5. The Approach to Cybersecurity: Cyber Risk Management 119

on his computer, he is greeted with a ransomware note on his desktop similar to the one in Figure 5.5. What happens next?

Figure 5.5 A screenshot of a ransomware note.

The first phase is to respond. Would an employee know who to contact in case of an emergency like this, especially on a holiday when nobody else is in the office? Time is of the essence, so the quicker he is able to notify leadership, the better. Imagining this scenario might help the organization understand the need to provide clear guidance to employees on what to do when an incident happens. Covering what to do could be part of the new employee orientation process, and employees could be periodically reminded in emails or as part of annual security trainings—these are examples of controls. The company could even establish an emergency phone that is manned 24/7/365 (24 hours a day, 7 days a week, 365 days a year) in case an incident occurs and make sure all employees know the number to call.

Once a person in leadership is notified, he needs to quickly assess the situation to determine if it constitutes an emergency. In this case, he might ask the employee to log in to a different computer to see if the ransomware note appears there as well. The leader might try to log in remotely to see if he can access key systems.

Once it is determined that this is a real ransomware incident, the next phase begins: the necessary team members must be alerted. The first to be called would be cybersecurity and IT staff members who could respond quickly and perhaps reduce further damage. It may be prudent to take the office network offline and to shut down computer systems. During this process personnel need to be careful not to destroy any evidence that could