The age of ransomware 

By now, many businesses have likely heard about – or even experienced – the devastating effects of a ransomware attack.

Unlike other forms of cyberattacks, ransomware is a particularly pernicious form of malware that locks users out of their IT systems until a ‘ransom’ is paid to the attacker. It is also one of the fastest-growing types of cybercrime in Canada, accounting for nearly a quarter of all cyber claims by small businesses last year.

While any successful cyberattack entails business continuity risks, ransomware generates major challenges, as it curbs access to key platforms and resources like customer databases, resource planning tools, electronic record management systems, email and digital address books, proprietary software and business analytics tools. It can also compromise intellectual property, personally identifiable information, and the effectiveness of emergency management programs – raising serious questions regarding the company’s competitiveness, governance and, ultimately, its longevity.

So not only can ransomware trigger serious legal and financial impacts, it also carries substantial reputational risk for organizations that do not demonstrate transparency, accountability, and competency when responding to a ransomware incident.  

Communications during a ransomware attack

While cybercriminals typically hold up their end of the arrangement, paying the ransom only perpetuates the problem and promotes the proliferation of attacks. There’s also the chance that data will be corrupted during the decryption process, and restoring from backups is a resource- and time-intensive process. This means that – regardless of whether an organization pays the ransom – business operations can effectively be brought to a grinding halt for days or weeks on end.

As with any business disruption event, communicating with key stakeholders – whether customers, employees, or business partners – is essential to maintaining trust and protecting an organization’s reputation. But the reality is that, during a ransomware attack, an organization may not have access to its traditional suite of tools, platforms, and resources to support standard communications. 

So, how can an organization properly engage with key stakeholders when its communications capabilities are severely restricted? 

When entire IT systems are knocked offline, especially for an extended period of time, organizations must navigate stark operational realities with creative solutions. Based on experience counselling numerous clients through ransomware attacks, there are several practical solutions to consider:

  • E-mail. For many businesses, losing email means losing the primary form of communication with clients and employees. It also presents a serious challenge when coordinating the incident response. As an alternative, organizations can use third-party marketing platforms, like Mailchimp, to distribute mass messages to external stakeholders while using secure group messaging apps, like WhatsApp, for internal coordination purposes (note: legal counsel should be included in any group text messages to best extend attorney-client privilege to those conversations). An organization’s website, which is almost always hosted externally, and its social media channels also become key channels for pushing out updates to external stakeholders.
  • Intranet. Without access to a corporate intranet, organizations face a serious challenge communicating with one of their most important audiences – employees. In these cases, offline forums like town halls and conference calls, supported by messaging distributed to line managers, become essential. Larger organizations may also be able to use text message-based emergency management systems to communicate key operational updates to a dispersed workforce.
  • Servers. During a ransomware attack, the resources required to inform communications are often unavailable. For example, without access to email servers or CRM systems, teams often do not have the necessary contact details for stakeholders. They may also lose access to critical documents saved on internal servers. There are no easy solutions to these types of challenges, which need to be factored into a communication response plan.
  • Phones. For organizations using VoIP technology, phone lines can also be rendered inoperable by a ransomware attack. In these cases, cellphones provide an easy solution, but personnel must remember to redirect incoming calls to mobile devices by reconfiguring their phone systems and/or adjusting away messages.

Hope for the best, plan for the worst 

While these tactical solutions can help mitigate impacts, ultimately, the organizations that communicate most effectively during a ransomware attack – and best maintain the trust of key stakeholders – are those that have already contemplated, planned, and identified contingency measures for these types of scenarios.

Nothing instills greater confidence in an organization than being able to convey it is handling an incident transparently, competently, and efficiently. Conversely, nothing does greater damage to a company’s reputation than being perceived as opaque, in disarray, and unprepared when responding to a crisis.

Ari Indyk is Vice President, Crisis & Risk, at Edelman Vancouver, where he leads the company’s Data Security & Privacy Practice Group in Western Canada.