As I was about to write this article, I saw a post in LinkedIn from Rob Burton quoting the Top 3 concerns of business continuity professionals according to the BCI Horizon Scan 2017. Not surprisingly, number one on the list is cyber security. (Followed by data breach and unplanned outages).
Cyber security as a topic can take on many forms including unauthorized access, network penetration, vulnerabilities, phishing and notably – ransomware.
First, let me say that if you haven’t included cyber security in your crisis management program, you need to do it – NOW. I have expanded my crisis management portfolio to include cyber for two clients and in both cases I was able to successfully utilize the same response protocol for cyber that we were already using for crisis management. This is important as you don’t want to confuse the responders by implementing disparate response procedures for different types of incidents.
A valuable tool that I have developed is the Cyber Security Playbook which walks the Crisis Management Team through the necessary steps to determine how to respond to an attack. One of the sections of the playbook focuses on ransomware and it outlines the decisions that need to be made when evaluating the ransom demands. (If you want help developing a Cyber Playbook for your organization, let me know).
The Playbook is based on the fact that there are several factors to consider when deciding how to respond to a ransomware attack. Will you pay the ransom? Will you notify law enforcement? Will you inform the public / media? Is there a specific privacy issue that requires notification of whatever privacy commission you report to? Do you need to notify customers? What are the risks to the business or to key employees (executives) associated with the attack? Let’s look at a couple of these questions a little deeper.
Too pay or not too pay, that is the question. I was at a cyber conference in Toronto a couple of months ago. The first speaker said that they have no default position when it comes to paying ransom. His organization would evaluate each case and decide if they were going to pay based on the circumstances. The next speaker told us that they never pay ransom and that, for his company, this isn’t negotiable. Another speaker said that his company begins the conversation by having a default position of not paying ransom and will only pay if there is a compelling reason to do so. What could compel them to pay? While there are several possible scenarios – the most likely would be their inability to recover whatever system / platform was locked or the hacker group’s threat of what they would do with the data if the company didn’t pay. The decision is ultimately based on a time sensitive risk assessment based on factors including the amount of the ransom, your company’s ability to recover the system internally, the credibility of the hacker group’s decryption tool, impact of downtime, inherent risk to the company, the hacker group’s threat if you don’t pay and the threat of recurring attacks.
What about law enforcement? In the same Toronto conference, we saw two different points of view on this question. Members of law enforcement lobbied to be involved by default. Lawyers were less enthusiastic about engaging law enforcement because they were concerned about losing control of the situation, having information go public and having the cybercrime teams combing through their data. Some ransom demands specifically say “no law enforcement” and this, too, is a factor.
Should you proactively engage the media? If there has been a breach because of a negotiation that went sideways, the public relations fall-out will need to be managed. But as we learned from the Equifax situation, you can’t hide it. Things to consider here include whether data was breached, the sensitivity and scope of the data breach, whether or not you paid the ransom, the potential impact to your brand / company reputation and predicted response of the public.
Your team will also need to consider if regulators need to be notified, how/what/when to notify customers, what to tell your employees, how to respond from a technology standpoint to mitigate the risk of future attacks, how to handle the forensic audit of the attack, and more.
Beyond the Decisions
Depending on the answers, you’ll need to define a communications strategy and a remediation plan. The communications strategy should include pre-scripted templates to allow for a consistent message to be developed and delivered to various parties. Your strategy will also need to define how the Crisis Management Team and affected business units will receive updates throughout the recovery process.
The remediation effort will include how to obtain decryption keys (if you decide to pay the ransom), how to take the systems offline for a forensic review, and how to recover the systems internally.
Cyber security, including ransomware is not just a technology related incident. Integrating your cyber response with your crisis management protocol is critical and goes a long way towards making your organization more prepared to deal with a cyber security incident. Engage your crisis management team in your cyber security tabletop exercises and understand the business decisions that you need to address. Integration of these two critical groups is a key component in the success of your program.
Mark Hoffman, CBCP is a senior crisis management consultant operating out of Toronto, with clients in Canada, the United States and Caribbean. Mark can be reached via Email: firstname.lastname@example.org or on Twitter: @mhoffman_cbcp or via ICMC.