Skip to main content
Marsh logo

Article

3 best practices to prepare for a ransomware attack

The top three ransomware attack vectors are remote desktop protocol (RDP) compromise, software vulnerabilities, and email phishing. Learn key cyber hygiene practices every company should take to mitigate the effects of a ransomware attack via these common attack vectors.
Person's name and title

By Kelly Butler

Cyber Practice Leader, Marsh Specialty

08/23/2022 · 8 minute read

Cyber-attacks remain a top business risk year after year, increasing in frequency, severity, and sophistication. At the top of the cyber-attack list? Ransomware.

As the remote workforce from the pandemic expanded, ransomware attacks increased 148%. Bad actors have discovered a rich environment of unsecured Wi-Fi, vulnerable equipment, and outdated intrusion prevention software. Attacks are not only more frequent, they’re swifter — a new remote desktop protocol (RDP) is discovered just 90 seconds after it is opened to the internet.

Ransomware has become an industry, and every organisation is a potential target. Attacks now routinely disrupt operations for days or weeks; the average downtime in the fourth quarter of 2020 was 21 days. In addition to downtime and remedial expenses, ransomware demands have skyrocketed, with extortion demands increasingly exceeding $10 million.

More than 70% of attacks now also include data exfiltration, which bad actors use as a coercion tactic to entice companies to pay higher ransom demands. Layer in regulatory and compliance considerations, and you’ve got a complex issue to navigate.

Companies with poor cyber hygiene can become low-hanging fruit. Cyber-attackers are constantly evolving their tactics and scanning corporate technology environments to identify companies with poor cyber hygiene, such as lax controls or unpatched software. The increase in attack sophistication shows no signs of slowing.

Organisations that take a robust approach to ransomware preparation can increase their odds of avoiding an attack, recover more quickly, and minimise the impact of an attack. It’s critical for organisations to be prepared well in advance of a potential incident. The bottom line: Planning is everything. Read on for three of the best practices that an organisation can adopt.

1. Best practice: Develop and test incident response plans with ransomware in mind

Preparing for a potential attack

Your organisation should have an effective cyber incident response plan in place that specifically includes ransomware. Unfortunately, many organisations with a plan in place do not update it — or test it — to address new risks. In fact, fewer than 50% of organisations have reviewed or updated their cyber incident response plan in the past year and only 40% planned to invest in cyber incident planning and preparation, according to the 2019 Marsh Microsoft Global Cyber Risk Perception Survey.

Here are some steps you can take immediately to prepare for a potential ransomware attack:

  • Plan and test. Develop or update your existing incident response plan to include ransomware considerations. Once your incident response plan is in place and accounts for ransomware, it is time to put it to the test. Evaluate your incident response plan with a ransomware tabletop exercise. Practicing a hypothetical ransomware scenario is critical for the quality of a real ransomware response.
  • Develop a decision-making framework. Use this to help analyse whether you can restore data and systems on your own and whether it makes sense to pay an extortion demand. The framework should include criteria to analyse specific circumstances, including the criticality of impacted data and systems, the length of time your organisation can operate without critical data and systems, and the cost and length of time for your organisation to restore the impacted data/ systems on your own and/or with external support. Engaging external counsel to help develop and review the framework is recommended.
  • Establish ransom payment criteria. When developing ransom payment criteria, include the amount of the initial extortion demand, the threat actor’s track record of negotiating the initial demand downward, the threat actor’s history of providing working decryption code upon payment of the ransom, and an estimate of the length of time it will take to restore data and systems using the decryption code. Include criteria in the framework to assess circumstances where the threat actor demands payment in exchange for not releasing stolen data to the public. This includes analysing what data the threat actor actually has via a “proof of life” process and evaluating the potential reputational or other harm that would result from a public data disclosure. We recommend having an external extortion service provider review your payment criteria.
  • Identify extortion service providers in advance. Some extortion services are available on a standalone basis while others are part of services offered by digital forensics providers; many insurers have vendor panels that include extortion service providers. Extortion services typically include providing threat intelligence, negotiating with threat actors, ensuring compliance with regulations and restrictions such as the Office of Foreign Assets Control (OFAC), procuring cryptocurrency, and conducting payment transactions.
  • Engage legal. In addition to extortion services providers, know which incident response vendors to engage when an attack hits. This includes a law firm that specialises in cybersecurity and data protection and a digital forensics incident response provider. Many cyber insurance policies cover incident response vendor services, which are frequently subject to prior consent, and many cyber insurers have panel vendor requirements. Ensure legal counsel is involved in and ideally directing ransomware analysis and overall investigation to maximise attorney-client privilege. Legal counsel can also provide guidance on notifying law enforcement of ransomware attacks, a practice that is encouraged by regulatory agencies.
  • Consider regulatory and compliance requirements. Have a compliance program in place to specifically address the possibility of paying a ransom demand. Organisations should follow OFAC guidance and review their plans with all key stakeholders, including outside counsel and other parties that specialise in ransomware response.
  • Keep your checklist handy. Maintain ready access to an incident response checklist, including how to engage your cyber insurer and what vendors to engage when. This can enable a more efficient and seamless response.

2. Best practice: Be diligent about cyber hygiene

The top three ransomware attack vectors are RDP compromise, software vulnerabilities, and email phishing. Improving cyber hygiene can help limit potential exposure to attacks. At a minimum, companies should focus on the following hygiene essentials to mitigate the effects of a ransomware attack:

  • Ensure regular backups and periodic data restoration testing. Storing backup data offline and offsite in a secure manner can substantially expedite recovery from an attack. Limiting access to privileged users is also important. A full backup should be completed at least once a week, although more valuable data may need to be backed up more often and incrementally. Businesses should conduct tests to confirm that backed up and restored data will work in a live environment.
  • Segment your networks into smaller sections. Use firewalls and other means to limit opportunities for attackers. Without gaining privileges, unauthorised users ideally will not extend beyond the originally compromised segment.
  • Limit access. Require multifactor authentication (MFA) for users accessing critical or sensitive data. Remote access should also require MFA through encrypted VPNs.
  • Update your software. Patch regularly to maintain the security of applications and operating systems. Address all critical patches immediately.
  • Enhance security awareness. Cybersecurity awareness training for employees is an important cyber hygiene practice, as employees are the first line of defence against phishing attacks. Employees should be trained to recognise phishing emails and other threats. At the same time, security tools can also prevent phishing emails from reaching an employee’s inbox.

3. Best practice: Understand the financial impact of ransomware and transfer residual risk

Consider ransomware as part of your organisation’s broader risk management efforts. Take into account your risk tolerance, cybersecurity controls, cyber insurance coverage, broader enterprise risk management programs, and value chain as you review and develop your ransomware plans and prepare for the possibility of an attack.

Quantify your ransomware exposure and stress test your balance sheet

Quantifying cyber risk in financial terms allows you to express cyber risk in a language common to all business stakeholders: economics. Equally important, quantification allows organisations to frame cyber in the same terms as other business risks and evaluate risk management investments on the same financial basis.

Ransomware attacks can be devastating from a cost perspective — and the impact of an attack is directly tied to an organisation’s controls and incident response planning. Consider the cost of your systems being down for 14 business days as you rebuild your network from scratch. Was data stolen? Will you negotiate with the bad actor? systems being down for 14 business days as you rebuild your network from scratch. Was data stolen? Will you negotiate with the bad actor?

Ransomware attacks can play out in countless ways. It’s important to consider the financial impacts they could have on your organisation and your balance sheet’s ability to cover these costs. Due to the unpredictable severity of such attacks, many look to transfer their risk and turn to cyber insurance.

Transfer your risk

While understanding the financial impact of your ransomware exposure is essential, it’s only one piece of a comprehensive cyber risk management strategy. Risk transfer can help protect an organisation’s balance sheet and provide resources if risk mitigation tactics fail.

Cyber insurance can provide comprehensive coverage for ransomware attacks, including for ransom demands, business downtime, and associated costs. Cyber policies may also provide access to vendors to help with response as well as resources for clients on incident response planning, employee training, legal, forensics, and breach notification services.

The effects of a ransomware attack can be anticipated. With solid planning, your organisation will be well positioned to handle a potential attack.

Contact Us

For more information about Cyber Risk and how Marsh can support your business, please contact your Marsh representative.  

Related insights

Mountains and lake aerial view

Article

The price of privacy risk: Managing the wide range of data exposures

11/11/2024
Business Colleagues Walking

Article

Emphasizing preparedness: The role of out-of-band communications in cyber incident response

11/11/2024
Green plant grow in middle dry cracked earth. nature recovery and climate change solution

Article

Always on: Preparing for the future of cyber risk

11/06/2024
Woman looking at mountains

Article

Fundamental considerations for building cyber risk resilience

10/03/2024
View more

Marsh Pty Ltd (ABN 86 004 651 512 AFS Licence No. 238983) arrange this insurance and are not the insurer. The information contained in this publication provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisors regarding specific coverage issues. All insurance coverage is subject to the terms, conditions, and exclusions of the applicable individual policies. Marsh cannot provide any assurance that insurance can be obtained for any particular client or for any particular risk. If this communication contains personal information we expect you to treat that information in accordance with the Australian Privacy Act 1988 (Cth) or equivalent. You must advise us if you cannot comply. © Copyright 2022 Marsh Pty Ltd. All rights reserved. LCPA: 21/234.