What to expect when you’re expecting a ransomware attack
“It’s like when you’re trying to walk through a muddy area or something, you’re going to get dirty at some point,” the Kaseya CISO says.
Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.
What’s the best piece of advice a seasoned cybersecurity professional can give? Cybersecurity is a team sport.
“Take time now to understand how others think, how to relate to others, how to communicate effectively to others,” Jason Manar, CISO at software company Kaseya, told IT Brew. “We are totally reliant on other members throughout the company to implement cybersecurity practices that we are recommending.”
Manar, who was previously with the FBI as a cyber supervisory special agent, said there’s never been more pressure to keep organizations secure. With that in mind, he sat down to discuss the best practices for a ransomware attack.
This interview has been edited for length and clarity.
When we’re thinking about ransomware attacks, we know that some folks might get swept into the moment and chaos. In your experience, how worthwhile is having a good plan for if an incident occurs?
You do not come away unscathed in any kind of cyberattack. It’s like when you’re trying to walk through a muddy area or something, you’re going to get dirty at some point. So, those that usually navigate this the best are those that have planned and have had preparation. The “why” is because they will have…training that they can fall back on. Not every scenario is the same, but they know who to contact. They know who to get inside war rooms. They will know who’s going to be the incident commander, and they already have all this preplanned. In fact, they’ll have cyber insurance.
When you’re talking about resiliency and getting back up on your feet and limiting the impact to the business, that’s what you want. So, you have to be prepared, and you have to go through it, and you have to have buy-in at the top levels. As we say, it’s not a matter of if something happens, it’s when something [happens]. There is going to be an action that you have to take, whether it’s in relation to a ransomware or another actor inside your environment is going to cause you to initiate your incident response plan, which is why it’s so important to prepare.
What is something that you can’t plan for when your organization is experiencing a ransomware attack?
You can’t plan for the unexpected, and there’s always going to be something unexpected.
There was a company that was getting ransomware in real time, they reached out to their [CISO] who was overseas…the CISO had shut off his phone, ceased communication with the company, and tendered his resignation within six hours of the event.
Trying to expect the unexpected just comes back to resiliency, and it comes back to our planning and preparation conversation that we had originally, which is why it’s so important and so critical to understand what your critical systems, your crown tools are, so that you have resilience planned into when something happens. Not necessarily just an incident, but any kind of interruption of services, whether you’re a cloud entity or in a data center, so that you’re prepared and you have an additional plan that you can revert to, so you don’t lose your continuity of…the system that you’re working with.
Which experiences have you had that lead to what, in your opinion, is the most successful way of handling a ransomware incident?
The most successful that I’ve seen are those where everyone understands—when I say everyone, I mean the board, the executive level, all the way down to the individual contributor—understands not only their role, but understands that you are dealing with an event that is constantly evolving and constantly changing. So, understanding that takes preparation, and that’s why these tabletop exercises and communication are so important.
Typically companies that would do really well had regular security briefings, not only at the executive level, but also at the board level.
I can’t tell you how many boards of even Fortune 500 companies…I talked to about cybersecurity, and not only nation-state threats, but just threat actors in general, and providing them an overview of what the landscape looks like. Walking out of there, it was very clear that of at least 95% of the board that I talked to, they didn’t fully understand the risk of the adversary that they were up against, or they believed that their security personnel was overexaggerating the risk.
Whether it’s [an] independent third party come in, whether it’s having a law enforcement agency come in, having someone else come in…that tells that story to the board. Because at the end of the day, while we say boards are driven by metric KPIs, OKRs, etcetera, most boards, they’re interested in what that chief revenue officer says, and then every other metric taken with a grain of salt a lot of times.
I have found that, typically, those that are great storytellers are able to communicate and get across what that level of risk is and what that looks like.