How well would you handle a ransomware attack?

We all like to think that if a catastrophe like a ransomware attack were to occur, we’d know how to handle it. So, if you went into work, switched on your computer, and saw this message, you’d know exactly what to do, right?

Well, no matter how confident you may be, or how capable your organisation is at handling a disaster, you’d be surprised at what you might not have considered.

At our conference this year, we were lucky enough to be joined by the Regional Cyber Crime Unit (RCCU), who kindly put on an Incident Response Workshop to test our readiness regarding potential cyber threats. The workshop was an eye-opener, highlighting areas of concern that some of us realised we hadn’t thought much about.

In this blog post, we’ll cover a few questions brought up during the workshop that perplexed the room – things your organisation might want to ensure it’s got covered.

What’s your first instinct?


If the first member of staff to arrive at the office and switch on their computer were greeted with such a distressing message, what would they do? Are there procedures in place that they can follow should this ever happen? The most sensible thing for this person to do is to switch off the computer and call a manager or the IT team. For this to happen, it’s crucial that staff have the relevant phone numbers to hand so that they can easily get in contact in such an emergency.

Once the issue has been raised to the appropriate person, and it’s become a waiting game, what do you do in the meantime? Do you go home? Sit around twiddling your thumbs? Your business is mostly conducted online, and it’s not exactly safe, or maybe not even possible, to boot up the computer and carry on like normal. Are you stuck not knowing what to do with yourself? Or do you have a business continuity plan on paper that you can refer to?

Do you have a paper business continuity plan?


That’s right – it’s always a good idea to have a business continuity plan (BCP) on paper, kept in a memorable place where all staff can find it. Today, more than ever, business is being conducted almost entirely digitally. While this is great for convenience, it also means your business grinds to a halt when the computers are out of action. If your network is compromised or your digital data has been snatched, a business continuity plan that’s being kept on your PC isn’t any good.

By having a detailed plan on paper that outlines what your organisation’s game plan is in situations like this, you can avoid a “now what?” feeling if you’re suddenly taken offline. Are there any tasks you can move to pen and paper for the time being? Who should take charge regarding enacting the BCP? What needs to be recorded, and where?

When everybody at the conference was asked to raise their hand if their organisation had a hard copy of a business continuity plan, and they knew where exactly to find it if they needed it, about half the room put their hands up. Many businesses don’t consider the possibility that they could be taken offline and have their BCP rendered inaccessible.

Have a physical BCP to hand. Make sure your staff know where it is. Don’t let your reliance on technology leave you stranded.

Who do you tell about the incident?


Now, here’s an issue brought up in the workshop that made a lot of us scratch our heads: who needs to know about this? If your company’s data has been compromised, and your business can’t continue as usual, you’ll have to say something, right? It wouldn’t be professional to just pause operations and not let any of your clients know, would it?

Well, the recommended approach would be to first ensure that all staff are aware of the issue and have been instructed to stay offline. Are there any staff members who work remotely and therefore need to be notified of the situation? Make sure that all staff have been alerted to the issue (via an external means of communication, such as a WhatsApp group or phone call) so that everybody knows to steer clear and wait for the situation to be resolved.

Are you consistent in your communication?


It’s entirely possible that there are some key clients you’ll need to make aware of this. But before you start letting people know the problem, take time to craft an approved message providing an explanation of the situation, an apology for any inconvenience, and reassurance that business will be back to normal as soon as possible. This should become the official company response to prevent any conflicts in communication, which can happen when one staff member tells a customer about experiencing “technical difficulties”, and another gives more detail about the actual situation.

Not only would this seem unprofessional, but it could make the situation appear chaotic and out of control. Your clients, if they caught wind of all the different messaging floating around, might think your operations were in complete disarray. This would reflect negatively on your company’s image.

So the solution is simple: approve a baseline message that’s going to go out to whoever is necessary, and ensure all staff stick to it.

Should you pay the ransom?


In this situation, do you give in to the cyber criminals’ demands? They’ve promised you that the data they’ve stolen won’t be made available to the public so long as you pay them a handsome sum. Can they be trusted?

According to Coveware’s quarterly report, the proportion of ransomware victims who decide to pay is in decline. Q4 saw the figure at 29%, having fallen from 41% in Q3 2023, 34% in Q2, and 45% in Q1. The drop is attributed to factors such as a lack of trust that cybercriminals will hold up their end of the bargain, and an increase in organisations’ capability to recover from such incidents.

The Regional Cyber Crime Unit emphasised during the workshop that there’s no objective correct response, but that there are a few things to consider when deciding the best course of action.

Can you trust the cybercriminals to “honour the deal” and hand the data back after you’ve paid the ransom?
By paying the ransom and lining the criminals’ pockets, are you then enabling them to continue their attacks on other businesses?
Could you recover from this incident without giving in to the cybercriminals’ demands?

Do you have backups of your data?


Finally, the big question: does your organisation have backups of its data in case of loss or theft? Having multiple copies of your data is crucial to a disaster recovery plan – otherwise, losing your data could be a real catastrophe, and you’d have to rebuild your business from the ground up.

Some effective data backup options include removable media (such as discs and flash drives), external hard drives, and cloud backup services. Whatever method works best for your organisation, it’s best practice to ensure your data is always backed up. It’s better to be safe than sorry.

What did we learn from this experience?


Overall, it turns out that there’s always something you haven’t given much consideration to. Your organisation could have the most secure systems in the world, the most detailed business continuity plan, and all the data backups it could ever need, but there’s bound to be at least one thing that needs to be given a second glance.

This is why we’re urging you now to take a look at your organisation’s plans. If you were to face a ransomware situation tomorrow, how would you react? What would your business do to handle the incident? Would it be able to recover? It’s dangerous to just assume that everything is all shipshape, because you never know where some cracks might be showing.

Recovering from a cyber attack


While a ransomware scare is a good example of cybercrime, and a fantastic choice for a hypothetical scenario to test our readiness, there are many forms that these attacks can take. It’s important to ensure your organisation is ready for any kind of potential attack it may be hit with, and is aware of the different remedial actions that each one would require.

We previously went into further detail about how to deal with cyber attacks, including ensuring that your organisation not only has adequate security measures in place, but also that all staff are trained to prevent these situations.

How can DPAS help?


Luckily, we provide expert training to organisations to equip them with all the necessary knowledge and readiness to not just handle these situations, but to help prevent them in the first place.

We also have courses in data protection, freedom of information, subject access requests, data ethics, AI, and more. Click to view our training courses and see what we can help your business with today.
