Staring Ransomware in the Face

Some may call it luck. Others may call it doing a good job. Regardless, the fact remains that none of our fully managed IT clients have had to deal with ransomware.

You may be wondering why we’re writing about staring ransomware in the face if none of our fully managed clients have had to deal with it? Well, not all our clients are fully managed…

In December 2018, one of those clients was struck by ransomware through their parent company. The weeks (yes, weeks!) that followed the incident were frustrating and, in short, a bit of a nightmare for everyone involved.

The client was left unable to proceed with daily business, the corporate IT department of the parent company initiated a clean-up at scale, and our team were on the ground performing local IT support and recovery.

As with all blogs that we put out for our readers, we wanted to highlight some of the issues and what was learned from this experience.

Communication is key

The number of affected users across many sites and different time zones reached into the thousands. That should give you an indication of the business impact and the subsequent stress involved, which was significant. It was nearly impossible for people to operate at their best.

Meetings and conference calls were obviously taking place, but more than once information did not reach the places where it was needed, and stakeholders were going without vital information.

As the saying goes, ‘no news is bad news’. This was certainly the case here, and you cannot place a value on properly disseminating information from the senior team at the top to the workers down on the factory floor.

Complexities of legislation

When an organisation spans multiple countries, the complexity of legal compliance in the event of a system breach is tenfold compared to a small organisation within a single territory. You have to be focused on getting the business back up and running whilst also being mindful that lawyers require details from you to stay on the right side of the law.

In this particular incident, it was necessary to consider reporting requirements (such as GDPR), and how we might retain forensic information whilst trying to clean and recover a compromised system.

Check your documentation

This may seem like an obvious suggestion, but when you’re in the middle of an incident and you learn that nobody has the password for encryption on your LTO tape – it can be exasperating.

Documentation is for life, not just at the point of implementation. It’s important for corporate IT to inform the necessary individuals of any network changes. This will ensure a smoother recovery process if a stressful incident does take place, so you aren’t left without the vital information you need.

How do you prioritise recovery?

A business loss of $4 million a day was suggested during a conference call part way through the incident. Recovery was definitely being prioritised from the top down to get business back up and running, right down to the local level.

Again, ensuring that the necessary people are informed of what is and isn’t a priority will make for better communication and a faster recovery!

We suspect that every business has a different set of priorities in this type of incident, but it’s important that you know what your priorities are. What’s important to get up and running first? How do you keep your business functioning and ensure that you have a business at the end of it?

The value of hindsight

No business should have to experience ransomware and the potential devastation it can cause. By putting the right measures into place, there’s no reason why you should. Which is why none of our fully managed clients have had to deal with ransomware.

In the UK, it’s advisable to consider the Cyber Essentials certification for your business as a minimum ‘information assurance’ standard. This is a basic minimum, but it can prevent many of the potentially bad incidents from happening.
