As Broadcom Software knows, ransomware, once obscure outside of the cybersecurity world, is now a household name as major companies, governments, small businesses, and critical infrastructure have spent time in the crosshairs, sending leadership scrambling for a best practices playbook.
An RSA panel of experts ran a simulation to show CEOs, CISOs, and boards of directors how to prepare for and execute a multi-faceted response to a ransomware attack. The simulation centered on the plight of Respectable Plastics, a fictional, mid-size U.S. plastics manufacturer hit with ransomware delivered through a phishing email to its vice president of operations. Respectable Plastics faces a double extortion attack: the attackers threaten to leave its systems inoperable and to publish sensitive information if the company does not pay within three days. The stakes could not be higher. Respectable Plastics is exposed to significant financial and legal risk and must halt core logistics and manufacturing operations until it gets the situation under control.
Respectable Plastics may be a made-up company, but the threat it faces is all too real for a growing number of organizations. Last year saw a surge in ransomware: two-thirds of mid-sized organizations worldwide experienced an attack, and the average ransom payout increased five-fold. High-profile incidents like the Kaseya supply chain attack and the spread of double extortion tactics have only raised the stakes, forcing companies to take a serious look at their response capabilities and formalize a plan.
In a mock series of board of director meetings, the cybersecurity experts on the RSA panel role-played how to deal with everyone from government agencies such as the FBI and CISA to insurers, customers, and the media. They laid out a strategy for negotiating the ransom, enlisting outside resources, meeting legal and shareholder obligations, and repairing the company's reputation. Among the key takeaways:
Err on the side of prompt disclosure and transparency. From the outset, the fictional company decided to notify CISA and the FBI about the breach even though no specific regulation required it. It got out in front to inform customers, using strategic sequencing, and briefed employees on the assumption that the details would leak and that it was better to be transparent first. At the same time, the communications team developed core messaging points tailored to each stakeholder audience. "Be as transparent as possible, providing the right amount of information to the right people without getting too far in front of the investigation," said Preston Golson, principal director at Brunswick Group, a firm that counsels on cyber incidents; Golson played the communications lead in the RSA simulation.
Enlist the right help. In addition to its own cross-enterprise crisis management team, made up of people from security, legal, and communications, Respectable Plastics also hired some big guns to make sure it was properly prepared for each step. It contracted an incident response team that helped with risk evaluation and mitigation, along with a specialty firm experienced in negotiating with ransomware gangs, including communications over the dark web.
To pay or not to pay. That is always the question, and there is no black and white answer. In this case, the fictional Respectable Plastics weighed the decision on logistical and legal grounds. On the logistics side, a company must already have a way to acquire and transfer cryptocurrency if it decides to pay; Respectable Plastics turned to a third party to handle that. On the legal side, there is liability risk in paying attackers who may be sanctioned by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC). Organizations need to do everything in their power to make a good-faith effort to comply with these regulations and to make the proper disclosures to the government.
Preparedness helps but isn't a panacea. The fictional Respectable Plastics did almost everything right: it formalized a playbook, conducted tabletop cybersecurity exercises, enlisted outside experts, and invested in the right technologies, all well before the attack. Even with meticulous planning, there were resiliency and disaster recovery gaps and many unknowns the executive team had to navigate. "You can't underestimate the value of preparedness, but no good plan survives contact with the enemy so you have to make sure there are processes in place that can adapt to where the facts take you," said Suzanne Spaulding, former Under Secretary at the Department of Homeland Security, a commissioner on the Cyberspace Solarium Commission, and now at the Center for Strategic and International Studies, who played the CEO.
To learn more on how Broadcom Software can help you modernize, optimize and protect your enterprise, contact us here.