Building a ransomware response team

A ransomware response team plays a critical role in ensuring that an organization never has to pay a ransom to cybercriminals.

Michael Mowder, Senior Director, Global Partner Success, Barracuda MSP

With the threat from ransomware and other types of cyberattacks growing, more companies are investing in technology that can help protect their data, networks, and applications. However, technology alone is not enough. Organizations must also prepare by developing an incident response plan that tells them how to use that technology when an attack actually happens. Just as important is the creation of an incident response team that ensures the plan is followed.

An incident response (IR) plan includes instructions to help your organization prepare for cyberattacks, respond to them in real time, and then restore operations. While technology plays a vital role, cyberattacks can cut across divisions and functions within a given company and may require the involvement of outside stakeholders (such as partners, customers, regulators, or law enforcement).

The goal of these plans is to minimize the damage from cyberattacks and, in the case of ransomware, to ensure that the company does not have to pay the ransom. In practice that means being able to restore systems and data from backups the attacker could not reach or alter, within a time the business can tolerate.

Building the Team

A critical first step is establishing an incident response team and defining each member's roles and responsibilities.

Who is on the team? There should be C-level sponsorship to ensure the success of the effort. The IR team should obviously include representatives from IT and cybersecurity specialists, and, depending on the type of organization, a physical or general security representative as well. There should also be representatives from each operating division, human resources, finance, legal, insurance, and public relations/marketing. If the company works with third-party VARs or MSPs, those entities should also have a seat at the table, since they may be the ones who actually operate the backups and security tooling during an incident.

Who is in charge? The team should have a leader, someone at a VP or management level with enough authority within the organization to direct the group's activities in an emergency. There should be a clear chain of command over who can invoke the IR plan and who can order company websites or other IT assets shut down or isolated from the network during an incident. Because ransomware spreads in minutes, that authority should be delegated in advance so responders are not waiting for sign-off while encryption is in progress.

How will the IR plan play out? Create workflow maps designating each team member's role, with guidelines as to when each step in the process should take place. Ensure that all relevant team member and stakeholder contact information is maintained and updated centrally so that everyone has access, and keep a copy of it outside the corporate network (for example, printed or on a personal device), since ransomware routinely encrypts the very file shares and directories where such lists are stored. Note alternative, out-of-band contact methods (personal mobile numbers, a conference bridge, a messaging app not tied to corporate identity) in case email and other systems are compromised or unavailable during the attack. There should also be plans to reach members if an attack happens late at night or over a weekend, which is when many ransomware attacks are deliberately launched.

Who does the talking? Communication is vital, so there should be a chain of communication to ensure that employees in each department/division are informed of what is happening and what they need to do. There should also be a designated liaison to the board of directors (for large or public organizations) and to the C-suite. Until the extent of the compromise is known, assume the attacker can read corporate email and chat, and keep sensitive incident discussion on the out-of-band channel.

When do you go public? This will vary based on industry-specific regulatory requirements and the degree to which the incident affects customers, clients, and suppliers. There should be clear rules as to when regulators or the authorities must be informed of a ransomware demand or data breach and when customers and suppliers should be notified; several regulatory regimes impose fixed notification deadlines measured in hours or days, so the legal representative should have those deadlines documented before an incident occurs. There should also be guidelines for public relations and managing media communication, given how swiftly bad news travels in our highly connected world. Outside parties will likely learn about the attack sooner than you expect (attackers often publicize victims themselves), so public messaging should be developed early and adjusted as the IR team learns more about the attack.

Drill, and then Drill Some More

Having a plan and a team in place is just the beginning. Regular meetings to discuss evolving threats, review past IR performance, and review relevant cybersecurity regulatory requirements are just some of the practices a team should adopt. These meetings also give team members a chance to get to know anyone who has newly joined the team.

Set up periodic drills to test the IR plan, identify communication gaps, and test data recovery and restoration technologies and processes. A tabletop walkthrough of a simulated ransomware scenario exposes gaps in roles and communication; a technical drill should go further and actually restore representative systems from backup, measure how long restoration takes, and confirm that the backups themselves are stored offline or in immutable form where an attacker with domain-level access could not have encrypted or deleted them. An untested backup is not a backup. This fire-drill approach will help reduce mistakes when there is an actual cyberattack.

Include a review process after each simulated and real attack, so team members can go over what went wrong, what went right, and how to better prevent and contain future attacks based on those experiences.

Ransomware attacks can paralyze an entire company and have long-reaching effects on its future solvency and customer relationships. With robust technology such as a zero-trust network architecture, regular secure backups, cloud security, and strong email security solutions, coupled with regular employee training around phishing, companies can substantially reduce the impact of most cyberattacks. However, there still needs to be an empowered incident response team to guide the organization through an attack and ensure that the technology is doing its job.

Michael Mowder is the Senior Director of Global Partner Success for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for the partner journey from on-boarding, to implementation, through professional services and finally, renewal.