BEST PRACTICES
 
A plan-ahead prescription for recovering from a cybersecurity attack

By Eder Ribeiro

Imagine coming to work on a Monday morning with a full slate of patients awaiting care, yet none of your computer systems work and all your files are encrypted. Sadly, this is becoming a common occurrence among even the most cyber-cautious veterinary clinics.

The pervasive misperception that some businesses are too small or do the kind of work that won’t attract cybercrime continues to stun vet clinics when they fall victim to a cyberattack. The value of the average clinic’s digital assets—from the doctor’s personal finances to its client contact and payment information—is often too tempting for cybercriminals to ignore.

When cybercriminals find their way into your systems, it becomes difficult (if not impossible) to offer the same level of care for patients while trying to mitigate the fallout of a cyber incident. Whether through ransomware, social engineering or a breach of one of your vendors, the schemes deployed by today’s digital thieves have a far-reaching impact on clinic owners, staff, vendors and clients.

Thankfully, most cyber incidents can be resolved with the help of professional cyber incident response teams. How difficult or lengthy that resolution becomes depends largely on a clinic’s preparation and the quality of the contingency plan that’s prepared in advance.

Let’s review some common cyber incident response tactics and the plan-ahead steps that make them easier to deploy following a cyber intrusion.

1. Vet Your Vendors and Set Up External Connection Permissions.

Recovery Instructions: As soon as they are notified of a cyberattack, an incident response team typically will launch a forensic investigation to identify the criminal’s point of entry. As mentioned above, third-party vendors pose a high penetration risk to vet clinics. IT managed services providers can be particularly popular targets for cybercriminals because they hold the keys to the digital kingdoms of many individual clients. Breaking into a single managed services provider may give threat actors access to hundreds of external systems, all for the effort of one.

The Plan-Ahead Prescription: Understand which third-party providers have access to your systems and ask how they secure those connections. Insist on connection requests being a regular part of your engagement. No one should be able to log into your local network without an authorized staff member pressing a button to let them in every single time.

2. Prepare a Cyberattack Contingency Plan.

Recovery Instructions: When ransomware is in play, your clinic may be contacted by the threat actor directly. They will ask for payment in return for unlocking systems they’ve locked or for not exposing the data they’ve stolen on the dark web. You may want to ask your incident response team to step in, communicating with the threat actors on your behalf. Specialized expertise, experience in negotiating with ransomware threat actors and sometimes even specific knowledge of the actor or actors behind the attack equip these professionals for such negotiations.

The Plan-Ahead Prescription: Designate a single point of contact (with a backup, should that person be unavailable) who has the authority to pay or decline a demand for ransom. Formalize this authority by including the individuals’ names or positions in a written cyberattack contingency plan. Be sure to keep a hard copy in the office, as digital-only plans could be locked down during a cyberattack. Train staff regularly on the policies and procedures outlined in the contingency plan. If possible, perform an annual tabletop exercise on your plan.

3. Look Out for Your Partners’ Security, Too.

Recovery Instructions: Depending on the extent of the attack, your network of vendor partners may be at risk. Attackers will often compromise your business email and go after other businesses in your ecosystem. They may, for instance, prepare look-alike invoices and direct the partner to pay your clinic via an untraceable wire transfer or ACH transaction to a mule account. An incident response team can look for this level of intrusion and step in before partners are victimized.

The Plan-Ahead Prescription: Keep a list, documented within your contingency plan, of your regular vendors and their contact information. Be exhaustive, including everyone from your landscaping crew to your patient management software provider.

4. Consider a Cyber Insurance Policy.

Recovery Instructions: As with all businesses, your reputation matters. Security incidents can sully even long-held client relationships. In fact, a recent survey showed 75% of consumers would shift to an alternate company following a ransomware attack [1]. Many incident response teams include public relations and legal professionals who can advise your clinic on how to communicate transparently and legally, mitigate further risks to clients and preserve your brand health following a cyber incident.

The Plan-Ahead Prescription: Maintain off-site backups of client lists so any who are impacted can be contacted as recommended by your incident response team. Consider a cyber insurance policy that includes services, such as call center support and identity theft protection memberships, for your clients following a covered incident. These policies should include access to specialists who are already vetted, eliminating the need for additional effort and pressure during an already stressful time.

5. Update and Validate Backups Regularly.

Recovery Instructions: Speaking of off-site backups, one of the most valuable contributions your internal team members can make—especially in preparing for ransomware—is to create backup files that can be used to rebuild your digital environment. The quality of your backups is one of the most significant factors in determining the amount of time, energy and cost that a rebuild will take.

The Plan-Ahead Prescription: Do not rely solely on your managed services provider for backups; after all, if they suffer a security incident, your backups may be locked down alongside theirs. In addition, make sure that your backup strategy checks two boxes. All files should be 1) regularly updated and 2) regularly validated. A corrupted backup is a worthless backup. A common mishap is running out of backup storage without realizing it. Depending on the level of backup automation and the way it’s configured, a vet clinic’s backups could be failing to upload for months before anyone realizes.
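One way to automate the "updated and validated" check described above, as an added example that is not part of the original article. It assumes backups sit in one folder alongside a `sha256sum`-style checksum file named `manifest.sha256`; that file name, the 26-hour age limit (a nightly schedule plus slack) and the 5 GiB free-space floor are illustrative assumptions.

```python
import hashlib
import shutil
import time
from pathlib import Path

MANIFEST = "manifest.sha256"  # assumed name; lines look like "<hex digest>  <file>"


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()


def check_backups(backup_dir, max_age_hours=26, min_free_bytes=5 * 2**30, now=None):
    """Return a list of problems found; an empty list means the backups look healthy."""
    root = Path(backup_dir)
    now = time.time() if now is None else now
    manifest = root / MANIFEST
    if not manifest.is_file():
        return [f"no {MANIFEST} in {root}: backups cannot be validated"]

    problems, newest = [], 0.0
    for line in manifest.read_text().splitlines():
        if not line.strip():
            continue
        expected, name = line.split(maxsplit=1)
        name = name.strip().lstrip("*")  # sha256sum marks binary mode with '*'
        target = root / name
        if not target.is_file():
            problems.append(f"{name}: listed in manifest but missing")
            continue
        # Validated: an empty or altered file is a worthless backup.
        if target.stat().st_size == 0:
            problems.append(f"{name}: zero-byte file")
        elif sha256_of(target) != expected.lower():
            problems.append(f"{name}: checksum mismatch (corrupted or altered)")
        newest = max(newest, target.stat().st_mtime)

    # Updated: the most recent backup must be younger than the limit.
    age_h = (now - newest) / 3600
    if age_h > max_age_hours:
        problems.append(f"newest backup is {age_h:.0f}h old (limit {max_age_hours}h)")

    # Storage: a full volume is how uploads fail silently for months.
    free = shutil.disk_usage(root).free
    if free < min_free_bytes:
        problems.append(f"only {free // 2**20} MiB free on backup volume")
    return problems
```

Run it on a schedule and send any non-empty result to a person, since a check nobody reads fails as silently as the backup it watches.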

Veterinary clinic owners would not be blamed for believing their businesses are “too small to hack.” Yet that is simply not true. In fact, fraud rings often view smaller as better because small- and medium-sized businesses often lack adequate resources and expertise to fight back against a cyberattack. The main motivator for most threat actors is money. If your business generates revenue, it is a worthy target. Even small ransoms quickly add up over time.

By taking the above plan-ahead prescriptions, you can reduce the impact of a cyber incident. Doing so will help ensure you remain a reliable, trusted caregiver for pets and their families—no matter what is happening behind the screens.

References

1. Fileless attacks increase 1,400%, consumers ditch brands hit by ransomware. (2023, July 9). Help Net Security. https://www.helpnetsecurity.com/2023/07/09/week-in-review-fileless-attacks-increase-1400-consumers-ditch-brands-hit-by-ransomware/

Eder Ribeiro is a senior cybersecurity program manager for TransUnion, leading the company’s cybersecurity incident response team. He can be reached at Eder.Ribeiro@transunion.com