In recent years, data ransom incidents have become more common, and have impacted more organizations, across a wider range of industries, than ever before. These incidents have caused increasingly significant disruptions to businesses, more often than ever forcing companies to close their doors.

Proper planning and preparation for business continuity in the face of such incidents can make the difference between rapid recovery of critical business data and resuming business as usual, and shutting down operations.

Take, for example, the following two possible scenarios for a particular company, say a technology company employing 650 staff at five locations worldwide, dealing with a ransom attack that could significantly disrupt its business processes, impacting its bottom line and reputation.

The CEO, upon starting his day, received on his computer screen the following notification:

We have encrypted all of your corporate data and are holding it ransom. When you transfer to us $600,000 in bitcoins, we will provide you the decryption key to unlock it.

You have 48 hours to respond to our demand, or your data will be sold to the highest bidder.

Scenario 1 - Without a Business Continuity Plan (BCP), here’s what might transpire:

  • He wasn’t sure who to call, and how to quickly reach them.
  • When he finally gathered key personnel, confusion ensued among the gathered senior company management and IT leaders as to what actions to take, and how to prioritize them to get processes back online.
  • He ascertained that a sample of corporate data was stolen and exposed on several public networks, and he were at a loss as to how to react, or even who to contact for help.
  • Word got out of the data breach, and the company had to deal non-stop with calls from concerned investors, partners, and the media, and had no prepared communication plan to guide who should engage with them to control the message, nor what the message should be.

 

Scenario 2 - With a Business Continuity Plan (BCP), here’s what might have transpired:

The CEO retrieved a hardcopy of our BCP from the shelf, and followed the prescribed protocol that had been practiced periodically:

  • Based on the Emergency Contact List in the BCP he reached and convened key department heads (Cyber Security; Business; IT; Legal; HR; Corporate Communications), whose roles as the Cyber Crisis Management Team were clearly defined.
  • They verified that indeed the data was encrypted/made inaccessible, and that a sample had been stolen and distributed over several public networks.
  • The convened Cyber Crisis Management Team assessed the scope and business value of the data effected and declared an Emergency Cyber Situation.
  • The Cyber Crisis Management Team now managed the execution of the BCP and directed the following teams: 

o   The Incident Response (IR) Team, responsible for executing the technical steps as directed

o   The Corporate Communications Team

o   The Disaster Recovery (DR) Team, responsible for switching the network over to the backup database (that was set up when the BC initiative was implemented) to get the business processes back on track

  • When dealing with calls from concerned investors, partners, and the media, the Corporate Communications Team utilized Legal-Department-approved prepared statements to control the message disseminated.
  • The Communications Team reported the incident to internal stakeholders, providing guidelines regarding who may discuss the incident; with whom; and what they were allowed and not allowed to communicate.
  • The Communications Team reported the incident to a wider audience, including Law Enforcement and additional stakeholders.
  • After the incident had been dealt with successfully as per the BCP, the aforementioned teams reconvened to record lessons learned and update the document.

From our experience, a company that prepared a continuity plan and maintains a cyber resilience program, often significantly shortens recovery time and reduces damage to the organization.

Source: Sophos Whitepaper. April 2022

Source: Sophos Whitepaper. April 2022

Source: Sophos Whitepaper. April 2022