The Aspen Institute

Amidst widespread fears of cyber ramifications for the US and western networks due to Russia’s war in Ukraine, Aspen Digital brought together some of the country’s top experts on cyber threats to help small and medium-size businesses understand how to handle online risks to their networks and operations. 

The session, led by experts from Comcast, Microsoft, and PwC, and moderated by Chris Krebs, the founding director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA) and Aspen Digital’s Senior Newmark Fellow, walked organizations through a hypothetical ransomware scenario and offered tips at every stage of an unfolding incident. 

Brandon Wales, CISA’s current executive director, highlighted the importance of collaboration between government and businesses, saying,

“We look at the threat environment and we know that only by deepening our operational collaboration with the business community can we fully understand the threats we’re facing and can we take the collective action necessary to protect our networks.”

As the panelists explained, there are several concrete actions organizations can take today to prepare for a possible cyber incident:

What should my organization do today to prepare for ransomware? 

• Update your incident response plan (IRP). An IRP includes established roles, responsibilities, processes, and procedures for handling a cybersecurity incident. As Noopur Davis of Comcast advised, companies need to have an IRP ready because during an active incident, “You really don’t have time to come up with a plan.” The IRP should include the first people you should call during an incident as well as technical, legal, business, and internal and external communications considerations. It should also align to your organization’s values around customer service, employee engagement, and transparency. 
• Enhance your security posture. Your organization’s first lines of defense are instituting cybersecurity basics such as strong password policies, multi-factor authentication, regular backups, and software vulnerability management—e.g., making sure that you have processes in place to patch and update software as quickly as possible. If resources allow, corporate investments in continuous monitoring can provide real-time visibility into what’s happening on your networks, potentially leading to faster detection. 
• Prepare your teams for a ransomware scenario. All parts of your organization should understand their role in communications and continuity of operations. If email systems are down, how will your team mobilize and communicate? Are there hard copies of the IRP if your policy library is unavailable? As Sean Joyce of PwC shared, “Collectively, we all need to become more resilient. One of the ways to become more resilient is to have a tabletop exercise and walk-through these scenarios. We have to bring to light issues and decision points we didn’t consider before.”
• Assess your reporting requirements. As the victim of a crime—and depending on the circumstances—you may have state or federal cyber incident reporting requirements. In general, the experts advised that it’s usually in your interest to contact law enforcement, but even beyond that, in some cases, it may be the law.

What if my business falls victim to a cyber attack?

• Activate your IRP. If you are hit with a cyberattack, your up-to-date and regularly revisited IRP will serve as a useful guide. Remember that even the best IRP might not consider every possible scenario you might encounter, so it’s important to establish trust and regular communications with your core response team to handle unexpected situations.
• Collect data. Gather information about the size, scale, and severity of the incident (e.g., impacted data subjects, files potentially accessed or exfiltrated, etc.) to assess and prepare for technical, business, and legal impacts. Ensure stakeholders across your organization receive timely information they can use to help with the response.
• Presume the story will go public. Take the incident seriously, and prepare to share an accurate account of what information you had and the actions your team took to contain the incident and restore operations. 

How can my organization recover? 

• Set reasonable expectations. Share your commitment to restoring normal business operations, but set reasonable expectations with employees, customers, and regulators. There will be many unknowns in the early days of the attack—including when operations will be restored—and many questions about whether or not to pay the ransom. Do not make promises without sufficient information and coordination with your team and your key incident stakeholders. 
• Communicate carefully. Be deliberate about your communications with your employees, regulators, and other stakeholders. Jim Sfekas of Microsoft warned, “There’s always a chance the ransomware actor still has access to your systems, which could give them visibility to incident response.” To address that concern, it’s critical that IRPs should include alternatives to email for communication, such as SMS or text messaging or cell phone numbers. If your company telephone system is a voice-over-IP, know that it too could be disabled during an attack, so make sure you have relevant alternatives to contact key staff.  
• Share information and get assistance: CISA and the FBI are standing by to assist with cyber incidents. By sharing your information, the government can gain a better view into the larger cyber problem, and adjust resources and policies accordingly. 

Where can I learn more? 

There are several openly available resources for organizations of all sizes:

• Cyber Tools and Services
• Cyber Essentials Toolkit
• StopRansomware.Gov
• General questions? central@cisa.gov 
• Sign up here to get information about the 2022 Aspen Cyber Summit

As Executive Director Wales shared,

“I understand that small and medium sized businesses  have unique challenges when facing cybersecurity risks. Resource and personnel constraints will certainly impact your ability to employ the most sophisticated cybersecurity tools. But, this is important: you are not helpless and you are not on your own.” 

****

Aspen Digital empowers policy-makers, civic organizations, companies, and the public to be responsible stewards of technology and media in the service of an informed, just, and equitable world. A program of the Aspen Institute, we shine a light on urgent global issues across cybersecurity, the information ecosystem, emerging technology, the industry talent pipeline, tech and communications policy, and innovation. We then turn ideas to action and develop human solutions to these digital challenges.