#RSAC: ISACA’s New Ransomware Incident Checklist to Aid Cyber Pros

Written by

ISACA has published a new quick reference document designed to help organizations prepare to mitigate ransomware incidents.

The guide, titled Ransomware Incident Management Quick Reference, is a checklist designed to ensure enterprises are as prepared as possible to mitigate and recover from ransomware attacks.

The checklist covers the following areas: planning and preparation, identification and detection, analysis, containment, eradication, recovery, and postmortem, lessons learned and after action.

Speaking to Infosecurity during RSA 2023, Rob Clyde, board director at ISACA, explained that the guidance came after consultation and surveys with the international professional association.

He emphasized that ransomware remains a huge and present threat to organizations, despite recent data suggesting that extortion payments are down. While tactics used may change, the concept itself will continue to be effective for the foreseeable future.

“It will never go away, because the beauty of ransomware versus other types of cybercrime is that the attacker gets paid directly by the victim – there’s no other criminal involved,” said Clyde.

Read more: Ransomware Poses Growing Threat to Five Eyes Nations

This is why the focus of the new document is ransomware attacks, which are particularly complicated to properly mitigate.

“It makes sure you follow the appropriate steps and don’t leave something out,” Clyde explained. For example, it’s not enough to just focus on getting ransomed data back – the attackers will have found a way into your environment and already accessed that data, which could lead to double extortion demands.

Clyde added: “This process is comprehensive, it will take you through resolving the immediate problem of the ransomware and the steps to fully eradicate the situation – and be better prepared for the next time.”

Another important aspect of the guidance is that it is written with easily understandable terminology, which can help security leaders explain what is required to develop an effective incident response strategy to their company’s board, stated Clyde.

He also hopes that the document will emphasize the importance of collaboration with other departments within the organization, such as HR and legal. Therefore, organizations should ensure processes and responsibilities are clearly established for these scenarios.

“I don’t want to be putting that together in the middle of the incident when emotions are high and the chances of making a knee-jerk reaction versus a measured reaction that we’ve already thought of are high,” outlined Clyde.

Cyber Insurance Becoming a Vital Step

Alongside the new checklist, ISACA has also published new research related to the uptake of cyber insurance, which Clyde emphasized is a crucial component of a ransomware incident response plan. This is because it enables organizations to recover at least some of the costs involved in recovering from an attack.

This survey found that 71% of organizations view cyber insurance as extremely or very important and over half (53%) have a cyber insurance policy.

He pointed out that the ISACA poll was very broad, encompassing many SME organizations with smaller budgets than larger firms.

“When you consider the range of companies that are in the response, it’s remarkable that it’s that many who have cyber insurance – it really has become mainstream,” commented Clyde.

Of those organizations with insurance, 66% are covered for third-party/cyber liability. This is a finding that demonstrates growing recognition of the risks of supply chain attacks, according to Clyde.

“Companies are realizing that the third-party risk, the software we buy, may be a likely avenue through which attacks come. And if our insurance doesn’t cover that, then we’re stuck with trying to collect from the third party,” he explained.

Despite the benefits of cyber insurance, Clyde cautioned that it should only be part of a ransomware mitigation strategy. “I really caution companies who are under the misconception that cyber insurance is the primary mitigation against ransomware attacks – I can tell you there are companies that think that way.”

What’s hot on Infosecurity Magazine?