Ransomware – Crisis Management at the Heart of Resilience

« This malicious act is one of the most powerful business models in cybercrime today. It can cost companies as much as $40 to $80 million USD to regain access to their data. It can also jeopardize their business or even their survival. »

The losses are also human, particularly when hospitals and life-saving medical equipment are targeted. In September 2020, medical personnel were unable to save a patient admitted to the emergency room of the Düsseldorf hospital as a cyber attack blocked all the facility’s systems and data.

Understanding the business value chain

In light of the surge in attacks, « organizations must readjust their mindset around security regarding ransomware, » says a recent Accenture report noting that recovery strategies tailored to traditional business continuity plans are no longer sufficient.

« Prior to and after the attack, ransomware management is too often a technical matter, i.e. focused on technical investigation » notes Cédric L’Ollivier, Associate Director at Accenture Security, in charge of Cyber Defense Services for the Gallia region (which includes France and Benelux). « Crisis prevention, treatment and remediation are very often managed by the IT and security manager, although all technical, operational and administrative departments are involved. »

According to L’Ollivier, companies must include all of their departments in their ransomware approach: « The approach must include a complete mapping of its critical assets and processes to fully understand its value chain, list all the impacted systems and associated applications, and identify the people responsible for the business, » he advises. « The goal is to define and prioritize the right responses in the event of an attack, in order to minimize the operational, financial, image and reputation risks. » The main objective remains operational continuity: according to Deep Instinct, the average response time of an organization to a ransomware attack is about 2 working days.

Furthermore, « cyberattackers remain in corporate networks for about 11 days before being detected. And they are often not detected until their ransom demand is notified to their victim, » Sophos says.

« It takes an average of 18 days for a company to restart production, » Veeam estimates. « Likely due to the scope of the issues associated with addressing what was affected, but also due to the diligence required to ensure that the restored systems are ‘clean’ before being put back into production. »

Involving executives and addressing the business ecosystem

Accenture also observes that emergency planning does not often include executives. « During the crisis, however, very important and critical decisions must be made: should the network be shut down, should production be stopped? When, where and how to restart the business, what are the priorities… », lists Mr. L’Ollivier. « By preparing and getting involved beforehand, the CEO, the management committee or the board of directors can help the company recover more quickly. »

Another important point is that existing crisis communication plans lack transparency and flexibility to adapt to new cyber complexities. They may not always be up to date, adapted or tested, and may not involve the right personnel. Without boundaries, ransomware has an impact on the entire ecosystem of an organization: from investors, suppliers and trusted third parties to customers, including employees and administrative and operational functions.

Modernizing crisis prevention

« Any crisis response strategy must therefore take into account the full range of affected parties, » concludes Accenture. In addition to business and IT, various departments become involved during a crisis: legal, HR, marketing/public relations, etc.

« A communication strategy must be flexible, taking into account the complexity of a cyberattack, which often evolves. When a system is impacted, there are often some lateral movements, data leakage… », adds Mr. L’Ollivier. « Also, companies must be able to communicate transparently and openly, carefully, on time, to the right people, at the right time. » The content of the various communications with the different parties and the identification of the communication channels must be prepared beforehand, as well as the requirements regarding reporting, audiences and timing.

A cyber incident response plan must therefore take into account the entire company ecosystem: from employees to management, operational, technical and administrative teams, without neglecting the external ecosystem such as suppliers, customers and authorities. The identification of all parties and the related communication needs are therefore essential in the preparation of the plan. Once the plan has been approved with the various parties involved, it is important that they be made aware of it and trained so that everyone is familiar with it. Finally, the plan must be tested during crisis simulation exercises and regularly updated, as the industry and the threat landscape are constantly evolving.