
The Best Defense: How to Prepare for a Ransomware Attack Today

When talking about security or real-life attacks, the focus naturally tends to be on the things that went wrong. Security reports look at the most common “ways in” or new potential exploits.

In a sense, the things that can go wrong – from simple human errors to bad luck – are infinite. It is actually simpler to look at the day-to-day best practices that also reduce your likelihood of attack and increase how fast you can recover.

Have a Call List

One of the most difficult aspects of incident response is that people don’t know whom to call or who is in charge.

The key stakeholders in a response may vary depending on your organizational structure, the location of the incident, or even the type of incident. This is a good starting point, where there may be additional roles that you need to include for your operations and others that may not be as relevant:

  • Local resources who can be onsite to deal with system and hardware issues
  • Facilities managers
  • In-house legal teams
  • Executive leadership, including any IT managers and possibly senior leadership, the C suite, or the board of directors
  • Business and cyberinsurance companies
  • Points of contact for vendors and service providers, both for IT and for operations

Your contact list should also be loosely ordered, so that you contact the people who will have active roles (like local IT resources and IT managers) first, while groups that need to be informed or have follow-up tasks can be dealt with later. It’s also a good idea to have backup contacts wherever possible, in case incidents occur during holidays or when key people are unavailable.
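The ordered, tiered call list described above, with backup contacts that take over when a primary is out, as an added example that is not part of the original post; the tier numbers, role names and phone numbers are constructed assumptions, not Thrive's own template.

```python
"""Incident call-list resolver: an added example, not part of the original post.
Active-role contacts come first, informational groups later, and each role has a
backup used when the primary is unavailable. All names and numbers are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Contact:
    name: str
    phone: str
    available: bool = True   # False during holiday/leave, per the on-call roster

@dataclass
class Role:
    title: str
    tier: int                # 1 = active response, 2 = must be informed, 3 = follow-up
    primary: Contact
    backup: Optional[Contact] = None

def reachable(role: Role) -> Optional[Contact]:
    """Primary if available, otherwise the backup, otherwise None."""
    for c in (role.primary, role.backup):
        if c is not None and c.available:
            return c
    return None

def build_call_sequence(roles: list[Role]) -> list[tuple[int, str, str]]:
    """(tier, role, contact name) in the order they should be called."""
    seq = []
    for role in sorted(roles, key=lambda r: r.tier):   # stable sort keeps list order within a tier
        c = reachable(role)
        if c is not None:
            seq.append((role.tier, role.title, c.name))
    return seq

def uncovered_roles(roles: list[Role]) -> list[str]:
    """Roles with nobody reachable: the gaps to fix before an incident, not during one."""
    return [r.title for r in roles if reachable(r) is None]

# Constructed sample call list (not a real organisation's).
CALL_LIST = [
    Role("Local IT / onsite", 1, Contact("A. Onsite", "+1-555-0100", available=False),
         Contact("B. Onsite", "+1-555-0101")),
    Role("IT manager", 1, Contact("C. Manager", "+1-555-0102")),
    Role("In-house legal", 2, Contact("D. Counsel", "+1-555-0103", available=False)),
    Role("Cyberinsurance carrier", 2, Contact("E. Claims", "+1-555-0104")),
    Role("Board of directors", 3, Contact("F. Chair", "+1-555-0105")),
]
```

Running `uncovered_roles` against the list on a regular schedule (before holidays, after staff changes) is the check that turns a static contact sheet into one that still works on the day.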

Keep It Clean

The best security practice is to make sure that general IT services are well-maintained. These include the basics:

  • Changing default passwords on devices and services
  • Regularly updating systems
  • Promptly identifying and patching affected systems or hardware as CVEs are published
  • Scheduling regular backups that are stored offsite or in a separate cloud environment

That’s really just a starting point. Some of the more complicated aspects of a recovery come when the infrastructure and data are not well understood. Be familiar with and document every aspect of your infrastructure.

  • Identify all datastores for all services, and what kind of data is stored there (particularly PII or confidential data)
  • Identify and map all domains, cloud environments, physical systems, and hardware across your infrastructure. This can be extensive; the main thing is to know what general operating environments you have and to avoid shadow IT or deprecated environments.
  • Identify dependencies across environments.
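A review pass over a documented inventory that flags the gaps the three points above describe (sensitive datastores without an offsite backup, deprecated environments, and dependencies on deprecated or undocumented environments), as an added example that is not the post's own tooling; the environment kinds, classification labels and sample entries are constructed assumptions.

```python
"""Infrastructure inventory review: an added example, not the post's own tooling.
Walks a constructed inventory and flags the gaps the post warns about: PII or
confidential datastores with no offsite backup, deprecated environments, and
dependencies on deprecated or undocumented (shadow IT) environments."""
from dataclasses import dataclass, field

@dataclass
class Environment:
    name: str                 # an AD domain, a cloud account, a physical site
    kind: str                 # "ad-domain", "cloud" or "physical" (assumed labels)
    deprecated: bool = False
    depends_on: list[str] = field(default_factory=list)

@dataclass
class Datastore:
    name: str
    environment: str          # Environment.name it lives in
    classification: str       # "public", "internal", "confidential" or "pii" (assumed labels)
    offsite_backup: bool      # backup stored offsite or in a separate cloud environment

def review_inventory(envs: list[Environment], stores: list[Datastore]) -> list[str]:
    """Return one finding per gap; an empty list means the inventory is clean."""
    findings = []
    by_name = {e.name: e for e in envs}
    for e in envs:
        if e.deprecated:
            findings.append(f"deprecated environment still in use: {e.name}")
        for dep in e.depends_on:
            if dep not in by_name:
                findings.append(f"{e.name} depends on undocumented environment {dep}")
            elif by_name[dep].deprecated:
                findings.append(f"{e.name} depends on deprecated environment {dep}")
    for s in stores:
        if s.environment not in by_name:
            findings.append(f"datastore {s.name} is in undocumented environment {s.environment}")
        if s.classification in {"confidential", "pii"} and not s.offsite_backup:
            findings.append(f"{s.classification} datastore {s.name} has no offsite backup")
    return findings

# Constructed sample inventory (not a real organisation's).
ENVS = [
    Environment("corp.example", "ad-domain", depends_on=["legacy.example"]),
    Environment("legacy.example", "ad-domain", deprecated=True),
    Environment("prod-cloud", "cloud", depends_on=["corp.example"]),
]
STORES = [
    Datastore("hr-db", "corp.example", "pii", offsite_backup=False),
    Datastore("wiki", "prod-cloud", "internal", offsite_backup=False),
    Datastore("cam-nvr", "site-b", "confidential", offsite_backup=True),
]
```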

And the last part is to understand who (both users and machines) has access to your infrastructure and make sure that their access privileges reflect their role.

  • Define different Active Directory domains for different operating environments and physical locations.
  • Use role-based access control or similar approaches to restrict access to services unless necessary.
  • Use operating system-level management to restrict permissions granted to processes (including containers or virtual machines).
  • Set strong password requirements, including reasonable password expirations (not too long or too short).
  • Look out for any smart devices, like security cameras, which may be connected to the network. Make sure that these are properly secured and updated.

Build a Team

Not every useful resource is going to be internal to your organization. One major example is cyberinsurance. The majority of organizations have cyberinsurance, and these companies usually include forensics teams and investigators as part of their coverage.

Also make sure that you have dependable and knowledgeable legal counsel (either in-house or a recognized partner). Legal help is invaluable in directly dealing with ransom or extortion demands, settling terms with the insurance company, and managing any obligations because of contracts or service agreements that are affected by the attack. Ideally, the legal counsel will be separate from your cyberinsurance company to ensure that you get unbiased advice.

If you are working with an MSP for IT services or an MSSP for security services, make sure that they have experience with cyberinsurance claims. We have been able to help clients before by being able to ensure they were compliant with the terms of their insurance and that they could appropriately document and substantiate their claims. We have seen claims get denied or coverage dropped because of how other service providers addressed an attack.

Anyone can be a victim of a security breach, and the odds are that you will be at some point. Good security is like good health. It is the result of continual good habits, maintenance, and awareness. This is what it means to build a security-aware culture.

And of course, if you need guidance or ideas for your incident response plan, you can always contact Thrive.