In May this year, Colonial Pipeline, a large oil pipeline system that supplies a large area of the US, was hit by a ransomware attack, forcing them to shut down all of its pipeline operations. It took five days before it was able to restart its operations, and six days before it was fully back up and running. 

“Imagine shutting down your business for six days,” says Kevin Wong, managing director of FTI Consultants Middle East, on a recent ICAEW webinar. “Imagine the costs, the unfulfilled contracts, the knock-on effect to your business.”

Colonial Pipeline ended up paying its attackers, the Russia-linked cybercriminal group known as DarkSide, around $4m. On top of that, it had to factor in the cost of investigation, remediation and regulatory fines. It lost intellectual property, client data, and share value.

“In the Colonial attack, the bad guys hit them with the double whammy of not only encrypting the data, but stealing some of it and threatening to release it unless they paid the ransom,” says Wong. “We've seen other ransom-type events where the bad guys introduce a third threat of distributed denial of service attacks, which would prevent your web services from working.”

So when the costs of a data breach are so high, how can organisations recover and rebuild quickly, with the minimum possible damage to their bottom line and reputation?

Bring in your back-ups

You should have all of your data backed up somewhere outside of your main system. It’s important to have a solid back-up execution plan to ensure that you can recover your business quickly, explains Patrick Wong, Director, cyber security and privacy, PwC Hong Kong. It’s important to have tested this plan before an attack to make sure it is fully recoverable. 

Secure your baseline

This means shutting down some of the routes that attackers or ransomware will try to infiltrate. For example, a remote desktop client that staff might use. The Microsoft task automation and configuration management program PowerShell is often used by hacker groups, says Patrick Wong. If your organisation uses it, make sure you disable it, and programs like it, quickly. “Disable unneeded services and limit your exposure.” 

Keep a log

It's important to enable logging on your systems, says Patrick Wong. This will help you to conduct an investigation quickly and easily, allowing you to review your systems and improve your defences after a breach. “In a lot of the incidents that we investigate, there are no log trails that we can go in and investigate. So make sure that you have centralised logging, and make sure that your logging coverage is good. That will definitely help, even in the unfortunate event that you have been attacked.” 

Let someone take charge

A lot of panic often follows a successful cyber attack, explains Kevin Wong. Without strong leadership, it can easily devolve into a blame game. You need someone who understands the issue and its impact and is able to communicate effectively with stakeholders. 

“You definitely need to include on your incident response team, general counsel, internal audit, the technical lead, perhaps strategic internal and external communications, external counsel, if necessary.”

Contact your insurers

“If you've got cyber insurance, you will need to contact your insurance provider and they'll probably put you in contact with a loss adjuster,” says Kevin Wong. Your incident response team at this time should be looking to address a number of questions at this time. What's happened? Are the attackers still in the network? If they are, how can you stop them moving across your network? How do you kick them out, and from coming back in again?

“Often ransomware events would require the deployment of an endpoint detection system that should cover all of the network, detect suspicious behavior and files, and isolate machines to stop further infection.”

Should you pay?

While Colonial paid their ransom, it’s not recommended, says Kevin Wong. There’s no guarantee that the attackers won’t be back again in six months. You also need to consider how to convert your cash into Bitcoin or some other crypto currency, as ransomware attackers prefer to be paid in this manner. It’s best not to give into their demands. 

Communicate strategically

You will have to communicate with law enforcement that you have had a data breach, but there are others you will need to reach out to. You need to work out what you are going to tell your clients and your employees. You may have to notify the regulator depending on what data have been captured. Tell them what has happened, what functions you can still perform on your network, and what steps you have taken to mitigate the damage. Is your data being published? 

Review with your team

As a team, sit down, review all aspects of the incident – when it happened, how it happened and the consequences – and investigate what went wrong and what you could have done better. Undertake a thorough investigation into the incident to identify the weaknesses that the attackers exploited. “Understand the attackers movements across the network, you'll then be able to understand what data was at risk of compromise,” says Kevin Wong. “Regulators will often look more favorably on those organizations that took action and properly investigated things after an attack.”