Why Belnet created a ransomware response plan
Attacks involving ransomware have been on the rise for some time. Check Point Research found that in the second quarter of 2022, an average of one in 40 organisations worldwide was hit by a ransomware attack, a year-on-year increase of nearly 60%. The research and education sector was attacked the most, followed by governments and Internet and other service providers. (1)
It is no accident that precisely these institutions are being targeted more frequently. After all, they often have highly sensitive information that cybercriminals are only too happy to get their hands on.
NRENs are not left out of the picture either. As a Belgian research network, Belnet serves governments, both local and federal, in addition to Belgian R&E institutions.
“We have target groups that have more chance to be victims of successful phishing attacks. This is one of the main reasons why we strongly advise creating a ransomware response plan, and in order to help, but also as part of our own strategy, we decided to invest time into the elaboration of such a plan,” Belnet’s CISO explains in this interview for GÉANT Cyber Security Month.
Ransomware attacks often begin with a click on a fraudulent link or opening an attachment in a phishing e-mail. Sometimes, it can take weeks or months before files are encrypted and the affected organisation notices something is going on.
Raising awareness among users and training them is one of the most important preventative measures an organisation can take. “At Belnet, this is the job of the Awareness Team. They devise campaigns for our awareness programme and teach our colleagues how to recognise malicious messages in various forms (e-mail, SMS, QR-code, …), and other best practices. They also provide relevant and specific online training for those who accidentally clicked anyway. We also respond to current events by informing them of new phishing techniques that are exploiting these opportunities.”
Gaining time and reducing impact
So technology alone is not enough, and even with intensive user training, no company or organisation can ever rule out becoming a victim of ransomware. ‘Don’t think it only happens to others’ was the premise behind Belnet’s ransomware response plan. “By thinking in advance about scenarios, corresponding technical measures and response strategies, you can save a lot of time when you become a victim of ransomware. Moreover, when an attack occurs, organisations will face delicate issues or questions that sometimes require quick decisions. That makes it important to talk through these issues ahead of the events at an appropriate management level.”
Jean-Christophe Real, Business Continuity Manager at Belnet, adds: “Over the years, we have built up in-depth experience in BCM, risk analysis and the management of purely technical crises. We have not yet had to deal with ransomware, but what is certain is that the impact would be significant and it could take a lot of time to restore business. In creating this plan, we are aiming to reduce the impact when the time comes and resume business as soon as possible.”
But how does an organisation begin such a ransomware response plan? Properly defining the scope of your plan and engaging the right stakeholders within the organisation is the first step. “At Belnet, we took a transversal approach to this – so all the security experts in our technical teams were involved, as were the management, the communication unit and our DPO. The project was driven by the CISO and coordinated by myself as BCM Manager.”
Input from external sources was important here too. Given Belnet’s lack of real-life experience with ransomware attacks so far (thankfully), the organisation also sought outside help. The plan was drawn up entirely internally, but audited by an external party. “That external perspective allowed us to improve and better tailor the plan to our specific situation.”
Importance of crisis communication
Broadly speaking, Belnet’s ransomware response plan consists of three parts: a technical section, a communication section and a strategic guidelines section. The plan fits within BCM and is integral to crisis management at Belnet.
The first section focuses on different scenarios that may occur and corresponding technical measures. “Working out the technical response scenarios can be an endless job. It was not an easy exercise to determine the level of detail. Speaking with organisations that had already had experience with this allowed us to better assess it,” says Jean-Christophe Real.
Each previous crisis at Belnet attracted considerable media attention. For this reason, Belnet decided to prepare a specific crisis communication plan for ransomware. “The premise is that we communicate proactively based on the ‘we know, we do, we care’ principle, in order to maintain control of crisis communication as far as possible. Communicating quickly, appropriately and as transparently as possible to our stakeholders is crucial in this regard,” explains the Belnet CISO.
The communication section also involved working with different scenarios, each with its own risk evaluation and requiring its own approach. This included all the legal aspects as well. “If it turns out that data from Belnet and/or our community has been leaked, as an organisation you obviously have to report it to the appropriate authorities.”
In addition to general communication guidelines, the project team wrote up some templates for press releases, internal communications, social media, etc. “Having these messages validated internally beforehand once again means we can save a lot of time.”
The final section of the plan includes a set of strategic guidelines. “To formulate those, it’s important that you think as an organisation about some delicate and sometimes even ethical questions in advance, such as ‘What is the management position on possibly paying the ransom, and can this be done in a legal way?’ The decision as to whether or not to purchase cyber insurance or use a professional negotiator is also part of that strategic thinking exercise,” says the Belnet CISO.
Now that the ransomware response plan is nearly complete, Belnet is eager to share its experience with the GÉANT community, for example within the SIG-ISM group. “We are eager to hear feedback from other NRENs and first and foremost want to encourage our colleagues to get started themselves. Don’t wait until you are hit by an attack, but start preparing now!”
(1) Source: https://blog.checkpoint.com/2022/07/26/check-point-research-weekly-cyber-attacks-increased-by-32-year-over-year-1-out-of-40-organizations-impacted-by-ransomware-2/
About the author
Davina Luyten is Communications Officer at Belnet, the Belgian research and education network. She has a background in translation, journalism and multilingual corporate communication. At Belnet she is focusing on external communications, public relations and crisis communication. She is interested in developing cyber security awareness and participates in the development of the annual awareness campaign of GÉANT. On behalf of Belnet she also takes part in the Belgian Cyber Security Coalition.
This year GÉANT is again joining the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm2022