January 3, 2023

Encountering a ransomware attack can be stressful for any organizational leader. Even the term “ransomware attack” is frightening to the enterprise, and for good reason. In this post, we discuss the steps organizations can take during a ransomware attack to be both responsive and responsible. 

Create a Plan 

As anyone in cybersecurity will affirm, organizations must plan before a crisis happens. Everyone in the enterprise must know what should be done during a ransomware event. This will help the response team act quickly and with intention when tensions are high. 

Among other things, a plan should clarify who is on the response team, what protocols they should activate, and the enterprise’s ransom payment policy. The purpose of the plan is to avoid second-guessing and provide the team with clear action steps.

Train Team Members Not to Panic

It’s easy to panic when stakes are high, especially if the attackers give the enterprise a timeline for paying the ransom. The immediate goal is to minimize the damage, and it’s difficult to focus on the task at hand when team members are not fully present. Train everyone, including leadership, to take a deep breath, calm down, and begin to assess the scenario to properly evaluate what is happening.

Assess the Initial Attack

Assessing the initial attack is a great starting point. Assemble the company-wide response team and begin the process of asking everyone what happened, when, and how. This information enables the organization to formulate a response as well as understand vulnerabilities to mitigate future ransomware attacks. 

Diagnose Problem Areas and Gather Information

Diagnosing problem areas and identifying what’s been affected will help determine the extent of the attack, as well as the root cause. Gathering information helps the enterprise, the team, and the authorities determine how the attack unfolded and how to best move forward. Document everything; various law enforcement agencies, such as the U.S. Secret Service, provide checklists for what information organizations should record. 

Set Up Safeguards to Prevent Further Damage

To minimize damage from the attack, it’s important to contain the threat quickly. This may include steps such as isolating infected devices or network portions as soon as possible, collecting logs before attackers destroy them, and changing passwords.

Report the Attack

Although companies are not required to report the incident to the FBI or the local equivalent, this is a recommended step because it helps law enforcement determine whether the attack is part of a pattern or a one-off. It can also help investigators gather important evidence to assist with their ongoing investigations and possibly prevent future attacks on the reporting organization or others.

Alert Investors and Customers

Enterprises, of course, have internal company policies establishing when to alert investors and customers of any data breaches, cyberattacks, compromised systems, and related cybersecurity incidents. Ensure that team members abide by these company policies to avoid possible litigation or other potential consequences. 

Focus on Prevention

Focusing exclusively on the problems associated with a ransomware attack is the only option in the short term, but to make lasting changes, the organization must focus on strategies for avoiding future issues.

SailPoint offers a variety of solutions that help organizations ensure the right users have the right access at the right times. Let us show you how we enable this for enterprises like yours. 
