Complex Made Simple

Crisis management: How to respond to ransomware attacks

In terms of preventing an attack, your IT department is key to ensuring that all IT systems are regularly updated by the deployment of security patches and ensuring antivirus software is installed on all your computers, according to experts from corporate law firm Addleshaw Goddard.

They also recommended putting a crisis management team in place to deal with any urgent issues and to have comprehensive incident response plans in place to deal with security breaches or attacks.

Addleshaw Goddard’s UK Reputation & Information Protection and Dubai Commercial Litigation teams hosted a Crisis Simulation event in Dubai in conjunction with PR agency ASDA’A Burson Marsteller’s Corporate and Crisis Practice last week.

Cyber crime in the UAE and the course of action following an attack were key issues discussed at the seminar.

Cyber crime

Here’s what you need to know about cyber crime in the UAE:

1. Cyber crime is taken extremely seriously in the country and there are a range of offences that any individual found guilty of hacking might face, with custodial sentences and hefty fines able to be levied

2. Ensure that you are aware of your reporting obligations. While there is no formal reporting obligation for companies registered onshore in Dubai, there are strict duties to report for companies registered in the DIFC and ADGM

3. Bear in mind that there are cyber crime laws in the UAE that apply not only to those guilty of the type of offences linked to hacking, but to a broad range of Internet-based offences. Make sure you consider what you are posting/circulating online and that you are not breaking any laws before you do so

What to do immediately following a cyber-attack  

Experts highlighted some practical steps to consider during the first few crucial hours following a cyber-attack. As part of your initial response plan, you should:

1. Mobilise your crisis management team with support from communications and legal advisers, as appropriate

2. Alert and activate everyone on the response team, including external resources, to begin executing your incident response plan

3. Secure the IT systems affected by the cyber-attack to help preserve evidence and bring in your forensics team to begin an in-depth investigation

4. Stop additional data loss, take affected equipment offline but do not turn them off or start probing into the computer until your forensics team arrives

5. Protect your reputation with an internal and external communications strategy, supported as necessary by crisis communications specialists and/or reputation lawyers

6. Involve the police, if/when appropriate and particularly if a ransom has been demanded

7. Notify regulators after consulting with legal counsel and upper management

8. Notify insurance broker(s) to ensure compliance with policy terms

Avoid the temptation to pay the ransom 

If a company or organisation is unfortunate enough to be hit by this recent or any other cyber-attack, it may be tempted to pay the ransom.

Ransom demands are deliberately set at a relatively low level (in the recent attack it was said to be approximately $300) to make it less expensive to pay the ransom than it would be to pay for outside IT security consultants to come in to fix the problem.

There are several reasons why you should think twice before paying any ransom:

1. Quite often, these types of cyber-attacks are a form of advertisement for the hacker to show off their abilities and be hired or procured to undertake more damaging attacks in the future;

2. Hackers often communicate with each other in chat rooms and the so-called ‘dark web’ and share information about vulnerabilities they have discovered. If you pay a ransom for one type of cyber-attack, you may leave your organisation open to further attacks by other hackers as well; and

3. If your company is in a regulated industry, such as financial services, you may have to report any security breach to your regulator. Paying a ransom may instigate further regulatory scrutiny

Damage to reputation and retrieving your data 

The recent WannaCry attack appears to be focused on encrypting the data where it is located and then unlocking it once the ransom is paid, rather than focusing on any loss of data. Other types of cyber-attacks have involved data being damaged or extracted and then held to ransom.

While it may not be possible to prevent an attack, how you respond once it hits will be key to ensuring your business – and its reputation – recover as quickly as possible.