“Herman” comes back from vacation over Veteran’s Day weekend to a mess. Herman, who leads the HR department at his company, doesn’t know that a salesperson opened an infected Excel document from an email claiming to be a client over the weekend; on this day, all he knows is that $100,000 of payroll has been redirected from employees to mysterious cyber criminals, who are now threatening to withhold or destroy files on Herman’s computer without an additional $10,000 ransom in Bitcoin paid.

“Herman” and his bad day back at the office are fiction, but there are plenty of businesses each day that find themselves in similar situations, panelists at Wednesday’s Into the Breach seminar shared. An estimated 80 attended in-person and 500 livestreamed the morning, hosted at Holmes Murphy with representatives from Dickinson Law and SBS CyberSecurity.

“Don’t let a breach be the first time you try your action plan,” warned Kyle Hougham, attorney at Holmes Murphy.

Through four hours, panelists laid out a roadmap for companies to create a cyber incident reaction plan, well before a distant hacker ever installs ransomware on your company computer.

Identify who receives the first calls

“Who do you call if your building is on fire?” asked Chad Knutson, president of SBS CyberSecurity. “[A breach] is your building on fire. Know who to call.”

Knutson and other representatives recommend creating hard copy plans outlining immediate steps and contact information for a company’s designated ‘instant response team’, especially phone numbers, so that employees can get in touch with necessary people if they are locked out of their email or digital contacts list.

Who gets on that list? Companies should identify either the Chief Information Officer or another employee enabled to make substantial decisions and delegate tasks under pressure. Insurance brokers and legal counsel should also be prioritized contacts. The company should immediately get in touch with its financial institution, which could potentially freeze any funds affected by the attack.

Companies should work with insurance brokers ahead of an attack to identify which vendors to call in response to an incident, rather than risk calling a vendor who is not covered under their insurance policies, said Miles Weis, executive risk practice leader at Holmes Murphy.  

Employees affected by the attack should be notified before the Board of Directors, advised Laura Wasson, an associate at Dickinson Law.

“The Board of Directors probably doesn’t need to be contacted in the first 24 hours,” Wasson said.

Contain the attack

The longer an infected machine is connected to the internet, the bigger the risk is that files are being exported to criminals. Disconnecting from the internet is an “essential move” – but do not shut down any computers, Knutson added. Preserving any evidence is paramount to a future investigation of an incident.

“If you power down, you destroy all [potential] memory,” he said, including any temporary files or software installed on the computer.

That said, “it’s not black and white,” Knutson added, and responders might consider shutting down unaffected computers preemptively to prevent the spread of malware – as long as they can prove those computers haven’t yet been infected.

Consider reactions to ransomware

Law enforcement strongly encourage businesses not to pay into ransom threats to retrieve files, but panelists say it’s a business’s own decision. If attackers are demanding $10,000 for files, and a business loses $20,000 each day, leaders may consider paying up.

Some insurance policies will cover ransom under e-commerce extortion. If payment is demanded in cryptocurrency such as Bitcoin, understand if the company already owns Bitcoin or how it would pay under pressure. Be wary that there are no guarantees attackers will release files after the ransom is paid – or that attackers won’t hit back with a larger ransom.

Figure out how the company would resume operations before a potential attack, Knutson said, especially in states like Iowa which may hold businesses liable for not paying employees in a timely fashion under a wage payment act.

Companies may never see the criminals brought to trial, especially if the attack originated overseas; however, they may receive protection under their bank or insurance policies in the instance of an incident. Creating a culture of preparedness and a healthy skepticism of emails as potential phishing attacks can aide in keeping company assets safe, panelists said.

The full recorded seminar, which covers incident triage, liability and claims, communication strategy and preventative education for employees is available on demand through Holmes Murphy.