With recent high-profile attacks targeting organizations ranging from healthcare systems to retailers to government services—even IT companies—business leaders and the public alike are learning that ransomware is a threat no one is fully safe from. The breadth of the problem and the rapid tactical changes made by hackers make both preparing for and responding to a ransomware attack a significant challenge, but it’s one every entity with a digital footprint must take up.
Misunderstandings and mistakes, whether before or after a ransomware attack, can leave an organization and those it serves in a difficult, even devastating, position. Below, members of Forbes Technology Council share common mistakes leaders make when preparing for or responding to a ransomware attack. Read on to ensure your team is doing everything possible to be ready for whatever comes.
1. Thinking The Only Vulnerability Is Technology
A lot of managers and executives think that ransomware attacks are only about technology, but that’s not true. Social engineering is still effective, and this method doesn’t need to detect antivirus weaknesses to steal data. Instead, it targets people. Businesses need to provide their employees with training sessions covering all the possible ransomware attacks and the ways to prevent them. – Roman Vrublivskyi, SmartHub
2. Overlooking Legal And Compliance Ramifications
A common mistake is overlooking the legal and compliance ramifications of ransomware attacks. I strongly recommend involving legal counsel in both incident response planning and as soon as an attack is identified. All communications, whether internal or external, should be reviewed and approved by legal counsel and, where possible, protected under attorney-client privilege. – Rolando Torres, Abacode Inc.
3. Failing To Establish And Follow A Strong Risk-Mitigation Process
Like all breaches, ransomware is the beneficiary of vulnerabilities. Vulnerabilities are not just defects—they crop up any time someone fails to follow a risk-mitigation process. If an adversary can critically exploit a vulnerability, it indicates a failure in the AppSec strategy. Strong strategies account for each application’s risk profile and include checks and balances to minimize impact when an attack occurs. – Brittany Greenfield, Wabbi
4. Not Having A Tested Incident Response Plan
A common mistake organizations make in ransomware preparedness is not having a tested incident response plan. Many fail to regularly train their employees on attack responses, leading to confusion and delays when an attack strikes, which can have devastating consequences. Regular drills and clear protocols are essential for effective mitigation. – Erica Dobbs, Dobbs Defense Solutions
5. Insufficiently Backing Up Data
Many organizations fail to sufficiently back up their data. Do that first, then work on other low-cost, high-ROI projects that address the variants of ransomware that are currently in the wild—for example, multifactor authentication on Remote Desktop Protocol. None of this is well-understood in the business world, because the ROI on various initiatives remains unclear to executives. – Padraic O’Reilly, CyberSaint
6. Underfunding Ransomware Defenses
Many organizations make the mistake of underfunding their ransomware defenses. Instead, they should prioritize encrypting backup data in separate locations using unique keys and investing in data management and security tools. These measures ensure data integrity and more confident recovery, turning a potential disaster into a manageable challenge. Being proactive is key in today’s digital landscape. – Rajat Sharma, CWS
7. Failing To Contain Malware Before Starting Data Recovery
When it comes to preparing for or responding to ransomware attacks, organizations encounter several common challenges. Organizations should ensure that the malware is effectively contained before focusing on data recovery, minimizing the potential for further spread. Emphasize secure backup placement, maintain composure and focus on fundamental security practices alongside complex measures. – Karthik T S, Torry Harris Integration Solutions
8. Failing To Pressure-Test Recovery Plans
A common and serious mistake we see is failing to adequately pressure-test recovery plans. While having a cyber-specific recovery plan is crucial, it’s more important to conduct rigorous scenario testing. Organizations should simulate attacks to test critical component recovery, ensuring systems are truly resilient. This proactive approach identifies vulnerabilities and improves preparedness. – Jack Dziak, Recovery Point Systems
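Items 5 and 8 both come down to one question: can you prove a backup restores correctly before you need it? The script below is an added example, not code from Forbes or any of the contributors quoted here. It records a SHA-256 manifest at backup time, then checks a restored tree against that manifest and reports files that are missing, altered (for example encrypted in place) or unexpected. The directory layout, file contents and the "ransom note" are constructed for the drill; plug in your real backup and restore jobs where `shutil.copytree` stands in for them.

```python
"""Backup manifest plus restore verification: a small rehearsal of the
"back up first, then pressure-test recovery" advice. Added example code;
all paths and data below are constructed."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash files in 1 MiB chunks so large backups do not load into RAM


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root -> SHA-256 of its content."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Returns three lists:
      missing - files in the manifest that did not come back
      changed - files whose content differs (corruption, or encrypted in place)
      extra   - files present that were never in the backup (e.g. ransom notes)
    """
    report = {"missing": [], "changed": [], "extra": []}
    present = build_manifest(restored)
    for rel, digest in manifest.items():
        if rel not in present:
            report["missing"].append(rel)
        elif present[rel] != digest:
            report["changed"].append(rel)
    report["extra"] = sorted(set(present) - set(manifest))
    return report


def restore_is_clean(report: dict) -> bool:
    return not any(report.values())


def rehearsal() -> tuple:
    """One end-to-end drill in a temp dir: back up, restore, tamper, verify.

    Returns (report_for_clean_restore, report_after_tampering) so the
    outcome can be asserted on rather than only printed.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "prod"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'ok');\n")
        (src / "config.yaml").write_text("region: constructed-example\n")

        manifest = build_manifest(src)  # taken at backup time; keep a copy off-site

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)  # stands in for the real restore job
        clean = verify_restore(restored, manifest)

        # Simulate what a bad restore looks like: one file overwritten with
        # random bytes (as an encrypted file would be), one deleted, and an
        # unexpected note dropped in. All constructed, inside the temp dir.
        (restored / "db" / "orders.sql").write_bytes(os.urandom(64))
        (restored / "config.yaml").unlink()
        (restored / "README_DECRYPT.txt").write_text("constructed ransom note\n")
        dirty = verify_restore(restored, manifest)
        return clean, dirty


if __name__ == "__main__":
    before, after = rehearsal()
    print("clean restore verified:", restore_is_clean(before))
    print("after tampering:", after)
```

The manifest is only as trustworthy as where it is kept: store it with the off-site copy of the backup, not on the hosts being backed up, so that an attacker who encrypts the source cannot also rewrite the hashes you compare against.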
9. Putting Too Much Faith In Outdated Tools
Organizations tend to put too much stock in tools such as firewalls or perimeter defenses without considering the evolution of the threat landscape. As hackers become more prolific and our tech stacks become more complex, we must be diligent in shifting to a more unified security operations platform, which provides better visibility into the broad IT environment. – Daniel Schiappa, Arctic Wolf
10. Not Having A Plan At All
The biggest mistake is not actually preparing—acting as if the organization had no idea an attack was coming or even possible. “Reacting” needs to be the antithesis of panic, and the prevailing mindset must not be “if,” but “when.” Vigilance must be baked in, and there must be an unfailing commitment to off-site backup. Make a plan, share it with stakeholders and keep it current—but above all, make a plan. – Adam Stern, Infinitely Virtual
11. Waiting To Report A Breach Or Attack
Too many organizations wait to report a breach or ransomware attack. Once a breach is detected, an organization needs to move quickly to determine its extent and figure out a fix. Being transparent about what has occurred and sharing details along the way is what separates organizations that continue to earn the trust of their customers and partners from those that lose it. – Jay Chaudhry, Zscaler
12. Not Leveraging The Full Capabilities Of Current Security Controls
Focus on pre-breach remediation using your current security controls. Most organizations have the right security tools to counter most ransomware attacks—it’s all about leveraging the maximum capabilities of your current security controls. Exposure management for ransomware workflows is common, but responding to the findings is not. – Oren Koren, Veriti Security Inc.
13. Failing To Segment Networks
Many organizations fail to segment their networks. Segmenting can prevent the lateral spread of ransomware across systems and limit damage. Also, it’s essential to enforce strict controls on privileged access, which can prevent extensive network damage if credentials are compromised. – Mani Padisetti, Digital Armour
14. Overlooking The Security Of Critical Devices And Systems
When preparing for a ransomware attack, organizations often focus solely on IT systems, neglecting critical devices such as printers and scanners and document management systems. These devices and systems can be vulnerable if they are not secured. Organizations can secure vulnerable devices by conducting thorough risk assessments, implementing multilayered security measures and educating employees on best practices. – Sam Yoshida, Canon
15. Failing To Implement Lateral Movement Prevention
Most organizations implement security controls to prevent initial ransomware infections but do nothing to prevent the spread of malware once it is inside the environment. Organizations should also implement lateral movement prevention inside the network, using preventative measures such as zero-trust access between internal devices to control lateral movement and minimize attacker reach. – Geoffrey Mattson, Xage Security
16. Not Treating Ransomware As A Malware Problem
The biggest mistake organizations make is not seeing ransomware for what it really is: a malware problem. Bad actors gain information or access through malware infections, which in turn leads to ransomware attacks. To get ahead, organizations need insight into what data of theirs is circulating on the Dark Web from past infections so that they can negate these entry points for ransomware. – Damon Fleury, SpyCloud
17. Failing To Adequately Protect Hypervisors
Organizations often fail to adequately protect their hypervisors. Many ransomware attacks target hypervisors to encrypt virtual machine disks, and companies rely solely on basic protections such as network segmentation to defend these systems. Organizations must use more advanced defense mechanisms, such as multifactor authentication, behavioral detection and virtual patching. – Austin Gadient, Vali Cyber
18. Not Sharing Details Of An Attack With The Security Community
In the wake of a ransomware attack, many organizations’ first instinct is to sweep the incident under the rug. However, giving into this impulse is a major mistake. By not sharing the details of attacks, these organizations are robbing the security community of potentially invaluable threat intelligence—empowering the perpetrators and putting even more organizations at risk. – Eyal Benishti, IRONSCALES
19. Basing Defense Strategies On Detection Rather Than Restoration And Containment
Most organizations base their ransomware strategy on detection, but attacks often spread before incident-response measures can kick in. Instead, ransomware protection should focus on a robust backup and restoration process to quickly bring impacted systems back online, as well as network segmentation, which can mitigate the blast radius of an attack by isolating the spread of malware on the network. – Sameer Malhotra, TrueFort, Inc.
20. Waiting For An Attack To Happen To Begin Strategizing
The most common mistake is waiting until a ransomware attack happens to begin discussing what to do. Get in front of the problem by conducting tabletop exercises around ransomware scenarios, where leaders and crisis teams can ask important questions and build muscle memory for response. The most important factor to discuss is whether or not to pay the ransom—further, you must establish procedures for both options. – Jim Wetekamp, Riskonnect