You don’t need me to tell you what a ransomware attack could do to your business. We’ve all read the stories. Even the largest multinationals have been crippled by malware encrypting or stealing sensitive data. The result is a Hobson’s choice for IT managers: pay the criminal gang an exorbitant ransom demand or face costly downtime, reputational damage, and regulatory scrutiny.
Thankfully, your fate is in your hands. Ransomware attacks aren’t random. Like most crimes, perpetrators deliberately target the vulnerable and weak. Your job is to make sure that your organisation’s network is resilient and secure and, should the worst happen, you’re well prepared to withstand even the most sophisticated assault.
What not to do
Some customers come to us because they’ve been victims in the past. We’ve noticed common themes in their experiences.
Some organisations see disaster recovery planning as an annual box-ticking event. Team leaders go through their checklist and make decisions by committee. But malicious technology evolves quickly – a plan that has been gathering dust for months will not be effective in a ransomware attack.
Sometimes we’ll ask if a company has a current, agile plan and they’ll say ‘we’re working on it.’ Villains won’t wait for you to be ready before planting their code. And coming up with a plan is only half the exercise. The plan needs to be tested regularly and thoroughly to be sure you’re in a fit state to combat ransomware.
5 steps to a rock-solid ransomware plan
Talk to your trusted partner
When faced with a blank page, it’s helpful to talk to someone who’s done this kind of thing before. Start with your trusted IT partner, who can offer nuggets of advice. Once you’re up and running and have detailed technical questions, they can introduce you to experts like us to help get you over the line.
Draft something
Don’t wait for conditions to be just right to create your plan. Perhaps you’re waiting for an important stakeholder to free up time or a digital transformation programme is chewing up resources. Or maybe you have a plan, but you’re waiting on internal buy-in before communicating it more widely. That’s perfectly understandable, but I’d argue you’d be doing criminal hackers a favour.
If you haven’t drafted anything yet, make a start, even if it’s a dozen bullet points on a single page of A4. If your plan is languishing in development limbo, send a note explaining that this is what will be implemented in the case of an attack, pending anything better.
Effective ransomware plans are always a work in progress and subject to change anyway. Just like the data they’re protecting, come to think of it.
Document and communicate
A plan can’t work if it can’t be implemented. That means it must be written down, shared with the right people, and stored somewhere easily accessible. Once you’ve drafted something, talk it through with the people that matter in the event of an attack. Get their feedback, suggestions and buy-in, and make sure they understand their role.
Once that’s done, make sure you keep a copy of the plan somewhere safe. There’s no sense having a ransomware recovery plan if it’s encrypted by the same malware it’s supposed to help you recover from. An online storage service is your friend here, or a secure server housed somewhere off-site.
Prioritise your assets
When it comes to ransomware recovery, it pays to act fast. The faster you can restore business-critical applications, the sooner the business will be back up and running. And the faster you identify potential data exfiltration, the sooner you can start communicating with those affected. Reputations can be won or lost in times of crisis.
An essential part of planning, therefore, involves prioritisation. What are the most important applications? Do they depend on other parts of your IT estate? Which data is most sensitive and how will you manage stakeholder relations in the event of a breach?
Road-test your recovery
Traditional disaster recovery exercises lean heavily on role play and theoretical exercises, and they don’t factor real-life variables, such as network congestion, into the scenario. A healthy dose of imagination is needed to appreciate the urgency of a ransomware attack. These exercises are unlikely to prepare you for the stress of an attack, or to provide actionable insights into where your plan needs a tweak or how you can train your team to respond to unanticipated events.
Thankfully, it’s now possible to simulate a ransomware event in a live environment. Using sample data sets, you can put your recovery orchestration plan through its paces, get a better view on how unexpected variables might affect recovery times, and ensure your plan is bomb-proof.
Start preparing now
Faced with the very real threat of ransomware attacks, many companies hesitate. More and more stakeholders are added to the planning process, making it unwieldy and slow.
The best-prepared IT and security departments understand this and adopt a nimbler approach. They start small, iterate, and improve. The plan is tested and amended at regular intervals. It’s presented anywhere in the business that may be affected by a breach. In the event of an attack, the team is well trained and prepared to respond.
Ransomware attacks are a sad fact of corporate life. But with the right preparation and tools in place, IT security leaders can manage the threat and ensure a swift recovery.
To learn more about planning and preparing for a ransomware attack, view our on-demand session at rubrik.com/forward.