Stage 2 is Expensive but Stage 3 is the Most Painful

4 Stages After Ransomware Breach

No, we’re not talking about some 12-step program here… we’re still sticking to IT, network architecture and cybersecurity, people!

What we’re referring to are the stages in the image that accompanies this blog post.

We’ve taken that image straight from one of our vendors, affixed our logo (with their permission) and are going to use it as the basis of a food-for-thought exercise.

Question: is your company committed to cybersecurity? Or, as we see so often, do you occasionally look at additional layers of protection, consider them briefly but do nothing, hoping the hackers will pass you by and hit someone else instead? If you fall in the latter category, A) that’s foolish and B) this post is for you.

The attached image suggests 4 phases of response if your company does get breached.

As an aside, let me proudly state that not one of our clients has suffered a ransomware episode. That said, I hope I’m not jinxing us because at the moment we have two relatively new clients who simply are not listening to our security recommendations… it is just SO short-sighted (and frustrating!).

…but I digress. Let’s dive into the stages shown in this image.

Stage 1

Okay, this is supposed to represent the immediate response phase. Changing employee credentials is a perfectly fine recommendation. But “check your network segmentation” and “assemble a breach response team?” These are both things that should be planned for and structured ahead of time.

You should have already created a breach response team as part of your disaster recovery plan. And we’ve taken over so many poorly architected networks that we can say this: if you’re not sure if your company’s network is properly layered and segmented, have a pro take a look right away. Proper architecture is one of the many elements that can prevent a small breach from becoming a big one. It’s the “build” in our Build IT, Manage IT and Secure IT tagline.

Stage 2

Story time for a moment…

A month ago, a 400 employee, ~$100MM SaaS company near us was locked up by a ransomware attack that brought operations to a halt. The hackers’ payment demand was $7 million. The company “successfully” negotiated it down to just over $2 million, which it of course paid in Bitcoin.

Problem was, their situation required a very fancy team of forensic and legal specialists to determine how they were breached, what in fact was missing and which of their clients they had to notify (it sounds like it’ll be everyone – and I say “sounds” because this one is ongoing, it’s very fresh — but back to that in a minute). The forensic and legal fees are going to be double what they paid the hackers, bringing to total cash outlay for this little fiasco to nearly what the hackers asked for in the first place!

The only problem with this stage in our accompanying image is: it ain’t just healthcare companies who have to be extra careful. Does your company have industry regulations to consider? Do you possess client data, credit card info and other sensitive info? Oh, and what about all the sensitive employee information your HR department holds? Yup, most companies will have lots to deal with if they get breached and trust us: the expense will bring pain to organizations of all sizes.

Stage 3

Notification: this is the one that hurts. And its economic affects are potentially longer-lasting than the initial ransomware-related expenses.

First, your clients will be pissed but you have to tell them. Do you answer to regulators? Here’s how that one goes: if you have thoughtful, substantial cybersecurity layers in place but still get breached, they’ll give you a break but if you were clearly careless, they’ll hammer you. And when the clients that didn’t leave find out the regulators are hammering you – and they will find out – they may leave, too.

No one likes having their data stolen but clients do not forgive if it was stolen thanks to your carelessness.

If you know your organization isn’t doing all it should be to protect its network, just sit back and imaging being out of business for a week while you scramble to open a Bitcoin account and get your files back. Imaging having to tell your clients, investors, counterparties or patients. Image having to explain to regulators.

So many layers of cyber protection are actually really inexpensive, there’s just no excuse to keep waiting, to keep risking the biggest, most painful phase of incident response: notification.

Stage 4

Again, we have one item listed that should be done ahead of time (and regularly): the review of information systems because they are constantly evolving along with a business’s needs.

And as for dark web monitoring that’s pictured, that is merely one small layer in a multi-pronged cybersecurity protection plan. It’s cheap, so that’s good, but it’s also fairly low value.

Most of the time, we have found that stolen credentials being traded on the dark web are old and outdated. That said, the 5-ish percent of the time we do uncover active credentials for one of our clients, it is highly valuable – worth every penny. And there’s only one fix: changing that password immediately.


Everyone’s making infographics these days. It’s certainly no easy task to sum up a ransomware breach response plan in one image so this effort was fine, if incomplete.

That said, you should have noticed an underlying theme with our comments and critiques of the steps in this image: most of them should be done ahead of time!

When it comes to protecting your data, your employees and your business reputation, there is no substitute for proper cybersecurity planning.

Contact us if you’re finally ready to take action.

Related Articles

Scroll to Top