Attacks involving ransomware have been on the rise for some time. Research by Check Point Research shows that in the second quarter of 2022, an average of one in 40 organisations worldwide was hit by a ransomware attack, a year-on-year increase of nearly 60%. The research and education sector was attacked the most, followed by governments and Internet and other service providers. (1)
It is no accident that precisely these institutions are being targeted more frequently. After all, they often have highly sensitive information that cybercriminals are only too happy to get their hands on.
NRENs are not left out of the picture either. As a Belgian research network, Belnet serves governments, both local and federal, in addition to Belgian R&E institutions.
“We have target groups that have more chance to be victims of successful phishing attacks. This is one of the main reasons why we strongly advise to create a ransomware response plan, and in order to help, but also as part of our own strategy we decided to invest time into the elaboration of such a plan” Belnet’s CISO explains in this interview for GÉANT Cyber Security Month.
Ransomware attacks often begin with a click on a fraudulent link or opening an attachment in a phishing e-mail. Sometimes, it can take weeks or months before files are encrypted and the affected organisation notices something is going on.
Creating awareness, by raising it among users and training them, is one of the most important preventative measures an organisation can take. “At Belnet, this is the job of the Awareness Team. They devise campaigns for our awareness programme and teach our colleagues how to recognise malicious messages in various forms (e-mail, SMS, QR-code, …), and other best practices. They also provide relevant and specific online training for those who accidentally clicked anyway. We also respond to current events by informing them of new phishing techniques that are exploiting these opportunities.”
Gaining time and reducing impact
So technology alone is not enough, and even with intensive user training, no company or organisation can ever rule out becoming a victim of ransomware. Don’t think it only happens to others was the premise behind Belnet’s ransomware response plan. “By thinking in advance about scenarios, corresponding technical measures and response strategies, you can save a lot of time when you become victim of ransomware. Moreover, when an attack occurs, organisations will face delicate issues or questions that sometimes require quick decisions. That makes it important to talk through these issues ahead of the events at an appropriate management level.”
Jean-Christophe Real, Business Continuity Manager at Belnet, adds: “Over the years, we have built up in-depth experience in BCM, risk analysis and the management of purely technical crises. We have not yet had to deal with ransomware, but what is certain is that the impact would be significant and it could take a lot of time to restore business. In creating this plan, we are aiming to reduce the impact when the time comes and resume business as soon as possible.”
But how does an organisation begin such a ransomware response plan? Properly defining the scope of your plan and engaging the right stakeholders within the organisation is the first step. “At Belnet, we took a transversal approach to this – so all the security experts in our technical teams were involved, as were the management, the communication unit and our DPO. The project was driven by the CISO and coordinated by myself as BCM Manager.”
Input from external sources was important here too. Given Belnet’s lack of real-life experience with ransomware attacks so far (thankfully), the organisation also sought outside help. The plan was drawn up entirely internally, but audited by an external party. “That external perspective allowed us to improve and better tailor the plan to our specific situation.”
Importance of crisis communication
Broadly speaking, Belnet’s ransomware response plan consists of three parts: a technical section, a communication section and a strategic guidelines section. The plan fits within BCM and is integral to crisis management at Belnet.
The first section focuses on different scenarios that may occur and corresponding technical measures. “Working out the technical response scenarios can be an endless job. It was not an easy exercise to determine the level of detail. Speaking with organisations that had already had experience with this allowed us to better assess it,” says Jean-Christophe Real.
Previous crises at Belnet led to much media attention each time. For this reason, Belnet decided to prepare a specific crisis communication plan for ransomware. “The premise is that we communicate proactively based on the “we know, we do, we care” principle, in order to maintain control of crisis communication as far as possible. Communicating quickly, appropriately and as transparently as possible to our stakeholders is crucial in this regard,” explains the Belnet CISO.
The communication section also involved working with different scenarios, each with its own risk evaluation and requiring its own approach. This included all the legal aspects as well. “If it turns out that data from Belnet and/or our community has been leaked, as an organisation you obviously have to report it to the appropriate authorities.”
In addition to general communication guidelines, the project team wrote up some templates for press releases, internal communications, social media, etc. “Having these messages validated internally beforehand once again means we can save a lot of time.”
The final section of the plan includes a set of strategic guidelines. “To formulate those, it’s important that you think as an organisation about some delicate and sometimes even ethical questions in advance, such as ‘What is the management position on possibly paying the ransom, and can this be done in a legal way?’ The decision as to whether or not to purchase cyber insurance or use a professional negotiator is also part of that strategic thinking exercise,” says the Belnet CISO.
Don’t delay
Now that the ransomware response plan is nearly complete, Belnet is eager to share its experience with the GÉANT community, for example within the SIG-ISM group. “We are eager to hear feedback from other NRENs and first and foremost want to encourage our colleagues to get started themselves. Don’t wait until you are hit by an attack, but start preparing now!”
Davina Luyten is Communications Officer at Belnet, the Belgian research and education network. She has a background in translation, journalism and multilingual corporate communication. At Belnet she is focusing on external communications, public relations and crisis communication. She is interested in developing cyber security awareness and participates in the development of the annual awareness campaign of GÉANT. On behalf of Belnet she also takes part in the Belgian Cyber Security Coalition.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm2022
GÉANT uses cookies to deliver the best possible web experience. By continuing and using this site, you agree that we may store and access cookies on your device. Please ensure you have read GÉANT’s Privacy Notice and Cookies Policy.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
Cookie
Duration
Description
cookielawinfo-checkbox-analytics
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional
11 months
The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy
11 months
The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.