5 questions to ask when creating a ransomware recovery plan
These 'five W's of ransomware' will help organizations ask the right questions when creating a ransomware-specific disaster recovery plan.
Once a rare occurrence, ransomware affects every industry and nation today. It's not an if but when -- and when again -- an organization will be hit.
What should organizations do to protect their business and operations from the threat of data loss, downtime and reputational damage due to ransomware? This is especially critical to ask, given the fact only 8% of organizations get back all their data after paying a ransom.
Companies need extensive plans to successfully protect themselves from ransomware attacks. Ransomware demands a similar response as disaster recovery (DR) and should be treated as a disastrous event.
Use these "five W's of ransomware" to create your recovery plan.
1. Who is going to execute recovery?
All hands on deck are needed after a ransomware attack. Employees are often busy dealing with impact assessments, damage control, communications and other activities related to the fallout -- leaving no one available to execute a recovery plan. Be sure to plan for this step and have key players in place to do so.
2. What is being recovered?
All data is important, yes. But not all data is the most important data. Prioritized data sets should already be saved to a DR runbook. Use it. Deciding what data is most important and urgent to recover will determine your organization's ability to operate. It's imperative to execute recovery according to set priorities.
3. When is it being recovered?
When is data being recovered? As soon as possible would be ideal. However, this question is about from when in time data is recovered. In DR planning, this is often referred to as RPO, or recovery point objective. Since ransomware strikes and freezes data at a particular point in time, it's critical to recover data from before the ransomware attack. If data is restored prior to the ransomware being injected, you're golden. If not, prepare to remobilize and go through the entire fire drill again. This leaves teams with two options: recover further back in time or keep trying to find the most recent copy of data sets.
4. Where is the data infected?
In most ransomware attack cases, the production environment becomes a crime scene. It's important to have a separate, noninfected environment to recover clean data sets -- for example, a hosted environment in a DR-as-a-service partner's data center, or a hyperscale cloud provider such as AWS or Azure. The ability to rapidly mobilize in this environment could be the difference in keeping your organization alive.
Ransomware can cause failures across technology stacks: infrastructure, communication, data, people and processes. All these scenarios demand contingency planning; doing this after an attack is too late. Most organizations are accountable for security compliance standards and, post-attack, are required to provide evidence, perform forensics, administer security evaluations and answer regulators' questions. Even if you have recovered operations according to your DR plan, your production environment -- the crime scene -- may not be available for some time. Are you confident your DR environment is capable of handling production traffic for an indeterminate period?
5. Why are you recovering?
Creating a recovery plan requires communication across your entire organization and the formation of service-level agreements between technology teams and stakeholders. Identify which disasters are most likely to occur and the impact such a disaster would have on business operations. Once you know what to plan for, strategize your business continuity plan.
Strategizing your journey forward
For every investment in the resiliency strategy of your business, you're also making an investment in the organization's future and employees' livelihoods.
Make resiliency planning a business imperative to get greater investment from your organization's leadership and the conversations will help identify your organization's most valued assets.
About the author
Dustin Milberg is a seasoned enterprise technology executive and current field CTO of cloud services at InterVision Systems LLC, a leading IT strategic service provider and Premier Consulting Partner in the AWS Partner Network. In this role, Milberg helps customers adopt a holistic approach to developing and delivering sustainable platforms while enabling technology organizations to optimize operations such as security, people, process, infrastructure, development and quality.
How to remove ransomware, step by step
How to create a ransomware incident response plan
Prepare and conduct a ransomware tabletop exercise