Spending money you hadn’t budgeted to hire experts to clean up an unexpected mess is at the bottom of every manager’s wish list, but in the case of a cyber attack as damaging as ransomware, turning incident response over to a pro may be the best thing you can do.
Let’s examine five key reasons to pay an expert to help recover from ransomware:
Sometimes organizations enter into contractual agreements that specifically determine how they need to respond to a ransomware incident. These types of contracts can be made with key customers that require a response to be documented in a certain fashion or handled by vendors certified to perform forensics.
Cyber insurance companies used to simply provide lists of potential vendors approved by the insurer, but with the rising costs of breaches, insurers need to control costs. Some policies now require a victim to contact the insurance company first so that the insurance company can manage the incident exclusively through its vendors.
Law firms will want similar control if they help manage an incident. Lawyers will want the services performed by certified experts, in a manner consistent with the rules of evidence, and by personnel that might also provide testimony in future litigation over the incident.
Downtime in a hospital emergency room is measured in human lives. While we don’t all save lives as part of our business, many organizations will be strongly motivated to recover quickly from an attack.
We can easily imagine the issues in healthcare, and the Colonial Pipeline attack helped inform us about the dangers ransomware poses to critical infrastructure. When an organization’s mission is critical, it usually needs to do whatever it can to return to full operational capacity.
It may be more difficult to picture financial loss, but many companies should create a measure of the cost per hour for downtime. For example, a stock trading company, a produce logistics company, and a telemarketing company can consider their average revenue and the cost to their business should it be inoperable for an hour, a day, or even several weeks – and at what point the business’s survival might be threatened. Those costs can help determine the budget available for incident response and what level of an attack would merit outsourcing.
Lack of Expertise
Many organizations lack sufficient expertise to deal with complex attacks. Even for organizations that may have in-house experts, the scale of the attack may overwhelm their team and require the organization to outsource large portions of the incident response or recovery process to others.
ISACA’s State of Cybersecurity 2021 report noted that 55% of respondents cannot fill all of their open cybersecurity positions. Most companies cannot afford the time to train cybersecurity experts, so experts tend to gravitate toward service providers where they can deploy their expertise constantly in a variety of environments. This trend pushes the talent towards service providers and leaves other organizations without sufficient internal personnel resources to deal with attacks of any complexity or scale.
If we assign our internal IT team to perform incident response for a ransomware attack and they mess up, we are fully exposed to potential consequences. If the attack spreads to vendors and customers connected to our network, they may be able to sue us to recover their costs and damages. Additionally, if we perform recovery efforts without employees certified in forensics or with sufficient IT credentials, an opposing attorney may be able to make a claim of negligence.
By hiring outsourced experts, we can make sure they have the certifications to make our legal counsel happy. We can also hold them accountable for any mistakes they make and push some of the potential liability in their direction.
Speaking of liability, if someone on your team might have intentionally, accidentally, or negligently caused the attack, you will want to assign responsibility appropriately and be able to gather evidence for potential legal action.
Assigning incident response and recovery to anyone who might have played a role in an attack, even accidentally, might create a temptation to tamper with the evidence. An external third-party vendor can provide an unbiased assessment of the cause of the problem and provide forensic expertise to gather the appropriate evidence.
For this scenario, the definition of team may be quite broad. It could apply to contractors, a managed service provider (MSP), a managed security service provider (MSSP), an email vendor, the main internal IT team, or a subgroup of an IT team at a branch office.
The Bottom Line
The bottom line in this case is just that: your bottom line. Your company’s survival may depend on how quickly you can get your business back up and running after a ransomware attack. It’s a difficult thing to recover from, and it’s probably best turned over to people with experience. A quick cleanup could wind up saving you money.