By Wayne Hankins, Senior Director Analyst at Gartner
The threat of ransomware attacks has escalated over the years, leaving affected organizations with disruption and downtime. Meanwhile, chief information security officers (CISOs) are under increased pressure to defend against ransomware attacks and minimize their effects on the organization.
To improve an organization’s resilience during a ransomware attack, cybersecurity leaders must prepare to execute a coordinated containment strategy that helps them stay resilient and recover quickly from future attacks. Failure to do so will increase the risk of an uncoordinated and ineffective response, prolonging the recovery time.
How To Develop a Containment Strategy?
CISOs should work with stakeholders to develop a containment strategy to mitigate the impacts of a ransomware attack. The key objective of this strategy is to reduce the time from the attack to the containment point while limiting the disruption within the business. CISOs must follow these steps to get started:
– Identify business-critical systems and the business impact. Lean heavily on business stakeholders to help identify these crown jewels.
– Assign the level of impact these systems have on the business.
– Work with SMEs (such as architects and vendors) to understand the organization’s capabilities to isolate infected systems. The containment methods need to be clearly defined and tested.
– Predetermine the contamination risk levels for your systems. For example, systems with little to no interdependencies may be rated lower than systems with many interdependencies.
– Finally, document this work in your containment strategy workbook.
Integrate the Containment Strategy into Your Cybersecurity Incident Response Plan
Due to ransomware’s impact on a business, Gartner recommends creating a ransomware playbook that includes the processes and procedures for managing this type of attack. CISOs must integrate their defined containment strategy into their enterprise’s cybersecurity incident response plan and/or ransomware playbook.
Finally, once the integration has been successfully executed, CISOs must test the reliability and effectiveness of the containment strategy in conjunction with the cybersecurity incident response plan and ransomware playbook. They must use a tabletop exercise to test their enterprise’s capability to execute its incident response plan and ransomware playbook. The exercise will also help identify gaps in both documents that require improvement.