What boards should do after a ransomware attack

by Stephen Conmy


Members receive exclusive insights and opportunities

The Corporate Governance Institute provides it's members with exclusive content, a network of directors and business leaders, details of available board positions, and the tools and resources required for a successful governance career.

Learn More

Already a member? Log in here

The recent surge in cybercrime is attributed to increased levels of connectivity, remote working, reliance on technology, and automation. Here’s what to do after a ransomware attack.

Data from Diligent shows that €15,000 is lost every minute due to phishing attacks, globally. Chief information security officers say mobile devices are now challenging to protect from cyber threats, and executives in the C-suite are 12 times more likely to be a target of phishing attacks and malware. Worryingly, Diligent’s research also found that 51% of EMEA board members use their personal email for sensitive board communications.

Board members of organisations should know that cyberattacks, such as ransomware attacks, are more likely to occur than not. A ransomware attack will either encrypt your data or will shut down your IT systems unless you pay a ransom to get back in.

The loss of critical data in such a scenario could have catastrophic effects on your organisation. The average cost to an enterprise business for a data breach is £2.8 million. Over half of all UK businesses have fallen victim to cyber-attacks or security breaches in the past year. As a company director, the first thing you need to do is make sure your IT team takes care of the basics and calls in cybersecurity experts to help and advise on the situation.

Get specialist help

If you’re not on the board a large firm with a dedicated cybersecurity team, you probably won’t have the internal resources to resolve a problem like a ransomware attack.

Your IT team will need to hire a company specialising in ransomware to guide your data recovery efforts.

Working with specialists and advisors with previous cybercrime experience is essential, even if you consider paying the ransom.

Examine the ransom note

Take a screenshot of the ransom note using your phone. The note will include payment information and a threat. There will be instructions for how much to pay, where to send the payment, and what happens if you don’t. Ransom notes help cybercrime experts identify the particular ransomware infected with your device. The ransom note may also give the cybercrime experts an idea of who carried out the attack and how likely they are to release your data if they get paid. The screenshot is also needed for filing a police report and notifying your insurance provider.

Isolate the infected devices

Your IT team must quickly isolate the infected devices. Even after the ransomware encrypts a particular file, it won’t stop there. The virus will spread to shared storage, other devices, and the network as a whole.

Your IT team must take immediate action if your system has been compromised. Your existing network drivers may have been encrypted by ransomware. However, it may not have found your cloud backups. Any of your backups that were not connected to the network during the attack are also safe.

Your IT team should isolate and remove infected machines from your network immediately after finding them, so they do not pose another threat.

Identify the source

Your IT team will check your network for infected devices and disconnect them. Misconfigured and outdated software makes your system more susceptible so that they will look in this area first.

Identifying the first infected device is quite tricky in larger organisations with so many people and possible sources of the point of entry. Your IT team must find out who was first targeted by the attack by talking to the employees.

Find out if anyone clicked on a link in an email that caused the ransomware to infect their system. Did their browsers prompt them with unusual instructions? Did anyone notice anything suspicious?

If you can isolate the exact source quickly, you could limit the infection.

Analyse your backups

In most cases, restoring your systems from backups can restore your data and avoid paying the ransom. Cybersecurity consultants recommend that corporations regularly backup their data to prevent this sort of problem.

Any recent data that has not been infected by ransomware can be recovered, and your IT team should do this immediately.

Should you pay the ransom?

Making this decision is not easy. Unfortunately, many organisations facing a ransomware attack find themselves in a bind and must pay the ransom.

In most instances, the loss of data is much more costly than the ransom fee. In the majority of cases, once they are paid, the hackers will give you a key to release the data, and everything returns to normal.

Nevertheless, there are risks involved. These are online thieves who lack integrity, and sometimes access isn’t returned, and organisations lose both money and sensitive data.

In addition to sharing information on organisations and how easy it is to infect them with malware, cybercriminals also target companies known to pay hefty ransoms. Most ransom payments are demanded in Bitcoin.

The official line from all state-sponsored cybersecurity agencies is ‘Don’t pay the ransom’. They believe that paying encourages more cybercrime.

Before making any decisions, consult the experts. There are no simple solutions to this problem, but as a board member, you need to be aware that following a cyberattack speed is of the essence. Shut down the infection. Consult with cybercrime experts. Decide on whether or not you must pay the ransom (this is a cost-benefit analysis). Inform the authorities and your insurance provider.

The most important consideration for the board should always be: ‘Prevention is better than the cure’. Cybersecurity needs to be on the agenda at every board meeting. As a director, it is your job to ensure your organisation’s digital systems are as robust and protected as possible. Everyone in the organisation should be aware of cybersecurity. Ask yourself, is everyone in the organisation trained to spot suspicious activity? Do they know what phishing is? Do they understand how ransomware attacks happen? Consider annual, company-wide awareness and training sessions. Read more here.

Download our free eBook: A cybersecurity guide for board members

Related Posts