They are increasingly frequent and, to an extent, inevitable. Ransomware attacks are part of today’s business landscape, and the recent passage of Bill 64 now compels companies to document these incidents. Companies need to prepare for such attacks and put in place a specific reaction plan. Here are a few tips.
“Ransomware attackers represent a very serious threat,” explains Roger Ouellet, director of the security practice at NOVIPRO. “When they have found a breach in your system and get into it, they become so knowledgeable about your business that they can often explain how your network works better than you.”
The first piece of advice from this security specialist is to “stop behaving like an ostrich and get your head out of the sand! In 2022, the question is no longer whether you will be attacked, but when. Companies must prepare for this eventuality, period.”
Mr. Ouellet suggests adopting the methodology of the National Institute of Standards and Technology used by companies in North America.
This methodology consists of five steps: from preparation to post-event assessment, through detection and analysis, containment and eradication-recovery.
Incident management plans should also take into account current legal provisions, including the recently adopted Bill No. 64 concerning the recording of incidents in an incident register and their declaration to the Commission d'accès à information de Quebec as of September 2022.
1 - Prepare well
Prevention is cure. The preparation stage involves defining a methodology as well as roles, responsibilities and legal obligations when reacting to attacks. But it also requires planning measures as part of the daily life of a company, among other things, building a framework for the controlled use of office equipment.
Explains Mr. Ouellet, "For example, you need to define reasonable use of laptops by each employee, create a framework for the use of company data, a framework for communicating data on social networks or even in private messages, and a framework for the use of USB keys. Also, remember to document your software architecture: this will be essential to rebuilding everything after an attack.”
It is also at this stage that companies need to ensure that legal obligations regarding disclosing damages are met and that insurers are provided with all the information needed for their files.
Download the Portrait of IT 2022
A survey of 500 decision-makers from Canadian companies about their IT challenges
2 - Detect and analyze
Has your system been attacked? The first thing you need to do is perhaps the most difficult: detect and recognize incidents. Remember to check each attack vector. “Is the attack coming from a messaging platform? The company website? You have to make sure you have the tools you need for detection and analysis.”
Get in touch with one of our experts to find out
how to cyber secure your business
3 - Contain damage
“This is the stage where we develop a strategy to remedy the problems caused by the attack” explains Roger Ouellet. “We determine what the damage is and what is its extent. We try to isolate the section that has been attacked (for example by disconnecting the network) to prevent it from spreading.”
4 - Eradicate and recover
After the attack, it will take several weeks to rebuild an at least minimally efficient production situation. “You have to clean up each server and then re-establish a secure environment. It is possible that parts of this environment cannot be restored, and that certain elements cannot be found. Sometimes you simply have to start over and rebuild,” warns Mr. Ouellet.
5 - Draw up a post-event report
To successfully carry out this step, the containment and eradication steps must be properly documented. Remember that the insurer will also request both this information and documents in order to analyze claims for reimbursement and compensation.
“We analyze this documentation and we try to draw conclusions” says Roger Ouellet. “Did we have a specific flaw in our system to which we must be sensitive in the future? Did we have trouble detecting a specific attack vector? At this stage, we also need to establish the software and tools that we lacked to properly fend off the attack." This improves the company’s defensive posture and helps it to be ready to minimize any short or long-term impacts.
