John Bruggeman, CISSP, is a consulting CISO for CBTS and OnX, both MSPs and MSSPs.
What do you think when you hear the word “ransomware”? Take a minute before you read any further and reflect. Now, shift your focus and think, “Am I prepared for a ransomware attack?”
Was your next thought an action item like, “Did I do my weekly or daily backup?”
Or did the thought of ransomware put you in a bit of a panic? “Oh my. What am I going to do?”
Or are you prepared for this kind of cybersecurity incident, thinking, “OK, time to implement my ransomware playbook.”
If you are like me and have decades of cybersecurity experience, you know that ransomware is a constant threat. Ransomware is like a hard-drive failure in a server or storage array, a power outage at the office or data center, or a localized or system-wide network outage: a disruption you should expect and plan for. I have playbooks for these types of incidents and others, so I'm prepared. It's just what I do.
What I find helpful for people who ask me how to get ready or defend against a ransomware attack—or other kinds of computer-related business disruptions—is to have a plan and practice it.
In cybersecurity, we call these plans incident response (IR) plans. Your IR plan can be detailed or general, but you must have one to get the most out of the rest of your cybersecurity strategy.
Some plans I have helped create are detailed and very specific, with mapped-out steps so anyone on the team can follow the instructions—like a recipe for a good chocolate cake. Others are general and rely on some members of the team knowing what other steps they need to follow if an incident occurs.
How do you create your IR plan?
Creating a plan is not a long or complicated process, but it does take effort and some time.
What you want to plan for is about half a week’s worth of time (so 20 hours), which I usually break into one-hour meetings spread out over three to four weeks. The writing part is straightforward, but you first need to know what your critical business processes, applications and people are. Once you know that, you can start to build out recovery options for those processes, applications and people.
From the first meeting to the final meeting, the process will usually take two to four weeks. At the end, you will have an IR plan.
You have an IR plan; now, practice it.
Mentally fast forward to one month from now when you have developed your organization’s IR plan. The next step is to test the plan. But how do you do that?
Well, before you test it, you should practice it.
No one would send their kid out to play a game of basketball, baseball, soccer, hockey or unicycle hockey without some practice. Picture the first time you picked up a baseball or softball and threw it. Not a pretty picture, is it? Nope, not something you would want shown on the evening news or posted to Instagram. You had to practice, as we all do, to succeed at anything.
You need to do the same thing with your IR plan. But how do you practice?
I recommend a monthly 90-minute meeting to practice your plan with your team. Schedule a meeting time with the IR Team (which should be documented in your IR plan) and put it on everyone’s calendar. Make the meeting a regular day (third Tuesday of the month, fourth Friday of the month or whatever works for your team) and get into a rhythm so that you regularly review the plan and walk through it so everyone is familiar with it.
As you practice the plan, you will refine it, make changes and adjust it. That is natural and expected.
Practice will improve your plan. Your goal is to get better at responding to an incident, whether a ransomware attack or a network outage. You do not need a perfect plan or a perfect practice session. Unless you're in law enforcement or a medical first responder, the goal of practice is resilience: knowing how to recover, and how to recover quickly.
If you commit six months to a game plan like this, you can be ransomware-resilient in less than a year. You might still have an attack, but you will know how to respond to the incident in a calm, reasonable, and effective manner.
Testing your plan is done with a tabletop exercise (TTX). Usually, a TTX is conducted with a trained professional who does more than just walk through your plan. A good TTX is based on a scenario your team has prepared for, but the pro running the TTX will add some "injects," or surprises, to simulate a real incident: typical injects are discovering that the backups were encrypted too, learning that a key team member is unreachable, or fielding a call from a reporter. This kind of test is usually done annually, after your team has had time to practice your IR plan.
The results could save your company millions.
But how does this save millions of dollars?
Take a moment and Google, "Floyd Mayweather $2 million." That picture will give you an idea of what $2 million looks like; it makes the money real. The global average cost of a data breach in 2024, according to IBM's Cost of a Data Breach Report, was $4.88 million. According to my research, the cost of a ransomware attack can be much higher.
One attack on a small biotech company resulted in $12 million in fines and lawsuits. That did not include the cost of recovering from the attack itself—only legal fees. In another case, a Fortune 100 company had a ransomware incident in 2024 that resulted in a cost of an estimated $2.87 billion and counting. That figure does not include the billions in relief they’ve provided to customers.
If you take the time to make, practice and test your IR plan, you'll not only limit the damage of a brutal data breach, but you could save your company millions, or even billions.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.