Plan for your organisation to become the victim of a ransomware or malware attack, even if you think it's extremely unlikely you'll be targeted because having an incident response plan will greatly reduce the impact if the worst happens.
The advice is part of the National Cyber Security Centre's (NCSC) updated guidance on mitigating malware and ransomware attacks under a new section on preparing for an incident. The guidance has been updated because of what the NCSC describes as "a growing threat from ransomware attacks".
One of the key pieces of advice is to plan for an attack on your systems even if you think it's unlikely, because as the agency notes, there are many organisations that have been impacted by malware as collateral damage, even when they weren't the intended target.
SEE: Security Awareness and Training policy (TechRepublic Premium)
For example, both the WannaCry and NotPetya cyberattacks caused damage to organisations around the world that weren't specifically being targeted by hackers.
To ensure that an organisation is as prepared for an attack as possible, the first thing managers should do is identity their critical assets and what the impact would be if they were disrupted by a malware attack – then develop an incident response plan that accounts for what should happen if there is an attack.
The NCSC says that a well planned and executed response will help to minimise the damage caused by a cyberattack and could result in anything from restricting the amount of data lost to being able to minimise public fallout after falling victim to an incident.
The incident response plan should also be tested thoroughly to help clarify the roles and responsibilities of both staff and third parties and how to go about a system recovery if the network is taken out.
For example, in the event of ransomware shutting down the network, an organisation should already know how long it would take to restore minimum functionality to the network, what processes need to be followed to restore servers and files from backups, and how critical business services can still operate while the incident is ongoing.
The guidance also suggests that organisations should have plans in place so that, if they do fall victim to a ransomware attack, they already know how they'd respond to a ransom demand and the threat of data being published as part of the extortion scheme.
This advice on being prepared for an incident is in addition to previous advice from the NCSC, which urges organisations to make regular backups, and prevent malware being delivered to devices and stopping malware from being able to run, for example, by limiting permissions that aren't needed. Organisations are also urged to install security updates as and when they arrive.
SEE: Global pandemic opening up can of security worms
The latest guidelines are based on the NCSC's own experience of helping organisations resolve incidents over the course of this year.
"With each incident the NCSC manages, we continue to learn. We learn about how criminals compromise networks, how they deploy malware, and the mitigations that – if in place – would have prevented the attack," said the NCSC blog post.
"Knowledge like this, which we acquire from the 'cyber frontline', is invaluable and informs the guidance we publish. This is why we've updated the mitigating malware and ransomware guidance; to ensure that it reflects the changing nature of the incidents we are dealing with."
To help organisations manage their incident response strategy, the NCSC recommends its free Exercise in a Box online tool, which contains materials for setting up, planning, delivery, and post-exercise activity – many of which are based on data from real cyberattacks.