CTO & VP of Strategy
Interested in comparing your ability to respond to cyber incidents to other nonprofits?
This blog provides details of the results from a crowdsourced tabletop exercise led by our Strategic Advisory team. We asked nonprofits from around the globe questions about how they’d handle a ransomware incident. We then analyzed their responses.
Here, you’ll find poll results and discussion about the good, the bad, and the gaps.
Why are we sharing this data? In many nonprofits, incident response plans either don’t exist, are lacking, or don’t often get stress tested—in spite of the fact that the Ponemon Institute found that lost business costs due to data breaches averaged $1.42 million in 2022.
This article also gives some insights into how a tabletop exercise works. Read on if you’re curious about how your cyber incident response measures up.
We posed the first question to replicate an all-too-familiar incident.
“At 4:30pm on the Friday of a holiday weekend, the service desk receives several calls with users reporting that they have a skull and crossbones message mentioning bitcoin on their screens. System access is disrupted for all employees, including the phone system. The attacker’s instructions include a $1 million ransom demand for the decryption tool. They have given you 48 hours to pay before the data on your systems is destroyed.”
In this case, tools matter. That’s why 84% of participants with a Security Information Event Management (SIEM) and User and Entity Behavior Analysis (UEBA) tool believe they’d have a chance of detecting the incident.
But 48% (16+32) of respondents are right not to be too sure.
Why?
Unless alerts and automated remediations are in place to shut down the first signs of compromise (for example, privilege escalation) without waiting for human intervention, encryption may be applied swiftly and silently.
It’s a safer approach to assume breach and be prepared to recover.
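The point above, that detection only buys time if something acts on the alert automatically, is shown below in a small added example (this is illustrative code written for this post, not eGroup tooling or any vendor's SIEM rule). It replays a constructed endpoint log, raises an alert when an account is added to an administrative group, and isolates a host once a burst of suspicious file renames follows. The log format, the event names, the `.locked`-style extensions and the `isolate_host()` hook are all assumptions; in production the hook would call your EDR or NAC API.

```python
"""Toy automated-response pipeline for the early signs of ransomware.
Added illustration, not eGroup code.  Watches a stream of endpoint
events, alerts on privilege escalation, and isolates a host when a burst
of suspicious renames follows, without waiting for an analyst."""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): timestamp | host | user | event attrs
SAMPLE_LOG = r"""
2024-05-24T16:25:10 | FS01 | jdoe | file_write path=C:\Reports\Q1.xlsx
2024-05-24T16:26:02 | FS01 | jdoe | group_add group=Administrators member=jdoe
2024-05-24T16:26:40 | FS01 | jdoe | file_rename new=C:\Reports\Q1.xlsx.locked
2024-05-24T16:26:41 | FS01 | jdoe | file_rename new=C:\Reports\Q2.xlsx.locked
2024-05-24T16:26:42 | FS01 | jdoe | file_rename new=C:\Reports\Q3.xlsx.locked
2024-05-24T16:27:05 | WS07 | asmith | file_rename new=C:\Users\asmith\draft.docx
2024-05-24T16:27:30 | WS07 | asmith | file_rename new=C:\Users\asmith\a.pdf.locked
2024-05-24T16:27:31 | WS07 | asmith | file_rename new=C:\Users\asmith\b.pdf.locked
"""

SUSPICIOUS_EXT = {".locked", ".encrypted", ".crypt"}   # assumed watch-list
ADMIN_GROUPS = {"Administrators", "Domain Admins"}
WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 10            # renames per window on a host with no prior warning
BURST_THRESHOLD_ESCALATED = 3   # far lower once the host has shown privilege escalation

LINE_RE = re.compile(r"^(\S+) \| (\S+) \| (\S+) \| (\w+)(.*)$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for blank/unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, event, rest = m.groups()
    attrs = dict(re.findall(r"(\w+)=(\S+)", rest))
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "event": event, **attrs}


class Responder:
    def __init__(self):
        self.escalated = {}                 # host -> time privilege escalation was seen
        self.renames = defaultdict(deque)   # host -> timestamps of suspicious renames
        self.isolated = set()
        self.actions = []                   # (host, reason) audit trail

    def isolate_host(self, host: str, reason: str) -> None:
        """Hypothetical hook: in production this calls the EDR/NAC isolate API."""
        if host in self.isolated:
            return
        self.isolated.add(host)
        self.actions.append((host, f"isolate: {reason}"))

    def handle(self, ev: dict) -> None:
        host = ev["host"]
        if ev["event"] == "group_add" and ev.get("group") in ADMIN_GROUPS:
            # Escalation alone is alerted on; it also lowers the burst threshold.
            self.escalated[host] = ev["ts"]
            self.actions.append((host, f"alert: {ev.get('member')} added to {ev['group']}"))
        elif ev["event"] == "file_rename":
            ext = os.path.splitext(ev.get("new", ""))[1].lower()
            if ext not in SUSPICIOUS_EXT:
                return
            q = self.renames[host]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:   # keep only the sliding window
                q.popleft()
            threshold = BURST_THRESHOLD_ESCALATED if host in self.escalated else BURST_THRESHOLD
            if len(q) >= threshold:
                self.isolate_host(host, f"{len(q)} suspicious renames within {WINDOW.seconds}s")


def run(log_text: str) -> Responder:
    """Replay a log and return the responder with its actions and isolated hosts."""
    r = Responder()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            r.handle(ev)
    return r


if __name__ == "__main__":
    for host, reason in run(SAMPLE_LOG).actions:
        print(host, reason)
```

Note what the sample shows: FS01 is isolated after three renames because the escalation lowered its threshold, while WS07's two renames stay below the unescalated threshold and it is never isolated. Thresholds like these are always a tuning trade-off, which is exactly why the post's advice to assume breach and be ready to recover still applies even with automation in place.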
Once responders were aware of an issue, they said they would respond in the following way:
Those that would disconnect the affected devices right away would be wise to get approval in advance from business leadership before isolating a critical system. That’s a key aspect of the most common answer, e.
Tabletop leaders would then ask some logical follow-up questions about the expected process.
The questions posed by the tabletop leader can (and should) become harder. They should weave between people, process, and technology/tools. All parts of the incident response should be covered, including business impacts, stakeholder communication, and potentially restoration (to a known-good version). That led us to question 4.
B (segmenting the network) is easier said than done, so in a real tabletop, the next questions would include, “Who,” “How,” and “With whose authorization?”
E is an excellent answer, but a breach coach won’t engage quickly without a preexisting incident response contract.
Solid answer!
In an actual tabletop exercise, the next step would again be to ask exactly who would reinstate the systems and how, but just as importantly, when. Business leaders will want to reinstate service as soon as possible, but it’s critical for the incident response team to ensure that the intruder is no longer in the environment (and that the backups themselves are not affected).
The importance of ensuring that backups are not compromised and testing them regularly cannot be overstated. It’s the best insurance policy.
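As an added illustration of the two points above (backups that cannot be trusted until checked, and recovery that is rehearsed rather than assumed), the example below is written for this post and is not eGroup tooling. It records a SHA-256 manifest when a backup set is taken, verifies the set against that manifest, and runs a restore drill into a scratch directory. The directory layout, the manifest format and the simulated tampering are all constructed; the one design assumption worth copying is that the manifest lives somewhere the backup server cannot rewrite (offline media or an immutable bucket), otherwise an intruder who reaches the backup can rewrite the checksums along with the data.

```python
"""Backup integrity check and restore drill.  Added example for this post,
not eGroup tooling.  The trusted manifest is assumed to be kept offline or
in immutable storage, separate from the backup it describes."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Relative path -> SHA-256 for every file in the backup set."""
    return {p.relative_to(backup_dir).as_posix(): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup on disk with the trusted manifest.
    Modified files suggest in-place encryption or tampering, missing files
    suggest renames or deletion, unexpected files suggest dropped notes or
    encrypted copies."""
    current = build_manifest(backup_dir)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def restore_drill(backup_dir: Path, manifest: dict) -> bool:
    """Restore into a scratch directory and verify the restored copy, so the
    restore path itself is exercised and not just the backup job."""
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restore"
        shutil.copytree(backup_dir, target)
        findings = verify_backup(target, manifest)
        return not any(findings.values())


def demo() -> dict:
    """Build a constructed backup set, verify it, drill a restore, then simulate
    ransomware reaching the backup share and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "report.txt").write_text("Q1 donor report (constructed sample)\n")
        (backup / "db.sql").write_text("INSERT INTO donors VALUES (1, 'sample');\n")

        manifest = build_manifest(backup)
        manifest_path = Path(tmp) / "manifest.json"     # stands in for the offline copy
        manifest_path.write_text(json.dumps(manifest, indent=2))

        clean = verify_backup(backup, manifest)
        drill_ok = restore_drill(backup, manifest)

        # Simulated compromise of the backup share (constructed, not real malware
        # behaviour): one file overwritten and renamed, one edited, a note dropped.
        victim = backup / "docs" / "report.txt"
        victim.write_bytes(b"\x00constructed-garbage")
        victim.rename(backup / "docs" / "report.txt.locked")
        (backup / "db.sql").write_text("tampered\n")
        (backup / "README_RESTORE.txt").write_text("constructed ransom note\n")

        trusted = json.loads(manifest_path.read_text())  # re-read the offline manifest
        tampered = verify_backup(backup, trusted)
        return {"clean": clean, "drill_ok": drill_ok, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule, the clean result is the boring one you want every week; the tampered result is what turns "we have backups" into "we have backups we can prove are intact and have restored from".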
The answers were interesting in that as many respondents are prepared to pay the ransom as would never pay it. In either case, cyber insurance providers will expect you to open a claim before paying a ransom (and they will not pay with their own bitcoin).
No matter how the previous questions have gone, our final question for any incident is to see how repeatable and rapid the response would be.
Props go to the 43% of participants that take ransomware seriously enough to document a playbook! Even more applause to the 12% who have tested the recovery!
More than we’d like to admit, we hear that incident responders store their plans “in their heads.” They’re not in a binder or offline soft copy. They’re neither known nor accessible by their peers or successors. We trust that those folks now have some proof to management that investing time and resources in such efforts is necessary.
For those well-prepared organizations, a good tabletop coordinator would typically inject a curveball, an unforeseen and potentially bizarre situation. In this case, had our collective audience passed the previous tests, we’d ask, “Question 1.8. The ransomware compromise is publicized on Facebook by an employee who brags that they’ve gotten the day off due to the computers being down. What’s next?”
At the end of each scenario, it helps to ask all participants to share their thoughts. Some of our respondents obliged when we asked the crowd. Assembled in a word cloud are their responses.
I’d like to point out one comment, “Lots of work.” While yes, that is what makes an optimal response possible, starting with incremental improvements (especially backups and restoration processes) is always an option. Perfect shouldn’t be the enemy of good.
FEMA, NIST, CISA, and the White House are imploring organizations to practice their response to ransomware. Some cyber insurance carriers are starting to require it.
The media and legal communities love to highlight those that don’t.
It’s impossible to overstate the importance of practicing and adapting to different scenarios in disaster response. Here are some takeaways.
Dos and Don’ts:
– Do practice and identify gaps in your response plan.
– Do communicate effectively with your teammates.
– Do share your thoughts and lessons learned after each tabletop scenario.
– Don’t let perfect be the enemy of good. Get started in some way today!
– Don’t rely solely on documentation or protocols. Teamwork and practice are key.
– Don’t ignore the feedback from the line of business participants. They own this too!
If you find yourself without the time or authority to execute an internal tabletop exercise or make progress closing your gaps, our Strategic Advisory team is at your disposal. Contact us at info@eGroup-us.com or complete the form below.
Last updated on November 6th, 2024 at 05:12 pm