Guest Column | November 1, 2021

Preparing Clients For A Ransomware Attack

By Angel R. Rojas, Jr., DataCorps Technology Solutions, Inc. and ASCII Group member


Spend any length of time reading the news and you can’t help but notice that at least one new, successful ransomware attack is announced every day. No one wants to succumb to one, so this constant attention helps you communicate to clients the importance of being prepared. When communicating about these attacks, keep it educational and informational, because if you sound like a gimmicky or trite salesperson, you will not earn the privilege of having the protection and preparedness conversation. Also, be sensitive to the fact that using disasters and negative news to sell products and services can come off as disingenuous.

How can we use the news to help clients prepare for a ransomware attack?

The approach I have found works best is the Socratic Method. This is a form of dialogue between individuals that involves asking and answering questions to stimulate critical thinking. The approach succeeds because it results in more ownership of the solution to an issue, since the response is developed cooperatively.

Let’s look at some questions that can guide the conversation and prompt some constructive dialogue:

  1. Who is in your incident response team? Knowing who needs to be called and when is critical.
  2. What is the incident response plan? What will you do first, second, third, etc.? When do you call insurance, attorneys, etc.? When and how do you tell clients? Who speaks to the press/media?
  3. What needs to be protected and how quickly do you need it back? We can frame the types of backups and the restore strategy based on the dialogue behind this question.
  4. How will you operate if incident investigators request to preserve/isolate your systems? In the case that a forensics investigation is requested/required, spare equipment may become necessary. Is there a plan or insurance for this?
  5. How will you communicate during an attack? During a ransomware attack, email may be compromised. This means alternative means of communication will become necessary. What will these means be and how will the incident response team know to use them?
  6. How will you mitigate the attack? Is data release a possibility? What’s the damage? The timely answer to these questions will help determine the severity of the attack and what items in the incident response plan are triggered.

This is by no means an exhaustive list of questions. In fact, as you have conversations, other questions may arise, and it is important to address them all.

Kicking off the conversation can be as simple as sending an email posing some or all of those questions. Sending a frequent email with updates about the current threat landscape and asking the questions in the closing of the email keeps you top of mind, provides valuable and timely information, and sets you up as a knowledgeable resource that serves as a refreshing contrast to the doom and gloom they encounter in the news daily. Repetition and consistency are the keys to being noticed!

To enhance this dialogue, I encourage clients to contact me for a personal, one-on-one appointment to address specific concerns. Make it easy to schedule by using an online scheduling tool, and keep it to a 15- to 30-minute time window so they are not overwhelmed by a large time commitment.

The dialogue that occurs in this process should also not be the only one – it should be a part of an iterative process. This ensures that as the business grows and changes, the incident response also adapts to these changes. Nothing can be more frustrating than being in the middle of an emergency working from an outdated plan with bad phone numbers, former employees in key positions, and a list of servers that were recently replaced. Be sure to update this plan as the organization changes!

About The Author

Angel R. Rojas, Jr. is President & CEO of DataCorps Technology Solutions, Inc. and has been a member of The ASCII Group since 2017.