How to prepare for cyberattack recovery

In 2022, nearly 60 per cent of Canadian organizations were hit by a ransomware attack compromising hundreds of thousands of records.

Ransomware payments are continuing to rise and the price of ransomware remediation almost always amounts to more than the cost of the initial ransom. Given the extra hours devoted to reassuring customers, the shareholder lawsuits businesses need to defend, and the outsourced IT and cybersecurity deployment, business downtime can be extremely costly.

Sophos says the average bill for resolving a ransomware attack, including downtime, network cost, and lost opportunity comes to about $1.85 million. For most, this loss can be debilitating.

Immediately following a cyberattack, business leaders have many areas that need attention. In a high-stress situation like this, it’s easy to let certain things fall through the cracks. However, with a recovery plan implemented far in advance, businesses can ensure a smoother road to recovery — one where each department knows its role and everyone is working in tandem to triage the situation and get back to business.

Putting a plan in place

The preparation phase is often overlooked, and this is especially true for businesses that have never been hit with a cyber-breach. Before a plan is drafted, there needs to be consensus across the organization — companywide buy-in is essential.

Once key decision-makers and teams are on the same page, it’s time to draft a preparedness plan. The most effective strategies will factor in employee training and IT hygiene because employees are often the weakest link in a cyberattack.

Given this, it’s imperative to set clear email and internet policies. Leadership teams should also be trained to respond as a cyberattack unfolds. In terms of IT hygiene, having a comprehensive patch-management program is a great way to prevent and minimize the effects of a breach. However, as we’ve seen with recent high-profile cyberattacks, often by the time a vendor has released a patch, cybercriminals already know how to exploit the vulnerability, and it’s too late.

Additionally, multi-factor authentication is vital to adding an extra layer of security, primarily when employees use the same password across various accounts, and credential vaulting to “check-out” and “check-in” administrative credentials for servers and critical services. It’s also important to keep detailed security and access logs. Not only can they help identify a potential attack before it happens, but they can help identify the source of an attack after the fact and serve as required proof of compliance to regulatory agencies. 

Reducing attack impact

There are multiple ways to minimize the unexpected costs of a cyberattack. The most prepared organizations anticipate these well in advance and put measures in place so that when an attack does hit, the business isn’t so compromised that it’s forced to shut its doors. The first step is to thoroughly understand what your cyber-insurance does and does not cover, and what requirements might exist to ensure coverage. Understanding the limitations of your plan sheds light on the areas that may need extra focus.

Once you’ve done that, turn your focus to your organization’s data retention and deletion policies. Compliance and regulatory fines can be incredibly costly. Minimizing the amount of data you have on hand at a given time means less data is at risk of getting compromised. This will also give you a better idea of what data is worth recovering. Other things to do include frequently backing up data so that it is recoverable and adopting a tiered security architecture so you can improve data accessibility.

Recovering after a breach

Once an attack has occurred, you’ll likely notice a note outlining the attacker’s demands. At this moment, you have a choice to make. Will you pay the ransom or not? Although there is no guarantee about whether the attacker will truly decrypt or recover the compromised files, at this point your priority is to minimize damage and get back online as quickly as possible.

By leveraging the response plan that you put together proactively, business units should clearly understand the timeline as they work to restore applications. Additionally, as you work with forensics experts to uncover details about which types of data were compromised, keep in close contact with your cyber-insurance provider, law enforcement and any relevant regulatory agencies. Information such as whether encryption measures were enabled during the breach and the status of preserved data should always be relayed to them.

As your organization begins to recover, restoring to an offline sandbox environment can help your team to identify and eliminate persistent malware. Ultimately, the most important thing during this time is to keep a constant and open line of communication between everyone involved in the recovery effort. Keeping customers, business partners, investors and employees in the loop will limit frustration and save time and money.

In today’s cybersecurity landscape, an attack is inevitable. Even those who take the most stringent measures to protect against one are vulnerable. However, using the above best practices, it’s possible to create a comprehensive strategy that helps your organization recover more quickly and efficiently following an attack.

Andy Stone is the Chief Technology Officer for the Americas at Pure Storage.