Ignoring Post Ransomware Insurance Recommendations 2024

Published 6 months ago | 5 min read

Ignoring post-ransomware protocols is my topic for today. I will discuss the risks service providers face when a client, or they themselves, suffer a ransomware security incident and they do not follow the very clear, well-worn path of not touching anything.

We will look at the risks involved if you ignore this advice, as well as why some people still decide to “fix the problem” by, say, running a virus scanning tool or, more likely, recovering from a previous backup, thinking this is an absolutely guaranteed solution.


As usual, I am going to inject a little documentation wisdom where appropriate and let's face it, it's always appropriate. I will also discuss how documentation can help I.T network administration services manage and maintain information recovery solutions effectively as it specifically relates to this topic.

Knowledge management is also an essential aspect of the IT industry, whether it be the backup procedures discussed here or the steps to install the community edition of Nexenta, so that others can fault-find in a time-effective fashion. It enables network admin services to manage and maintain the IT infrastructure of their clients effectively.

We have years of experience in working with service providers to write their processes and procedures and there is no area more important to a service provider than how their clients' procedures are documented especially during a ransomware attack.

Mandatory Client Cyber Insurance Policies

It's getting out of control these days with all the legal action and claims being filed against managed services organizations. While the cost of service providers' policies is going through the roof and it is easy to think that insurance companies are making a killing from us, that is actually not the case.

Plenty of insurance companies are turning their backs on service providers or ramping up the costs and requirements to even get insurance, and that is because many of them are running at a loss when it comes to technology-related business such as SaaS providers or cloud backup service providers. The claims being made have gone rogue both in number and payout amounts.

One way that you can minimize your risk and appear far more attractive to insurance companies that offer Internet security policies is to make it mandatory for any client that is signing up to any of your technology agreements to have their own information security policy. Like hippies trying to use the front door, there should be no exceptions: back door only.

MSP Cowboys - Not Always

With the lack of serious regulation in the service provider industry, it is no wonder we have a choose-your-own-adventure. This is exacerbated because the solutions, including backups, are complex in nature and the technology that is used changes so rapidly.

So it is not uncommon for a service provider to have started their backup managed services organization from their bedroom back in the 90s. No doubt, hard working and conscientious, always trying to do the right thing.

Now pick an exact date where we went from a world that treated technology services companies like an undesirable grouping of nerds trying to convince other organizations that I.T was the way of the future to where we are today where companies cannot run without either outsourced technology providers or experienced technical staff.

Not easy, is it? There is a lot of gray between 1990 and 2024, so it is understandable that there are a number of service providers out there who do things a certain way because they have always done them that way.

Reacting to a virus threat or other data loss event is no different. On one side, on hearing of lost client data, there is that twisting gut feeling of “gee, I hope our backup actually works.”

That feeling does not go away no matter how good your backup system is, as it is always an uncertainty. The other half is “OK, let's get this sorted, I can relax as soon as we recover this data and the client will be happy the faster I get things done.”

That way of thinking was OK in the 90s, maybe even up to the early 2000s but somewhere after 2010 that protocol for reacting to a serious disaster recovery incident went out of fashion. You may be surprised to know that the only provider that would act that way today would have to be categorized as a cowboy.

You are not a cowboy, are you? It is OK if you are and are still doing this, as long as you dismount the horse and throw away the spurs after reading this.

You Just Described My Bulletproof Recovery System

I get it: wanting to get the client up and running after a file server failure or virus infection is going to be about your only focus when something like this happens.

So I will give you a scenario that may help convince you that this is not the best course of action, and that you should ensure all of your help desk staff have access to the pre-ordained steps on what to do during, say, a sudden ransomware incident.

Say, for example, you ignore my advice on post-ransomware checklists, rectify the initial problem, get the client back up and running within a short amount of time, then forget all about it.

6 months go by and you get a call from the client. It turns out the ransomware attack you fixed was not just ransomware: the underhanded swine behind it are now selling your client's data records on the darknet for ten bucks a pop.

The client then explains to you how much more damage having their data stolen is doing than had they just lost all their information and had to start again.

Delayed Knowledge Of Data Theft

The problem you face when you have a serious security threat and you try to fix it yourself by restoring from a scheduled backup is that you are traipsing through the place like a herd of elephants, destroying evidence as to where the threat came from and how serious it is, and also making it impossible to determine at that time whether data has been stolen.

MSPs have always been and will always be the equivalent of the jack of all trades. Sure, you get a few level three guys in there who may have undertaken a specialist, high-level networking course; however, they are not experts in infiltration by those of low moral fiber, and they are not working on serious electronic security incursions day in, day out.

We also throw the term security expert around far too easily. Let's all be honest here, the vast majority of service provider technical staff are in no way close to being a security specialist and that includes the people that label themselves as such. At most we use the term security expert as a marketing tool and usually because we have a security application we have subscribed to.

Expert Forensic Technology Experts

I have been in IT for 30 years now and I have yet to meet a true security specialist. They are few and far between, make more than most of us could afford to pay, and live and breathe seriously damaging information breaches every working hour.

More often than not, they work for insurance companies rather than service providers. These are the caliber of people that you need when a catastrophic security incident occurs and, realistically, the only way we can access that level of expertise is through our insurance.

Make sure your Information security insurance policy covers expert advice during security incidents. They should because it benefits them to contain the situation so that it results in the least amount of damage possible.

By leaving it 6 months or a year between the incident occurring and finding out that, say, data was stolen, you have turned what could have been a simple phone call to your broker, where you hand off the responsibility, into a very real risk of an expensive lawsuit because of the unreasonable time between the data leak occurring and remediation occurring.

It's Not Our Fault

When has that ever mattered? Lawsuits are not about dishing out fairness.

How could you have known that data was stolen at the time of the confidentiality breach? Well you most likely could not have and that is the whole point.

There is no way, with the expertise of the average provider, that you are going to be able to forensically analyze the clues and determine that information theft has occurred, which is why it is absolutely imperative to have a plan of action before this happens so that you do not open yourself up to legal action because you were being “helpful.”

Backup and Data Encryption

If it moves, encrypt it; if it does not move, kick it and then encrypt it. In many US states, if data is encrypted then a data intrusion involving already encrypted information does not count as an IT security incident. Take a look at the wording for GDPR (European Regulations), for instance, where it excludes encrypted data from being considered a data breach.

This is because if it is encrypted then it cannot be viewed or used if stolen. Even in these scenarios, I still recommend that you contact your insurance broker. You are paying for it anyway, so you may as well use their advice in these situations, because I do not have the expertise to know the strength of encryption required nor the way in which it needs to be implemented for it not to count.

Technology Based Insurance Broker

Check this article on Cyber security where I go into more detail. I know next to nothing about the technicalities of it, all I know is that I need it, you need it, your client needs it and if you do not have it then you are operating outside of what would be considered reasonable in today's marketplace.

Nobody is going to judge you for it as long as you now remedy the situation. If you want more information on insurance for MSPs then I recommend a guy called Joseph Brunsman if you are located in the United States.

I do not know him and have never undertaken business with him however he has a really good reputation on the MSP subreddit and that is a tough audience to please. His videos demonstrate an expert level of knowledge that is quite obvious.

Stop Everything and Call Your Insurance Specialist

Assuming you have a broker and policy that allows you to potentially make a digital security claim and includes forensic analysis as part of the policy, you need to attempt to lock down and minimize change both from your client and your staff as much as possible.

I cannot reinforce enough the fact that when a serious security situation occurs, you do not know the magnitude or the type, from ransomware to data theft or even whether the data was just looked at, and you most likely will not without expert outside help.

Does that stop you from facing a risk of a claim from the client due to loss because of the delay? Absolutely not, but it is the lesser of two weevils in most cases.

Remember in Pulp Fiction when the Wolf turned up and was able to quickly resolve an almost impossible issue? This is the caliber of technical expert your insurance company will hopefully have on hand. The other great thing about this process is that it is very simple and it transfers the responsibility to the insurance company to analyze the issues.

The alternative is having Big Lez, your favorite second level support staff member, playing around just trying to get things working again without attempting to locate evidence that will help paint a picture.

It also means they take on the risk of making a mistake: if they direct you to restore from backup and that action was a mistake and makes things worse, that is more likely to be on them. If it ever goes to court, it looks a lot better if you are saying “We do not have in-house expertise to make these decisions so passed it off to our insurance forensic specialists.”

That is as close to a bulletproof answer as you will get versus: “We put our best guy Big Lez on the case and he said he will fix it, no problems. His MCSE certificate in NT 4.0, as well as having gone on a 3 day bender with John McAfee in the late 90s, gave me complete faith in his abilities. I am not sure how we can be blamed for the cascading number of damages allegedly caused by our best tech, Lesley Mackerel.”

Conclusion

Ignoring post-ransomware protocols and not having a pre-ordained action plan, in the form of a guide for all technical staff on how to handle a major security breach, is a recipe for disaster.

The frequency and number of incidents have gone through the roof in the last couple of years. Our security response checklist, pre-approved by your insurance broker, along with a cyber security policy that has a good reputation and as much coverage as you can afford, is the key here.

Most service providers, which probably includes yours, do not have the internal expertise to manage these incidents.
