Panic is the enemy of incident response. When a staff member clicks a malicious link and the screen flashes red, or when accounting realises $50,000 has just been transferred to a fraudulent offshore account, the first ten minutes dictate the severity of the entire crisis.
Having a plan saves money, time, and your business's reputation. Here is exactly what you should - and shouldn't - do in those crucial first ten minutes.
Step 1: Disconnect, But Do NOT Turn Off
The absolute first instinct people have when they see a virus warning or a ransomware note is to hold down the power button and turn the computer off. Do not do this.
Turning off the machine can destroy critical forensic evidence stored in the temporary memory (RAM). Even worse, some modern ransomware is designed to permanently corrupt your hard drive if it detects an improper shutdown.
Step 2: Isolate the Infection
Instead of a full shutdown, you should focus on isolating the machine from the network. This stops the infection from spreading across your office while preserving the evidence.
- Pull the blue or yellow Ethernet cable out of the back of the machine.
- If the machine is on Wi-Fi, turn off the Wi-Fi switch or put the laptop in Airplane mode.
Step 3: Escalate Immediately
Do not try to fix it yourself, and do not let your staff try to hide the mistake. Foster a "blame-free" reporting culture. The faster someone admits they clicked a bad link, the faster you can isolate the threat.
Call your IT provider or internal IT team immediately. Tell them exactly what happened. If you suspect a serious breach, you should also contact the Australian Cyber Security Centre (ACSC) via their 1300 CYBER1 hotline.
Step 4: Avoid Immediate Ransom Payments
If you are hit by ransomware, the deadline timer on the screen is designed to make you act irrationally. Do not communicate with the attackers and certainly do not attempt to pay them in the first ten minutes.
Paying the ransom without first consulting an incident response specialist is incredibly dangerous. You might be paying a sanctioned terrorist organisation (which is a federal crime), and there is absolutely no guarantee they will actually give your data back.
Do You Have an Incident Response Plan?
If reading this made you realise your team would have no idea what to do in a crisis, it is time to build a formal Incident Response Plan.
Don't wait until the screen goes red. Book a Cubit cyber security assessment today. We will help you identify your weak points and build a practical, jargon-free response plan so your team is ready for the worst.
To understand where your business stands, we offer a free initial consultation - get in touch.
