
The Importance of Incident Response Plans for Organizations

By: Tom Skoog, Cybersecurity & Data Management Practice Leader

Over the years, we have highlighted several steps businesses and nonprofits can take to reduce the risk of a cyberattack. Most of the initiatives previously discussed are designed to prevent or significantly reduce the chance that your organization becomes a victim of a cyberattack.

However, no one can completely secure their network or reduce the risk of successful cyberattacks to zero. As such, businesses should also discuss how they would respond in the event they were impacted by an attack (either a ransomware attack that locks up your systems or a theft of data, or both). These considerations are known as Incident Response Plans. The purpose of incident response planning is to make as many decisions as possible while you are levelheaded and not responding during a stressful situation.

This article is the first in a series that examines the elements organizations should consider in developing their incident response plans. In this article, we will look at the initial questions that need to be answered to create your incident response plan for a ransomware attack.

The National Institute of Standards and Technology (NIST) has developed a framework that all incident response plans should consider, including:

Most organizations do not have the staff and experience to implement the entire framework into an incident response plan. All organizations are at risk, but small and medium-sized organizations are targeted more with ransomware because they are perceived to not be ready or have a plan in place. This is simply a guideline to follow when considering the development of that plan. First, let’s focus on preparation.

Ransomware Incident Response Plan – Preparation

The first question to answer after a widespread ransomware attack is: Are we going to pay the ransom or are we going to attempt to restore our systems from our backups? In this scenario, we will assume all systems (servers, PCs) have been locked.

Most organizations will indicate they plan on NOT paying the ransom and plan to restore their systems from backups. However, this simple decision raises a series of additional questions, including but not limited to:

  • How long will it take to restore from backups and is that time an acceptable “downtime”?
  • Are the backups restorable? Are we confident that the ransomware virus that infected and locked the primary systems has not also infected the backups? Are you simply re-installing the ransomware from your backups?
  • Do we know how to restore from backups? Have we tested our ability to restore?
  • If you are restoring from backups, have you prioritized which system needs to be restored before any others?
  • Backups are based on a “point-in-time” of when the backups were taken, usually overnight. Are you able to lose potentially up to one day’s worth of data that did not get backed up before the ransomware attack?

For those that elect to pay the ransom because they want to get back in business immediately, there are several other questions that need to be asked, including but not limited to:

  • How much are they asking for in ransom and is this amount less than what it would cost to recover from backups? This raises moral considerations and could affect the organization’s reputation with customers, investors, or donors if you give in to paying cybercriminals.
  • Are you familiar with the bad actors requesting this ransom? What is their reputation for honoring ransom payments by providing the keys to unlock your systems? Or are they going to continue to exploit you after the initial payment?
  • The bad guys will expect to be paid in a cryptocurrency, such as Bitcoin. Do you know how to obtain Bitcoin or some other cryptocurrency? Do you know how to transmit the amount?

Most organizations, including even large for-profit organizations, do not have the experience to answer the last three questions. That’s why it’s important to engage your cyber insurance carrier immediately following a ransomware attack. They will connect you with the appropriate legal counsel and cyber forensic firm who have significant experience dealing with ransomware responses, including when the ransom is going to be paid.

These are the types of questions that can get you started on the development of your incident response plan. These questions should be answered proactively so the plan is well thought out and considers risk from multiple angles.

The next article in the series will discuss additional considerations for the preparation stage of your plan and begin examining the Detect and Analyze phase of the framework.

If you would like to discuss incident response planning in more detail, reach out to Tom Skoog, Cybersecurity and Data Management Practice Leader at tskoog@blueandco.com.
