Do you know what actions internal auditors should take in the event of a cyber ransomware attack? AuditBoard’s Scott Madenburg shares his real-life experience of a ransom attack, what to expect, and how internal audit can help the organization respond effectively.
Every 14 seconds, a cyber ransomware attack occurs with the potential to cause long-lasting financial and reputational damage. It will just seem like another disquieting statistic — until it happens to your organization.
In a previous life, I experienced a ransom attack. The system breach was discovered in the early morning — and spread like wildfire. A task force was quickly assembled, signs were posted to inform employees, and the main conference room was converted into a makeshift war room. Our third-party incident response team and forensic specialists started strategizing and developing response plans, and I was called in to help due to internal audit’s valuable knowledge of risk management, business processes, and the overall control environment.
Based on my previous experience, I wanted to share key lessons I learned with fellow audit, risk, and compliance leaders who — given the increasing frequency of attacks — may find themselves in a similar situation. In this two-part article series I cover what to expect during the immediate response to a ransom attack, and key challenges and success factors for Internal Audit during containment and post-event recovery.
What is a Ransomware Attack?
Intended to generate revenue from unsuspecting victims, ransom attacks are the most pervasive type of cyberattack today. The two most common types are:
- Crypto — where ransomware will encrypt all the files, folders, and hard drives on the infected device
- Locker — where ransomware simply locks users out of their devices
Attackers use your data and information against your organization, holding it for ransom by threatening to release incriminating evidence or proprietary information. These attacks will cost companies an estimated $20 billion by 2021. 76% of organizations anticipate they will be victims of a malware attack in the next year, and 55% of those don’t think they would be able to identify or block a potential attack.
This makes ransom attacks and security audits a priority for internal audit teams — especially with the increased attack frequency in the aftermath of COVID-19, as IT departments relax endpoint controls or user privileges so employees can work remotely, and security budgets are reduced.
Critical First Steps During a Ransomware Attack
When a breach is discovered, it’s essential to act comprehensively and quickly to prevent exposure of more business areas. The following are organization-wide best practices internal audit should expect and support to reduce the damage.
1. Share a succinct message with employees.
Human resources should be involved in getting control of the message to employees. Let employees know:
- There was a breach.
- What it means.
- What actions are being taken.
- What to expect from the downtime.
- The impact on their work.
2. Stop the damage from spreading.
Disconnect everything, and take real-time snapshots of infected computers, virtual machines, and storage devices before anything is rebuilt or wiped, so the evidence is preserved. Establish what data was impacted, what is potentially corrupted, and which of your critical systems need to be up and running first — and back up your data.
3. Trace the attack.
Audit can assist forensic teams in identifying where the attack entered the organization, which is typically through a website or an email. Forensic teams may build a schematic of the attack sequence to illustrate the timeline, the motivation, and the origin of the attack, drawing on information found in data files, binaries, scripts, and the attack’s characteristics — which will be crucial in a later step when the incident is shared with authorities.
4. Assess the impact.
When faced with ransomware, your first instinct may be to launch into a remedial action plan immediately, but this can waste precious time and effort as the infection spreads. Before you kick off defensive and corrective actions, take a step back from the chaos and perform a comprehensive assessment of the damage. Internal audit can propose the following analysis efforts to establish the what, who, when, and where of the incident:
- Perform host analysis on systems identified as being part of the initial intrusion.
- Analyze network log data to identify ongoing or historical attacker movement within the environment.
- Analyze available Domain Controller server logs to identify suspicious access activity.
- Correlate relevant events to establish a timeline of malicious activity.
- Develop recommendations based upon observations during analysis.
This assessment should be the basis of your subsequent course of action.
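As an added illustration of the host, network, and domain-controller analysis steps above, here is a small Python script that runs simple detection rules over each log source and correlates the hits into one timeline with a summary and recommendations. It is example code written for this article, not AuditBoard’s or the author’s own tooling. Every log line, host name, IP address, account name, and threshold in it is constructed for the demonstration; the log formats, the asset mapping, and the detection rules (an Office or mail client spawning a script interpreter, one source reaching several hosts on administrative ports in a short window, one account logging on over the network from several workstations) are assumptions chosen to show the correlation idea, not a description of any real incident or product.

```python
"""Correlate constructed host, network and domain-controller logs into one
incident timeline (example code for this article, not a real toolset)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- Constructed sample log lines (illustrative only, not from a real incident) ---
HOST_LOG = [
    "2024-03-02T06:02:10Z host=WS-117 event=process_start parent=outlook.exe image=powershell.exe",
    "2024-03-02T06:02:11Z host=WS-117 event=process_start parent=powershell.exe image=rundll32.exe",
    "2024-03-02T06:30:00Z host=WS-117 event=process_start parent=explorer.exe image=chrome.exe",
    "2024-03-02T06:41:05Z host=FS-01 event=process_start parent=services.exe image=wmiprvse.exe",
]
NET_LOG = [
    "2024-03-02T06:05:44Z src=10.1.4.17 dst=10.1.4.23 dport=445 action=allow",
    "2024-03-02T06:05:45Z src=10.1.4.17 dst=10.1.4.24 dport=445 action=allow",
    "2024-03-02T06:05:46Z src=10.1.4.17 dst=10.1.4.25 dport=445 action=allow",
    "2024-03-02T06:05:47Z src=10.1.4.17 dst=10.1.4.26 dport=445 action=allow",
    "2024-03-02T06:10:00Z src=10.1.4.40 dst=10.1.4.5 dport=443 action=allow",
]
DC_LOG = [
    "2024-03-02T06:07:01Z EventID=4624 LogonType=3 User=jsmith Workstation=WS-117",
    "2024-03-02T06:07:20Z EventID=4624 LogonType=3 User=jsmith Workstation=FS-01",
    "2024-03-02T06:07:35Z EventID=4624 LogonType=3 User=jsmith Workstation=FS-02",
    "2024-03-02T06:40:00Z EventID=4624 LogonType=2 User=akim Workstation=WS-203",
]
# Hypothetical asset inventory used to join network addresses to host names.
IP_TO_HOST = {"10.1.4.17": "WS-117", "10.1.4.40": "WS-203"}

# Assumed detection thresholds for the three rules.
OFFICE_CLIENTS = {"outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
ADMIN_PORTS = {"445", "3389", "5985"}           # SMB, RDP, WinRM
FANOUT_THRESHOLD, FANOUT_WINDOW = 3, timedelta(minutes=5)
LATERAL_LOGON_TYPES = {"3", "10"}               # network, remote interactive
ACCOUNT_SPREAD_THRESHOLD = 3

RECOMMENDATIONS = {
    "office-spawned-script": "Isolate the host, preserve a disk and memory image, and review the message or document that launched the interpreter.",
    "admin-port-fan-out": "Treat the source host as a pivot point; restrict SMB/RDP/WinRM between workstations and review every destination it reached.",
    "account-spread": "Reset the account's credentials, revoke its sessions, and check the workstations it touched for persistence.",
}


@dataclass
class Event:
    ts: datetime
    source: str
    host: str
    detail: str
    user: str = ""
    suspicious: bool = False
    reason: str = ""


def _kv(line):
    """Split 'TIMESTAMP key=value ...' into (datetime, dict)."""
    ts_str, rest = line.split(" ", 1)
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), dict(re.findall(r"(\w+)=(\S+)", rest))


def analyze_host(lines):
    """Host analysis: flag a script interpreter launched by a mail/office client."""
    events = []
    for line in lines:
        ts, f = _kv(line)
        ev = Event(ts, "host", f["host"], f"{f['parent']} -> {f['image']}")
        if f["parent"] in OFFICE_CLIENTS and f["image"] in SCRIPT_HOSTS:
            ev.suspicious, ev.reason = True, "office-spawned-script"
        events.append(ev)
    return events


def analyze_network(lines):
    """Network analysis: flag one source reaching many hosts on admin ports in a short window."""
    events, admin_conns = [], defaultdict(list)
    for line in lines:
        ts, f = _kv(line)
        ev = Event(ts, "network", IP_TO_HOST.get(f["src"], f["src"]),
                   f"{f['src']} -> {f['dst']}:{f['dport']} ({f['action']})")
        events.append(ev)
        if f["dport"] in ADMIN_PORTS:
            admin_conns[f["src"]].append((ts, f["dst"], ev))
    for conns in admin_conns.values():
        conns.sort(key=lambda c: c[0])
        for start, _, _ in conns:                       # sliding window per source
            window = [c for c in conns if start <= c[0] <= start + FANOUT_WINDOW]
            if len({dst for _, dst, _ in window}) >= FANOUT_THRESHOLD:
                for _, _, ev in window:
                    ev.suspicious, ev.reason = True, "admin-port-fan-out"
    return events


def analyze_dc(lines):
    """Domain-controller analysis: flag an account logging on over the network from many workstations."""
    events, lateral = [], defaultdict(list)
    for line in lines:
        ts, f = _kv(line)
        ev = Event(ts, "dc", f["Workstation"], f"EventID {f['EventID']} logon type {f['LogonType']}", user=f["User"])
        events.append(ev)
        if f["EventID"] == "4624" and f["LogonType"] in LATERAL_LOGON_TYPES:
            lateral[f["User"]].append(ev)
    for evs in lateral.values():
        if len({e.host for e in evs}) >= ACCOUNT_SPREAD_THRESHOLD:
            for e in evs:
                e.suspicious, e.reason = True, "account-spread"
    return events


def build_timeline(host_lines, net_lines, dc_lines):
    """Correlate all sources into one chronologically ordered timeline."""
    events = analyze_host(host_lines) + analyze_network(net_lines) + analyze_dc(dc_lines)
    return sorted(events, key=lambda e: e.ts)


def summarize(timeline):
    """Answer the what/who/when/where and map each finding to a recommendation."""
    flagged = [e for e in timeline if e.suspicious]
    return {
        "initial_host": flagged[0].host if flagged else None,
        "first_seen": flagged[0].ts.isoformat() if flagged else None,
        "involved_hosts": sorted({e.host for e in flagged}),
        "accounts": sorted({e.user for e in flagged if e.user}),
        "recommendations": sorted({RECOMMENDATIONS[e.reason] for e in flagged}),
    }


if __name__ == "__main__":
    tl = build_timeline(HOST_LOG, NET_LOG, DC_LOG)
    for e in tl:
        flag = f"  <-- {e.reason}" if e.suspicious else ""
        print(f"{e.ts.isoformat()} [{e.source:7}] {e.host:7} {e.detail}{flag}")
    print(summarize(tl))
```

Run as a script, it prints the merged timeline with each flagged line annotated by the rule that matched, followed by the summary dictionary. The point of the structure is that each source is analyzed on its own terms and only then merged by timestamp, which is what lets the first flagged event (the constructed WS-117 process start) be read as the likely initial intrusion and the later network and logon findings as movement away from it; in a real engagement the thresholds and asset mapping would come from the organization’s own baseline rather than the constants assumed here.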
5. Notify the authorities.
A ransomware attack is a criminal incident. Notifying the authorities about the cyberattack on your organization is essential to protect both your reputation and your customers. If your organization is subject to GDPR, notification is required, alongside your other regulatory obligations. Swiftly reporting the incident can also give your organization more knowledge and insight if the authorities are already working with other organizations attacked by the same individuals or the same malware.
6. Notify customers.
This will be difficult, but being authentic will build a stronger relationship. Importantly, your legal team and public relations teams must be involved to establish a single voice and put out fact-based statements.
While internal audit may not play a starring role during the immediate response to a ransomware attack, we have an opportunity to learn, help review the process in real time, and make needed improvements. An awareness of these critical first steps will help internal audit and your organization respond effectively in the early days of the attack — but containment and remediation are where internal audit can really make an impact by conducting an independent review of the company’s response plan to stay ahead of future threats. Stay tuned for the second part of this series, where I will examine what internal audit can do to support effective ransom attack containment and forward-looking recovery.