Building your Ransomware Playbook

January 24, 2023 // by Bryan Strawser

Reading about the latest ransomware hack feels a lot like watching a bicyclist hurtle head-first over handlebars into a pile of gravel.

“Oof, that had to hurt.” And, “boy, am I glad that wasn’t me.”

But that’s where the similarity between the two stops.

Because although you can take all the right steps to keep your systems safe, in today’s digital environment, having to deal with a ransomware incident is a “when,” not “if” proposition.  And the stakes are staggering – downtime and lost productivity, recovery costs, legal liabilities, and reputational damage, to name a few.

Businesses big and small, those who are just at the beginning of their business continuity and crisis management journey, and those who have already invested significantly in resiliency all have more questions than they do answers. Like:

  • What kinds of staff, resources, and third parties do we need to have at the table?
  • What tools are we missing?
  • What if paying the ransom is the only good way out of the situation?

Here’s what you need to know if you’re one of them.

Why the Ransomware Threat is Different

Although ransomware is just one of many risks that your crisis management program should address, it’s a particularly complicated threat that stands apart—and demands an equally specific plan—in several ways.

It requires a deep bench of expertise

Many companies make the mistake of focusing solely on the technical aspects of responding to and recovering from a ransomware incident: what systems are affected, how did the perpetrators get in, and how do you recover your systems and get them up and running again?

But managing the technical aspects of a ransomware incident is only a small part of your response: typically less than a third, in our experience. So, while infosec is busy managing the technical piece, you also need an extensive roster of outside experts to manage the rest, including:

  • Communications and reputation management—When millions of healthcare records are exfiltrated by a bad actor, you need to get and stay ahead of the questions.
  • Compliance and reporting obligations, especially if you’re publicly traded and are obligated to report such breaches to regulatory bodies like the SEC
  • Coordinating with government agencies, like DHS and Treasury, to navigate the web of restrictions on paying bribes to a foreign actor
  • Managing the negotiation itself
  • Setting up a payment mechanism for the ransom—Spinning up a $17,000,000 Bitcoin account doesn’t happen overnight

This requires a deep bench of outside help, including counsel, communications consultants, cyber-forensic specialists, and regulatory experts, to name a few. It’s best that these relationships are secured and, ideally, practiced well before you manage an actual incident.

Privilege matters

Cyber-extortion and data breach events expose you to tremendous potential liability. Within the first ten minutes of an event, many decisions at the advice of counsel need to be made on how the situation will be managed to mitigate that liability.

When working with our clients, we usually build the crisis response process to put the incident under attorney-client privilege immediately. We make this a specific step in the crisis management plan and/or ransomware playbook. This includes marking documents as privileged and including counsel in all communications and meetings regarding the incident to ensure the incident remains privileged for as long and as much as possible. It’s a unique aspect of managing a ransomware incident that doesn’t happen in most other threat scenarios but is particularly critical to effectively managing the long-term consequences of a cyber-extortion event.

Your reputation is at stake

Amid any disruption, what you say and when you say it can impact everything from regulatory investigations and consumer claims to whether people decide to continue doing business with your brand, not to mention the trickle-down impacts on shareholder value and your bottom line.

A cyber-extortion event carries an additional set of confounding factors. Bad actors will most likely use the threat of taking the incident public to place pressure on negotiations. They may even leak data despite their demands being met.

While preparing your messaging and communications strategy in advance is important for any type of disruption, it’s especially critical for a ransomware event. When the sensitive healthcare records of thousands, including an inevitable handful of celebrities and political figures, get leaked into the ether, you want to be the one controlling the narrative that unfolds. Not the New York Times, Twitter, or the inadvertent speculation of worried employees. Your messaging around an incident needs to be well thought out and planned in advance for a multitude of high-stakes scenarios. Those plans must be a part of your ransomware playbook.


4 Steps to Ransomware Playbook Readiness

1.   Get an overall crisis management strategy in place (if you don’t already have one)

A ransomware plan is a good first step if you’re just starting your crisis management journey. But it is not meant to be a stand-in for an overarching crisis management strategy. Your ransomware playbook is meant to be just that—a tool to help you navigate the aspects of responding to a ransomware incident and the risks that it presents. Ideally, your organization should have specific playbooks built for the other likely potential disruptions it might face. And these playbooks should be just one small part of an overall crisis management strategy designed to facilitate your organization’s response to a wide range of potential disruptions. That strategy should include things like:

  • Having a process in place to collaborate and communicate during an event
  • Having a plan for managing both long and short-term recovery efforts, and
  • A defined process for capturing lessons learned and improving your preparedness for future disruptions.

At Bryghtpath, we look at preparations for a ransomware threat (and every other threat) through a resiliency lens. Resilience–the capabilities you need to solve big problems, continue operations, and protect your assets and your people in an environment of increasing and confounding disruptions – cannot be achieved in a silo. If you aim to respond effectively to your next ransomware event, your best first step is to get a well-defined and overarching crisis management strategy in place first.

2.   Clearly define roles and responsibilities

One of the first steps to building out an effective crisis management plan is determining roles and responsibilities.

  • Who will manage the overall incident response?
  • Who has the authority to make critical decisions, such as approving ransom payments or specific messaging?
  • Who will deploy that messaging and respond to outside inquiries?

If your organization already has a crisis management program, these roles and responsibilities will already be largely established.  However, because of the complexity and high stakes of a ransomware response, you will likely have a subset of additional players whose roles and responsibilities need to be coordinated, including outside counsel, insurers, PR and crisis communications experts, data breach notification providers, and forensic analysts, among others.

Outside counsel is an excellent example of where this is especially important.  Smaller organizations often expect that outside counsel will step in and run the incident from a legal aspect. However, a larger organization might expect its in-house counsel to maintain ultimate control and decision-making authority, with outside counsel supporting those efforts. If there ever was a “too many cooks in the kitchen” problem that you need to avoid, it’s this one. And making sure you clearly define and exercise roles and responsibilities in advance is an excellent way to do it.  All of these roles and responsibilities should be documented in your crisis management plan and/or ransomware playbook.

3.   Have a process

Every crisis incident should be managed within a crisis management lifecycle that includes the key steps of moving the incident from the initial notification and assessment stages through escalation, incident response, deactivation, recovery, and ultimately debriefing and incorporating lessons learned.

Within each of these lifecycle steps, you should have a process detailed for every function: clear, easy-to-access tactical instructions and guidance on what to do and how to do it. This can include checklists, diagrams, charts, and other clear visuals to help people quickly understand what to do depending on what’s happening. Checklists are also valuable in providing an audit trail in the aftermath of the response.

4.   Prepare your messaging

“There are so many potential scenarios, it’s just not practical or possible to prepare our messaging in advance.”

This is a commonly held belief in many organizations. It’s also one that’s just not true.

Time is typically your most limited resource in responding to a ransomware event. Making your communications plan ahead of time will increase the speed and clarity of your response and ultimately facilitate a better overall ransomware response.

That’s why your communications framework should include messaging tailored to internal and external audiences, including board members, employees, shareholders, clients, local communities, and bad actors. Your framework should also specify which messages to use, when, approval requirements, spokespeople, and the preferred communication channels for each target audience.

If you’re just getting started on your ransomware playbook readiness journey, Bryghtpath can help. And even if you have your crisis management game dialed in, moving from “plan” to “practice” can feel like a big lift. We can help you close the gaps and develop confidence in your capabilities to respond to the next ransomware threat.


About Bryan Strawser

Bryan Strawser is Founder, Principal, and Chief Executive at Bryghtpath LLC, a strategic advisory firm he founded in 2014. He has more than twenty-five years of experience in the areas of business continuity, disaster recovery, crisis management, enterprise risk, intelligence, and crisis communications.

At Bryghtpath, Bryan leads a team of experts that offer strategic counsel and support to the world’s leading brands, public sector agencies, and nonprofit organizations to strategically navigate uncertainty and disruption.


This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
