With recent high-profile attacks targeting organizations ranging from healthcare systems to retailers to government services—and even IT companies—business leaders and the public are learning that ransomware is a threat no one can escape. The breadth of the problem and the rapid tactical changes made by hackers make preparing for and responding to a ransomware attack a significant challenge, but it’s one that every entity with a digital footprint must take on.
Misunderstandings and mistakes, whether before or after a ransomware attack, can leave an organization and those it serves in a difficult, even devastating, position. Below, members of the Forbes Technology Council share common mistakes leaders make when preparing for or responding to a ransomware attack. Read on to make sure your team is doing everything possible to be ready for whatever comes next.
1. Thinking the only weakness is technology
Many managers and executives think that ransomware attacks are only about technology, but this is not true. Social engineering is still effective and this method does not need to detect antivirus vulnerabilities to steal data. Instead, it targets people. Businesses should provide their employees with training sessions that cover all possible ransomware attacks and ways to prevent them. – Roman Vrublivskyi, SmartHub
2. Overlooking the legal and compliance implications
A common mistake is to ignore the legal and compliance ramifications of ransomware attacks. I strongly recommend the involvement of legal counsel both in incident response planning and once an attack is identified. All communications, whether internal or external, must be reviewed and approved by legal counsel and, where possible, protected by attorney-client privilege. – Rolando Torres, Abacode Inc.
3. Failure to establish and follow a robust risk mitigation process
Like all breaches, ransomware is the beneficiary of vulnerabilities. Vulnerabilities are not just defects – they appear whenever someone fails to follow a risk mitigation process. If an adversary can critically exploit a vulnerability, it indicates a failure in the AppSec strategy. Robust strategies account for the risk profile of each application and include checks and balances to minimize the impact when an attack occurs. – Brittany Greenfield, Wabbi
4. Not having a tested incident response plan
A common mistake organizations make in ransomware preparation is not having a tested incident response plan. Many fail to regularly train their employees on attack responses, leading to confusion and delays when an attack strikes, which can have devastating consequences. Regular training and clear protocols are essential for effective mitigation. – Erica Dobbs, Dobbs Defense Solutions
5. Insufficient data backup
Many organizations fail to adequately back up their data. Do that first, then work on other low-cost, high-ROI projects that address ransomware variants currently in the wild—for example, multi-factor authentication in Remote Desktop Protocol. None of this is well understood in the business world, because the ROI on various initiatives remains unclear to executives. – Padraic O’Reilly, CyberSaint
6. Underfunding ransomware protection
Many organizations make the mistake of underfunding their ransomware defenses. Instead, they should prioritize encrypting backup data in separate locations using unique keys and investing in data management and security tools. These measures ensure data integrity and more secure recovery, turning a potential disaster into a manageable challenge. Being proactive is key in today’s digital landscape. – Rajat Sharma, CWS
7. Failure to contain malware before starting data recovery
When it comes to preparing for or responding to ransomware attacks, organizations encounter some common challenges. Organizations must ensure that malware is effectively contained before focusing on data recovery, minimizing the potential for further spread. Emphasize secure backups, keep calm, and focus on basic security practices alongside complex measures. – Karthik TS, Torry Harris Integration Solutions
8. Failure to pressure test recovery plans
A common and serious mistake we see is failure to adequately pressure test recovery plans. While having a specific cyber recovery plan is essential, it is more important to perform rigorous scenario testing. Organizations should simulate attacks to test the recovery of critical components, ensuring that systems are truly resilient. This proactive approach identifies vulnerabilities and improves preparedness. – Jack Dziak, Recovery Point Systems
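Items 5, 6 and 8 above all come down to the same practical question: will the backup copies actually restore, and is each copy protected independently of the others? The following script is an added example written for this page, not code from the article or from any of the companies quoted. It models two backup locations, each with its own key (placeholder values, an assumption of the example), records a SHA-256 per file in a keyed manifest, and then performs the kind of restore check a recovery drill should run: every file present, every file unchanged, and the manifest verified with the key belonging to that location only. The sample file contents and the "ransomware overwrote the primary copy" scenario are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption of the example: one independent key per backup location.
# These are placeholders, not real key material.
PRIMARY_KEY = b"primary-site-key-placeholder"
OFFSITE_KEY = b"offsite-copy-key-placeholder"


def build_manifest(files: dict, key: bytes) -> dict:
    """Record a SHA-256 per file and authenticate the whole list with the
    location's own HMAC key, so a manifest from one location cannot be
    altered or replayed by someone holding only the other location's key."""
    digests = {path: hashlib.sha256(data).hexdigest()
               for path, data in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests,
            "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_restore(manifest: dict, restored: dict, key: bytes) -> list:
    """Compare a restored file set against its manifest.
    Returns a list of problems; an empty list means the restore matches."""
    problems = []
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        # Either the manifest was tampered with or the wrong location key was used.
        problems.append("manifest MAC mismatch: manifest tampered with or wrong key")
        return problems
    for path, digest in manifest["files"].items():
        if path not in restored:
            problems.append(f"missing after restore: {path}")
        elif hashlib.sha256(restored[path]).hexdigest() != digest:
            problems.append(f"content differs after restore: {path}")
    for path in restored:
        if path not in manifest["files"]:
            problems.append(f"unexpected file in restore: {path}")
    return problems


def demo() -> dict:
    """Run a constructed recovery drill and return the findings per location."""
    originals = {
        "db/customers.sql": b"CREATE TABLE customers (...);",   # constructed sample
        "cfg/app.yaml": b"listen: 443\n",                        # constructed sample
    }
    primary = build_manifest(originals, PRIMARY_KEY)
    offsite = build_manifest(originals, OFFSITE_KEY)

    # Constructed failure scenario: the primary copy's database dump has been
    # overwritten (as ransomware would do); the offsite copy is intact.
    primary_restore = {**originals, "db/customers.sql": b"\x00ENCRYPTED\x00"}
    offsite_restore = dict(originals)

    return {
        "primary": verify_restore(primary, primary_restore, PRIMARY_KEY),
        "offsite": verify_restore(offsite, offsite_restore, OFFSITE_KEY),
        # Checking the offsite manifest with the primary key must fail:
        # that is what "unique keys per location" buys you.
        "wrong_key": verify_restore(offsite, offsite_restore, PRIMARY_KEY),
    }


if __name__ == "__main__":
    for location, problems in demo().items():
        print(location, "OK" if not problems else problems)
```

The useful part for a drill is that `verify_restore` is run against a freshly restored copy, not against the backup media in place; a backup that has never been restored is only a hope. Real deployments would encrypt the copies as well as authenticate them, which this example leaves out to stay in the standard library.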
9. Overreliance on outdated tools
Organizations tend to put too much stock in tools such as firewalls or perimeter defenses without considering the evolution of the threat landscape. As hackers become more prolific and our technology stacks become more complex, we must be diligent in moving to a more unified security operations platform that provides better visibility into the broader IT environment. – Daniel Schiappa, Arctic Wolf
10. Not having a plan at all
The biggest mistake is not actually being prepared—acting as if the organization had no idea an attack was coming or even possible. “Reaction” should be the antithesis of panic, and the dominant mindset should not be “if” but “when.” Vigilance must be maintained and there must be an unwavering commitment to booking abroad. Make a plan, share it with stakeholders and keep it current – but above all, make a plan. – Adam Stern, Infinitely Virtual
11. Waiting to report a breach or attack
Many organizations expect to report a breach or ransomware attack. Once a breach is discovered, an organization must move quickly to determine its scope and find a fix. Being transparent about what happened and sharing the details along the way is what separates organizations that continue to earn the trust of their customers and partners from those that lose it. – Jay Chaudhry, Zscaler
12. Not utilizing the full capabilities of current security controls
Focus on pre-breach remediation using your current security controls. Most organizations have the right security tools in place to counter most ransomware attacks—it’s all about leveraging the capabilities of current security controls. Exposure management for ransomware workflows is common, but responding to findings is not. – Oren Koren, Veriti Security Inc.
13. Failure to segment networks
Many organizations fail to segment their networks. Segmentation can prevent lateral spread of ransomware across systems and limit damage. Also, it is essential to implement strict controls on privileged access, which can prevent extensive network damage if credentials are compromised. – Mani Padisetti, Digital Armor
14. Overlooking the security of critical equipment and systems
When preparing for a ransomware attack, organizations often focus only on IT systems, neglecting critical equipment such as printers and scanners and document management systems. These devices and systems can be vulnerable if they are not secured. Organizations can secure vulnerable devices by conducting thorough risk assessments, implementing multi-layered security measures, and educating employees on best practices. – Sam Yoshida, Canon
15. Failure to implement lateral movement prevention
Most organizations implement security controls to prevent initial ransomware infections, but do nothing to prevent the spread of malware once it’s inside the environment. Organizations should also implement lateral movement prevention within the network, using preventative measures such as zero-trust access between internal devices to control lateral movement and minimize attacker reach. – Geoffrey Mattson, Xage Security
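Items 13 and 15 both argue that segmentation and lateral movement controls only matter if they are actually enforced. One way to check that is to state the intended segmentation policy explicitly and run observed flows against it. The script below is an added example for this page, not code from the article or from any of the companies quoted; the zone ranges, the allowed-flow table, the log line format and the six sample flow records are all constructed assumptions chosen for illustration. It flags flows the network accepted that the policy does not permit, which is exactly the class of traffic (workstation-to-workstation SMB, unexpected RDP, anything reaching the backup zone) that ransomware uses to spread.

```python
import ipaddress

# Constructed zone map (assumption of the example, not from the article).
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers":      ipaddress.ip_network("10.20.0.0/16"),
    "backup":       ipaddress.ip_network("10.30.0.0/24"),
}

# Allowed flows as (source zone, destination zone, destination port).
# Anything not listed is a segmentation violation. Deliberately absent:
# any workstation -> workstation entry, and any path into the backup zone
# other than from the server zone.
ALLOWED = {
    ("workstations", "servers", 443),
    ("workstations", "servers", 445),
    ("servers", "backup", 22),
}

PORT_NAMES = {22: "ssh", 443: "https", 445: "smb", 3389: "rdp"}


def zone_of(ip: str):
    """Map an address to its zone name, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> dict:
    """Parse one constructed flow-log line of the form
    '<ts> <src_ip>:<sport> -> <dst_ip>:<dport> <proto> <action>'."""
    ts, src, _, dst, proto, action = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "dst": dst_ip,
            "dport": int(dport), "proto": proto, "action": action}


def find_violations(lines) -> list:
    """Return accepted flows that the segmentation policy does not allow."""
    violations = []
    for line in lines:
        f = parse_flow(line)
        if f["action"] != "ACCEPT":
            continue  # already blocked by the network; nothing to report
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if (src_zone, dst_zone, f["dport"]) not in ALLOWED:
            violations.append(
                f"{f['ts']} {src_zone or 'unknown'}->{dst_zone or 'unknown'} "
                f"{f['src']} -> {f['dst']}:{f['dport']} "
                f"({PORT_NAMES.get(f['dport'], 'tcp')})")
    return violations


# Constructed sample flow records, not real traffic.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.10.4.21:51000 -> 10.20.1.5:443 tcp ACCEPT",   # workstation to web app: allowed
    "2024-05-01T10:00:07Z 10.10.4.21:51002 -> 10.10.4.22:445 tcp ACCEPT",  # workstation to workstation SMB
    "2024-05-01T10:00:09Z 10.10.4.21:51003 -> 10.20.1.5:3389 tcp ACCEPT",  # RDP to a server: not in policy
    "2024-05-01T10:00:12Z 10.20.1.5:40000 -> 10.30.0.10:22 tcp ACCEPT",    # server to backup host: allowed
    "2024-05-01T10:00:15Z 10.10.4.22:51004 -> 10.30.0.10:22 tcp ACCEPT",   # workstation reaching backup zone
    "2024-05-01T10:00:20Z 10.10.4.22:51005 -> 10.10.4.23:3389 tcp DROP",   # already blocked: not reported
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print("segmentation violation:", v)
```

Run against real flow logs, every line this produces is either a gap in the firewall or zero-trust policy that needs closing, or a gap in the written policy that needs documenting; both are findings a tabletop exercise should expect to surface.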
16. Not treating ransomware as a malware problem
The biggest mistake organizations make is not seeing ransomware for what it really is: a malware problem. Bad actors gain information or access through malware infections, which in turn lead to ransomware attacks. Moving forward, organizations need knowledge of what data of theirs is circulating on the Dark Web from past infections so they can deny these entry points for ransomware. – Damon Fleury, SpyCloud
17. Failure to adequately protect hypervisors
Organizations often fail to adequately protect their hypervisors. Many ransomware attacks target hypervisors to encrypt virtual machine drives, and companies rely on only basic defenses like network segmentation to protect these systems. Organizations must use more advanced security mechanisms, such as multi-factor authentication, behavior detection and virtual regulation. – Austin Gadient, Vali Cyber
18. Not sharing details of an attack with the security community
In the wake of a ransomware attack, many organizations’ first instinct is to sweep the incident under the rug. However, giving in to this impulse is a big mistake. By not sharing the details of the attacks, these organizations are robbing the security community of potentially invaluable threat intelligence – empowering the perpetrators and putting even more organizations at risk. – Eyal Benishti, IRONSKALE
19. Basing defense strategies on detection rather than restoration and deterrence
Most organizations base their ransomware strategy on detection, but attacks often spread before incident response measures can begin. can mitigate the blast radius of an attack by isolating the spread of malware on the network. – Sameer Malhotra, TrueFort, Inc.
20. Waiting for an attack to occur to initiate strategy
The most common mistake is to wait until a ransomware attack occurs to start discussing what to do. Tackle the problem by conducting tabletop exercises around ransomware scenarios, where leaders and crisis teams can ask important questions and build muscle memory for answers. The most important factor to discuss is whether or not to pay the reward – further, you need to establish procedures for both options. – Jim Wetekamp, Reconnect