Establishing Business Continuity in the Aftermath of a Ransomware Attack
Nearly every business relies heavily on technology to keep its operations running smoothly. With the increasing threat of ransomware attacks, however, it’s crucial for businesses to have a well-thought-out plan for business continuity. Ransomware attacks can bring your business to a screeching halt, causing significant financial losses and reputational damage. As an example, the recent MGM cyberattack is estimated to have cost the company more than $100 million.
To ensure that your business remains resilient in the face of these threats, you need a comprehensive strategy that encompasses pre-existing protection, incident response, cyber insurance, and robust backups. In this article, we will delve into each of these elements and explain why they are vital for business continuity.
Pre-existing protection against malware threats
The first line of defense against ransomware attacks is pre-existing protection. It’s essential to have robust security measures in place to prevent malware threats like ransomware from infiltrating your systems. Here are some key aspects to consider:
- Security software: Investing in advanced security software with real-time threat detection and prevention capabilities is a must. These tools can identify and block ransomware attempts before they can cause harm.
- Employee training: Educating your employees about cybersecurity best practices is equally crucial. Human error is often the entry point for ransomware attacks. Teaching your staff how to recognize phishing attempts and suspicious links can go a long way in preventing such incidents.
- Regular updates: Keeping all software, including operating systems and applications, up to date is essential, especially with security updates and patches. Cybercriminals often exploit vulnerabilities in outdated or unpatched software to launch ransomware attacks.
Incident response planning
Even with the best preventive measures in place, it’s essential to have an incident response plan before an incident occurs. This plan outlines in advance the steps to take should a ransomware attack occur, ensuring a coordinated, timely and effective response. Here’s why incident response is crucial:
- Minimizing downtime: A well-defined incident response plan helps minimize downtime. When an attack occurs, you can swiftly identify and isolate affected systems, limiting the impact on your operations.
- Priority-based recovery: An organized and pre-arranged incident response means that your attack responders will understand and address recovery issues in the order of stated priority. This ensures that critical systems are restored first, allowing your business to resume essential functions.
- Preserving evidence: Incident response also involves preserving evidence of the attack. This is essential if you plan to involve law enforcement or pursue legal action against the attackers.
The role of cyber insurance
While preventative measures and incident response plans are vital, they may not cover all the costs associated with a ransomware attack. This is where cyber insurance comes into play:
- Cost defrayal: Cyber insurance helps defray the costs of recovery. This includes expenses related to data restoration, legal fees, and public relations efforts to rebuild your business’s reputation.
- Business continuity: Having cyber insurance can be a lifeline for your business during a ransomware attack. It provides financial support when you need it most, allowing you to focus on getting your operations back on track.
- Coverage considerations: It’s important to note that cyber insurance policies can vary widely. To get the most out of your coverage, you must adhere to security best practices. Many insurers require businesses to have robust security measures and incident response plans in place to be eligible for coverage.
The critical role of backups
One of the most critical components of business continuity in the face of a ransomware attack is having reliable backups. Without proper backups, your business could come to a grinding halt, and manual recovery may be the only option. Here’s why backups are so essential:
- Data recovery: Data recovery is the cornerstone of business continuity when dealing with a ransomware attack. It enables your organization to get back up and running with minimal downtime. Time is money, and the longer your systems are down, the more revenue and productivity you lose. In addition, effective data recovery ensures that your critical data remains intact and uncorrupted. Ransomware attacks can encrypt or destroy data, and without proper recovery mechanisms, you risk losing valuable information essential for your business operations. Beyond just data, a robust recovery plan should encompass the restoration of applications and systems as well. This includes configurations, settings, and the entire IT environment to ensure that your business can function as it did before the attack.
- Ransom avoidance: In some cases, having backups can enable you to avoid paying a ransom to cybercriminals. If you can restore your data from backups, you don’t have to negotiate with attackers, reducing the financial impact of the attack. Ransom payments are not only costly but also provide no guarantee that you will regain access to your data or that attackers won’t strike again. Paying ransom also raises ethical and legal concerns. Supporting cybercriminals through ransom payments can encourage further attacks and, depending on your jurisdiction, may even lead to legal repercussions, including for payments to prohibited recipients (a list, under continuing revision, provided by the U.S. Office of Foreign Assets Control). In addition, most ransomware attacks are now preceded by leaks of company data (exfiltration), the attendant legal and regulatory costs of which can far exceed the ransom amount.
- Testing and verification: Regularly testing and verifying your backups is essential. Backups that are corrupted or incomplete won’t be of much use during a ransomware attack. Ensure that your backup strategy is reliable and up to date. Testing backups allows you to assess the time required for data and system recovery, which is invaluable information when planning for business continuity because it helps you set realistic expectations for downtime during an actual ransomware event. As part of this, you should conduct scenario-based testing that simulates a ransomware attack. This exercise helps your IT team become familiar with the recovery process and identifies any potential gaps in your incident response plan. Bear in mind that cyber threats evolve, and your backup and recovery strategies should evolve with them. Quarterly or semi-annual testing is a good practice, but the frequency may vary depending on your organization’s risk profile and industry. Then document the results of your testing and verification processes. Detailed documentation of recovery procedures, potential issues encountered during testing, and lessons learned provides invaluable information during an actual ransomware incident.
Ensuring business continuity in the face of a ransomware attack is a multifaceted endeavor that involves implementing pre-existing protection measures, incident response planning, cyber insurance, and reliable backups, all of which play crucial roles in safeguarding your business operations.
By taking a proactive approach and investing in these key elements, you can reduce the risk of a ransomware attack crippling your business.
Steven W. Teppler is a partner at Mandelbaum Barrett in Roseland, and chair of the firm’s privacy and cybersecurity practice group. Contact him at steppler@mblawfirm.com.