Ransomware response hinges on war room setup, experts argue
In the digital age, the threat of ransomware attacks looms large for businesses worldwide. To proactively prepare for such an eventuality, companies are advised to establish a ransomware war room - a dedicated physical or virtual space for coordinated response efforts.
This war room should involve key external resources such as forensics firms, external counsel, human resources executives, communications personnel, business continuity experts, business application owners, help desk personnel, and others. Aligning internal stakeholders and outside experts in advance of an attack is crucial for an effective response plan.
Appointing a project manager and conducting tabletop exercises with all key stakeholders is beneficial. Red team officials can play the role of an adversary in these exercises, helping to identify exploitable weaknesses in the system. These simulations provide an opportunity to refine the response plan and ensure all parties understand their roles and responsibilities.
A ransomware attack can have significant legal ramifications for a company. Breach notification requirements, disclosure to federal regulators, and litigation resulting from privacy law breaches are all potential outcomes. Companies may also face litigation regarding business continuity due to cyberattacks, as demonstrated by the ongoing litigation against Colonial Pipeline from gas station owners.
The Securities and Exchange Commission is closely monitoring whether companies disclose cyber incidents in a timely and accurate manner. The Department of Justice is also adding timely disclosure requirements for federal contractors.
The California Consumer Privacy Act (CCPA) allows up to $750 in statutory damages for every record that is part of a cyberattack. With more than 170 class action suits currently underway for data breaches under the CCPA, it is essential for businesses to have processes in place for handling negotiations with threat actors and managing the legal and public relations fallout from an attack.
It is crucial for companies to understand how quickly they can get back to business with their backup locations. The backup files may not immediately allow a company to resume normal operations after a ransomware incident, according to Leipzig. Companies should, therefore, focus on restoring critical operations first and then gradually bring the rest of their systems back online.
Colonial Pipeline, a victim of a recent ransomware attack, worked around the clock to safely restart its pipeline system following the cyberattack against the company. However, the company could not comment on pending litigation. The massive T-Mobile data breach, which impacted more than 54 million customers, is expected to fall under the CCPA, underscoring the importance of robust cybersecurity measures.
In conclusion, the establishment of a ransomware war room is an essential step for companies seeking to mitigate the risks and consequences of a ransomware attack. By aligning internal and external resources, conducting tabletop exercises, and having processes in place for handling negotiations and legal fallout, businesses can better protect themselves in the face of this growing threat.
