- within Insurance topic(s)
- with readers working within the Insurance and Utilities industries
By now, most of you know that due to the COVID-19 pandemic and the shift to remote work, data security incidents increased both in number and severity in 2020 and show no signs of slowing down in 2021. A report conducted by the cybersecurity company, Deep Instinct, shows triple-digit increases across all malware types in 2020, including a 435% increase in ransomware attacks alone. The expenses associated with increased cybercrime are similarly skyrocketing, costing companies and insurers billions of dollars.
What you may not know, however, is what to do when your business experiences a ransomware attack. Accordingly, the five steps detailed below describe actions that your organization should take immediately to reduce the impact of the attack.
1. Contact Your Cyber Insurance Company
If you suspect that your business is experiencing a ransomware
attack, immediately contact your cyber insurance carrier,
regardless of the coverage you have. This step is critical to
securing the necessary resources to minimize risk and mitigate
harm. Cyber insurance carriers are prepared to connect you with
leading cybersecurity attorneys, forensic firms, and other
professionals who will be able to assist you further. If you do not
have cyber insurance, you should strongly consider obtaining
it.
2. Do Not Initiate Communications With the Threat
Actor
When your organization suffers a ransomware attack, the threat
actor will usually leave a ransom note that provides instructions
for communicating with the actor. To increase pressure to pay a
ransom, the actor may also implement a countdown that begins once
you establish contact. The actor may threaten, for example, to
double the ransom amount if you do not pay the initial demand
within 96 hours or to publish data taken from your environment. As
such, refrain from contacting the actor to avoid triggering a
countdown that could lead to the threatened consequences.
3. Contact Your IT Team
Your IT team is in the best position to help secure your systems in
response to a ransomware attack. Leveraging your IT team's
knowledge about your digital environment can help you swiftly
identify potential vulnerabilities and implement necessary security
measures. For instance, your IT team can quickly disconnect your
network access or ensure that all Remote Desktop Protocol (RDP)
ports are closed to the internet.
4. Preserve Digital Forensic Evidence
Preserving relevant forensic evidence is a critical, but often
forgotten step in responding to a ransomware attack. Reformatting
(or "wiping") impacted servers and workstations in an
effort to restore the organization's operations destroys
forensic evidence. Thus, before reformatting infected servers or
computers, make a copy of the impacted devices. Save all available
logs before they automatically roll over, too.
5. Develop and Follow a Communication
Plan
Carefully consider any communications about the ransomware attack
before issuing them to internal and/or external parties and avoid
making unnecessary public statements. If possible, craft
communications with the assistance of experienced cybersecurity
attorneys or public relations professionals.
Implementing the above five steps in response to a ransomware attack will help an organization reduce the negative impact of the cyber incident. Next month, we will discuss proactive steps an organization can take before a ransomware attack, which will help the business respond in the event that an incident actually occurs.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
