The rise of ransomware

Ransomware is on the rise. A recent article in InfoSecurity claims attacks increased by an astonishing 485% in 2020 compared to 2019, demonstrating how cybercriminals have capitalised on the pandemic for their own financial gain.

And attacks aren’t just becoming more frequent: criminals are becoming more sophisticated and ruthless in their approach, often targeting higher value and ‘weaker’ targets to gain larger financial rewards.

The news agenda has become littered with stories of high-profile ransomware victims as a result. For example, just two weeks ago Ireland’s healthcare system was hit by a “catastrophic” attack which forced IT systems to be shut down and substantial numbers of appointments to be cancelled.

The importance of preparation

No business is completely immune to a cyber incident, and ransomware attacks can be particularly devastating. An organisation’s IT systems may be taken down and, in some cases, data may never be recovered.

If recovery is possible, it can take several weeks, but corporate reputation and brand value could take a lot longer to recover. It’s therefore crucial that organisations plan for an attack, even if they think it is unlikely.

Crisis communication plan

A key part of this involves creating a ransomware crisis communication plan, so that the business isn’t scrambling to piece together an appropriate message for customers and stakeholders while decision makers are in crisis mode.

This involves identifying who needs to be informed of a cybersecurity incident – a list which should include employees, customers, legal counsel, and other major stakeholders.

Businesses should, if possible, designate a single spokesperson for any crisis communication as this will help to control the messaging. Decisions should be made in advance regarding exactly how messages will be communicated to customers and stakeholders.

Having crisis communication templates ready for different scenarios will also help to save time and avoid incoherent communication in the event of an incident. Bespoke messaging should be developed that is appropriate for each communication platform e.g. press, email, website, and social media.

The good and the bad

When it comes to the actual communication, businesses should use simple, actionable language and provide enough details to initiate the correct response.  A particularly strong example is the Scottish Environment Protection Agency, which issued clear and regular communications as it worked to rebuild many systems from scratch after refusing to pay a ransom.

These have been issued via a dedicated site launched by SEPA after the Dec. 24, 2020, attack. The agency has continued to issue regular updates as well as hold weekly briefings for its staff of 1,200 and its crisis comms has earned plaudits for being clear and forthright about what happened, whilst being appropriate within the confines of the incident remaining an active police investigation.

On the flip side, the crisis communications response to the recent Colonial Pipeline cyberattack has been criticised across the industry for being sluggish and unclear. For example, the New York Times described the Colonial Pipeline’s first communication as a “vaguely worded statement.”

This again serves as a reminder that proactively agreeing on core messages and getting these pre-approved ahead of time will help to avoid ambiguous responses.

There will always be another ransomware crisis akin to Colonial Pipeline on the horizon. So, it’s up to businesses to ensure they’re ready to react quickly by maintaining an updated, thoughtful crisis communications plan in case they’re unlucky enough to be the victim.