• Current students
      • Student centre
        Enrol on a course/exam
        My enrolments
        Exam results
        Mock exams
        Learning Hub data privacy policy
      • Course information
        Students FAQs
        Student induction
        Course enrolment information
        F2f student events
        Key dates
        Book distribution
        Timetables
        FAE elective information
      • Exams
        Exam Info: CAP1
        E-assessment information
        Exam info: CAP2
        Exam info: FAE
        Access support/reasonable accommodation
        Extenuating circumstances
        Timetables for exams & interim assessments
        Interim assessments past papers & E-Assessment mock solutions
        Committee reports & sample papers
        Information and appeals scheme
        JIEB: NI Insolvency Qualification
      • CA Diary resources
        Mentors: Getting started on the CA Diary
        CA Diary for Flexible Route FAQs
      • Admission to membership
        Joining as a reciprocal member
        Conferring dates
        Admissions FAQs
      • Support & services
        Recruitment to and transferring of training contracts
        CASSI
        Student supports and wellbeing
        Audit qualification
        Diversity and Inclusion Committee
    • Students

      View all the services available for students of the Institute

      Read More
  • Becoming a student
      • About Chartered Accountancy
        The Chartered difference
        What do Chartered Accountants do?
        5 Reasons to become a Chartered Accountant
        Student benefits
        School Bootcamp
        Third Level Hub
        Study in Northern Ireland
        Events
        Blogs
        Member testimonials 2022
        Become a Chartered Accountant podcast series
      • Entry routes
        College
        Working
        Accounting Technicians
        School leavers
        Member of another body
        International student
        Flexible Route
        Training Contract
      • Course description
        CAP1
        CAP2
        FAE
        Our education offering
      • Apply
        How to apply
        Exemptions guide
        Fees & payment options
        External students
      • Training vacancies
        Training vacancies search
        Training firms list
        Large training firms
        Milkround
        Recruitment to and transferring of training contract
        Interview preparation and advice
        The rewards on qualification
        Tailoring your CV for each application
        Securing a trainee Chartered Accountant role
      • Support & services
        Becoming a student FAQs
        Who to contact for employers
        Register for a school visit
    • Becoming a
      student

      Study with us

      Read More
  • Members
      • Members Hub
        My account
        Member subscriptions
        Annual returns
        Application forms
        CPD/events
        Member services A-Z
        District societies
        Professional Standards
        Young Professionals
        Careers development
        Diversity and Inclusion Committee
      • Members in practice
        Going into practice
        Managing your practice FAQs
        Practice compliance FAQs
        Toolkits and resources
        Audit FAQs
        Other client services
        Practice Consulting services
        What's new
      • In business
        Networking and special interest groups
        Articles
      • Overseas members
        Home
        Key supports
        Tax for returning Irish members
        Networks and people
      • Public sector
        Public sector news
        Public sector presentations
      • Member benefits
        Member benefits
      • Support & services
        Letters of good standing form
        Member FAQs
        AML confidential disclosure form
        Institute Technical content
        TaxSource Total
        The Educational Requirements for the Audit Qualification
        Pocket diaries
        Thrive Hub
    • Members

      View member services

      Read More
  • Employers
      • Training organisations
        Authorise to train
        Training in business
        Manage my students
        Incentive Scheme
        Recruitment to and transferring of training contracts
        Securing and retaining the best talent
        Tips on writing a job specification
      • Training
        In-house training
        Training tickets
      • Recruitment services
        Hire a qualified Chartered Accountant
        Hire a trainee student
      • Non executive directors recruitment service
      • Support & services
        Hire members: log a job vacancy
        Firm/employers FAQs
        Training ticket FAQs
        Authorisations
        Hire a room
        Who to contact for employers
    • Employers

      Services to support your business

      Read More
☰
  • The Institute
☰
  • Home
  • Articles
  • Students
  • Advertise
  • Subscribe
  • Archive
  • Podcasts
  • Contact us
Search
View Cart 0 Item
  • Home/
  • Accountancy Ireland/
  • Articles/
  • News/
  • Latest News

Lastest news

How to mount an effective response to a ransomware attack

Jun 18, 2021

A responsive ransomware incident plan is critical for organisations. Carol Murphy and Ross Spelman outline what the plan should include and how to respond in the case of an attack.

Every organisation should have a ransomware incident response plan in place, and this should be regularly tested, reviewed, and updated. This plan should include roles and responsibilities for all stakeholders, including IT, legal, compliance, human resources, operations, communications, and end-users.

The response effort should focus on key functional areas, including IT, information security, legal, and communications. The teams looking after these areas should share information in a central location and establish clear communication channels with regularly scheduled incident update sessions.

IT

Ransomware is a technology problem and, once detected, the first step is to disconnect any infected or suspected systems from the network and shut down non-infected systems to protect them from infection. Once that is complete, available backups should be identified and evaluated. It is critically important that backups pre-date the attack. If a system cannot be cleaned and brought back to a secure, operational state, the system must be rebuilt or restored.

The restoration process should follow a clear, prioritised sequence based on business criticality and risk exposure. For example, critical production servers or systems providing email/collaboration services may come first, followed by business-critical workstations supporting payroll and other critical areas of the business. Depending on the priority, general user workstations may come last.

Information security

The information security team should attempt to identify the type of ransomware that has infected the system and, if possible, pinpoint the criminals responsible for it and then determine if a decryption key or remediation software is publicly available.

A forensic investigation should be undertaken to determine whether any data was stolen, how the network was accessed, the particular systems accessed, and what activities took place on them. Devices and equipment which appear to be non-infected should be examined for evidence of hacker activity as a matter of routine.

Once the investigation is complete, the team should work with IT to fix the vulnerabilities used by the criminals to access the network.

It is not good enough to fix the root cause(s) or vulnerabilities exploited by the attacker: the organisation should strengthen multiple layers of security controls and improve/adopt a defence-in-depth approach to security.

Legal and communications

Depending on the criticality of the incident, company officers and employees may need to be notified immediately. Business partners and key external parties should also be informed at the earliest possible juncture and kept informed as the investigation progresses.

The legal and communication teams should prepare a statement to inform the broader public of the incident. They should also work with IT and Information Security to develop and implement temporary workarounds for impacted critical functions, including email, payroll, and customer portals.

The team should also prepare for regulatory or compliance reporting requirements such as those covered by GDPR.

No ransom

We do not think you should pay ransom demands for a variety of reasons. Paying ransoms will only fund continued criminal activity. Payment could also expose companies to legal risk with no guarantee that the criminals will make good on their promise to supply a decryption key or other means of recovering data. Indeed, companies that pay ransoms may find themselves vulnerable to re-infection by the same criminals or their associates.

No organisation can afford to be without a cyberattack or ransomware response plan. The plan should be subject to periodic review and set out the role of all appropriate sections of the organisation in the response and recovery process. Particular emphasis should be placed on the investigation phase as this will assist in the prevention of future attacks. When an organisation recovers from a ransomware incident, it should emerge much stronger.

Carol Murphy is Consulting Partner and Head of Risk Transformation at EY.

Ross Spelman is Cybersecurity Director and Lead at EY.

The latest news to your inbox

Useful links

  • Current students
  • Becoming a student
  • Knowledge centre
  • Shop
  • District societies

Get in touch

Dublin HQ

Chartered Accountants
House, 47-49 Pearse St,
Dublin 2, Ireland

TEL: +353 1 637 7200
Belfast HQ

The Linenhall
32-38 Linenhall Street, Belfast
Antrim BT2 8BG, United Kingdom.

TEL: +44 28 9043 5840

Connect with us

CAW Footer Logo-min
GAA Footer Logo-min
CARB Footer Logo-min
CCAB-I Footer Logo-min

© Copyright Chartered Accountants Ireland 2020. All Rights Reserved.

☰
  • Terms & conditions
  • Privacy statement
  • Event privacy notice
LOADING...

Please wait while the page loads.