Malware – Response Preparedness, Part 3
All right, you have rolled out your awareness campaign to the staff on how to prevent a malware attack, and you have even implemented ongoing reminders and simulated phishing exercises to keep people on the lookout. As effective as we might want to think these efforts are, we also need to accept that it takes only one person being caught off guard, clicking a suspicious link or opening an infected email attachment, for a malware attack to succeed.
That is the focus of this post. Since we cannot completely eliminate the risk of a successful malware attack, it is prudent to plan now for what we will do when one hits. The following areas belong in that plan.
First things First – Ongoing Operations
People’s dependence on computer-based workflows and processes is entirely understandable; we use computers in just about every phase of our job-related duties and tasks. At the same time, many organizations already have what are referred to as “downtime procedures,” to be used when the computer system is unavailable. The most frequent use of downtime procedures is to maintain workflows and operations during a loss of electrical power. Typically, computer-based workflows move to a paper-based format: data and information that would have been entered into a computer system are instead documented on paper. Once power is restored and the system is back online, the organization either scans the paperwork generated during the downtime into the applicable systems, keys the data from the paper into the applicable applications, or does a combination of both. Established and tested downtime procedures can let an organization maintain some level of operations if a malware attack compromises a computer system and forces it to be shut down or taken offline. Two caveats worth checking in advance: a malware-driven outage can last far longer than a typical power outage, so confirm the procedures can be sustained for days rather than hours; and the procedures should not depend on services the compromised system itself provides (for example email, shared drives, or printing), since those may be unavailable at the same time. Find out now what downtime procedures exist and when they were last tested or used. It is far better to confirm they are in place and ready for use before a malware attack occurs than to discover gaps afterward.
Incident Response Team
In parallel with re-establishing and maintaining operations, assemble the team that will respond to the malware attack. Organizations in many industries already have some form of incident response team protocol they can follow. If your organization does not, brainstorm with your management and leadership teams about who would most likely be involved in assessing the impact of a malware attack and deciding on next steps. This initial workgroup can expand as needed based on the specifics of the incident. Such teams usually mix people with the authority to make high-level decisions and people who can assess the technical aspects of the attack and explain the situation in terms business leaders can understand, so that leadership can decide what action to take next. This is where a tabletop exercise is valuable: by walking through a mock malware attack with the team assembled, you can assess whether the right people are at the table and, if not, adjust the team’s makeup to make it more effective going forward. In my opinion, the best time to identify and organize the incident response team is before you need to mobilize it in the wake of an actual malware attack.
A malware attack can do more than compromise the privacy and security of the data on the organization’s computer systems. It can expose the organization to financial and reputational risk, and it may also constitute a criminal act committed against the organization. For these reasons, departments such as risk management and legal are usually brought in early and given the details of the attack. These departments often take a lead role in guiding leadership and management on how to preserve evidence (for instance, not wiping or re-imaging affected machines before their disk images and logs have been captured) and how to document the actions taken in response. That record matters for several reasons, including reporting the incident to the authorities and obtaining the information needed for a possible insurance claim.
With luck, training on your malware attack response will be the best training you never have to use. At the same time, given how easily a malware attack can make it past even the best front-line defenses an organization has in place, it is training that is critical to have.
BridgeFront offers industry-leading out-of-the-box courses to accelerate compliance for hundreds of healthcare organizations. To access a free set of these courses, click HERE and enter the code: comply.