time to debate, and the moment you need to close all entry and access points to your business cannot be the first time you bring the cross-functional team of IT, Security, Legal and others together. You need to be a well-oiled machine and act fast. Practice this like a drill. Know what assets you have and what they access – and be prepared to shut it all down.
#2 Assess the Damage. Once the perimeter is secure, you must assess the damage. What data was exposed or taken? What damage was done? What is your contractual obligation for maintaining and protecting customer or constituent data? How does this impact you in terms of industry, state, federal, and international regulations? There are more disclosure requirements on the horizon, and as PwC recently noted in its 2023 Global Digital Trust Insights survey, “only 9% of the respondents feel highly confident that they can effectively meet all disclosure requirements.” The sooner your team is engaged in the planning, assessment, and remediation process, the better.
#3 Were you a victim or negligent? Did you leave the perimeter unsecured? Did you have loose access or security controls? Do you have a data protection plan in place? When was your last tabletop exercise or system test? Were the right controls in place to prevent (or quickly detect) the attack? Do you have cybersecurity awareness training in place for employees so they’ve learned how to identify phishing attempts? Customers expect that when they give you their data, you will protect it. Having a data protection plan or solution in place is the cost of doing business. Without it, you are not a victim.
#4 Communicate. Communicate. Communicate. Be transparent with your critical stakeholders. The speed with which you disclose can be a delicate balance because you’re still assessing the impact, identifying the root cause, and remediating. Clearly, your CEO and C-Suite leaders need to know as soon as possible, and you’ll alert your Board of Directors. But the most important people you need to communicate with are those impacted by the breach, such as your customers, partners, or employees. You need to notify them as soon as possible.
Bottom line: The attackers are on the horizon, they get smarter every day, and time is not your friend. These steps will help you detect and recover more quickly from an attack and will give you the confidence that you have taken responsible, informed steps to protect your data.