Four Key Steps a CIO Should Take after a Ransomware Attack

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise technology. In this feature, Veeam CIO Nate Kurtz offers a commentary on key steps enterprises need to take after they’ve suffered a ransomware attack.

The infamous MoveIt tool threatening enterprises everywhere has, of late, begun breaching companies that don’t even use it, simply because their business partners do. Cyberattacks are proliferating with concerning ease and speed, and not everyone is prepared for it.

As a CIO myself, I’m keenly aware of the pressures CIO’s face, and have worked alongside Veeam’s own CISO to develop a strategic, targeted response to cyberattacks. What I’ve found is: there are four crucial measures to an effective post-attack response.

After a Ransomware Attack

Observe

When faced with a ransomware attack, our first instinct from a security perspective is to eliminate the threat and resolve the issue. Truthfully, this isn’t the best move.

Instead, a CIO should first focus on quickly isolating the bad actor within the environment. Sequestering them without removal is helpful because 1) it prevents the bad actor from harming other parts of the environment, and 2) it allows you to observe their actions. Eliminating or resolving the threat is tempting but it often prevents the opportunity to analyze the threat actor’s actions, which can reveal a lot about their intent, target, and strategy, as well as the company’s own vulnerabilities. It is also critical to understand the extent of the compromise both from a systems and data perspective.

Critical observation will help CIOs gain a better understanding of how the threat actor operated, and down the line, this knowledge will also help develop a proactive approach for the next ransomware attack.

Correct

Now that you have a comprehensive understanding of how the attacker infiltrated your company, you can take corrective measures.

What do ‘corrective measures’ entail? Namely, removing the threat, patching up the attack vector, recovering systems and data, and addressing any other damage the attacker may have caused. Once a CIO has done the necessary footwork to obtain valuable data on attacker intent, behavior patterns, knowledge, and impact, it’s high time the attacker be eliminated. In the observation stage, the attack is siloed off to prevent them from accessing and harming more of the company’s data processes. Pull the necessary tools required for removal and do so with the knowledge that they will not be able to

immediately return through their original breach, or any other potential vulnerability visible to the artificial eye.

Once the attacker’s presence has been removed, a CIO can review the damage done in full, checking through valuable data, backups, logs, and what seems to be missing and if it can be recovered or has a copy, and what may require further action.

Prevent

With the threat actor removed and the breach secured, CIOs can kick off preventative measures to avoid undergoing such an attack again. Scanning security measures will help identify any immediate gaps or vulnerabilities in your attack surface.

While an attacker may not return to the scene of the crime for another go, knowing their point of attack can help patch the vulnerability and protect against another threat. In reviewing the criminal profile stemming from the attack, as a CIO, you must focus on the key variables at play: the target, the attacker’s identity, the actions they took, and the impact they caused. These factors are crucial to determining next steps to reduce future risks. Identify the pattern of behavior to determine if similar activity could cause another, or wider, breach.

Security vulnerabilities are often seen as technical issues, but the biggest risk is the people working within the organization. Most attackers enter companies through human engineering – phishing scams or the like, preying on the distracted employee. In such cases that lead to an attack, you could immediately restrict or lock down access for employees to avoid further harm.

Only when you have taken all the precautionary measures above to reduce or eliminate further threats can you move on to stage four: relaying the news.

Notify

It’s never fun breaking the news of a ransomware attack to your stakeholders. But transparency is valuable to retaining trust and loyalty while keeping the industry informed about emerging threats.

You must be purposeful in your notification. Sharing everything without a plan not only risks the company reputation, but also leaves you vulnerable to future attacks. Instead, start by reaching out to key parties – the board, the company’s legal team, and business stakeholders. If there has been a loss or theft of customer data, this can open the door to legal repercussions. Coordinate with your legal team and board to align on messaging and what information on the attack can be shared, with whom, and when.

It can take days to weeks to address an attack sequentially and thoughtfully. By this time, you will likely have the information to provide and be able to reassure customers of your company’s commitment to protecting their data, and the actionable steps taken to prevent more attacks. Doing so demonstrates customer value, helps retain customer loyalty and trust.

What Comes Next?

While ransomware attackers don’t normally target the same gap twice, they can, and likely will, strike again. Taking a backward approach and securing already-breached zones is not going to be effective for long. Instead, CIOs should consider the potential vulnerabilities and targets to get in front of before an attack can occur.

In the end, CIOs that follow the post-ransomware attack procedure, in whatever capacity, should operate with a primary goal in mind: To secure the future of the company.