Protecting your organisation's critical data is a costly endeavour, with security budgets continually being squeezed to mitigate against the ever-expanding threat landscape.

Ransomware is undoubtedly one of the most crippling cyberattacks, catching victims unaware and ultimately causing long-term consequences for the companies that become infected.

Although ransomware attacks have started to stabilise, now is not the time to get complacent with your security strategy.

Ransomware attacks are still happening, and just because your organisation might not be individually targeted, if you fail to patch properly there’s a very real chance you’ll become the victim of a wider attack designed to infiltrate any system that has been left vulnerable.

Here, we provide a brief overview of ransomware alongside a list of steps security professionals advise you take in the event of a ransomware attack, together with a couple of things you should aim to avoid.

What is ransomware?

Ransomware first came to prominence in 2005 and since then it has become one of the most pervasive cyberattacks across the world. Since day one, its purpose has been to generate revenue from its unsuspecting victims, and recent calculations from Cybersecurity Ventures put the estimated cost of ransomware attacks at around $11.5 billion.

There are two major types of ransomware: crypto and locker. Once a malicious link has been clicked or a misleading application has been opened, crypto-ransomware will encrypt all the files, folders and hard drives on the infected device, promising to reinstate them once a ransom has been paid to the attacker. By comparison, locker-ransomware simply locks users out of their devices.

Unfortunately, ransomware attackers aren’t fussy when it comes to who they target.
Attacking a business might see them do the most damage, but regular end-users who aren’t necessarily clued-up on cybersecurity are more likely to pay the ransom in an attempt to retrieve their files.

As a result, cybercriminals launching this type of attack usually take a scattergun approach: even if only a small minority of the victims pay out, ransomware is so cheap to deploy that the attackers are guaranteed a profit.

Falling foul of a ransomware attack can be damaging enough; however, if you handle the aftermath badly the reputational damage could be catastrophic, causing you to lose much more than just your files.

What should you do in the event of an attack?

Trace the attack

The most common way ransomware makes it into your system is through a malicious link or email attachment. If you’re lucky, the malware will only affect the machine it was opened on; however, if you’ve failed to patch your entire network (hello WannaCry) your entire system will end up becoming infected.

First you need to locate the machine that was initially infected and find out whether its user has opened any suspicious emails or noticed any irregular activity on the machine.

The sooner you find the source, the quicker you can act. Ransomware attacks tend to have a time limit on them before files are erased.

Unplug

Once it has initially infiltrated a machine, ransomware spreads via your network connection, meaning the sooner you remove the infected machine from your office network, the less likely other machines are to become infected.

When notifying employees about the need to unplug devices from the network, don’t forget to reach out to any remote workers you might have.
Even if someone isn’t physically in the office, if they’re connected to the network they can still fall victim to the attack.

In a perfect world, your security team or equivalent should already have a plan for situations like this, so it might be the case that you just hand over to them and allow them to mitigate the damage as best they can.

If a plan doesn’t exist, a meeting should be held to outline what needs to happen next. It’s important to let everyone know exactly what is expected of them.

Notify your IT security team or helpdesk

It’s not uncommon for bigger organisations to have an IT security team and even a dedicated Chief Information Security Officer who will be the one to execute your plan of action and handle protocol in the aftermath of an attack.

However, for some smaller companies, budgetary restraints often mean having these experts in-house just isn’t feasible. In that instance, it’s important that the CIO is fully briefed on all security issues and can take the reins in the event of a crisis.

It’s also helpful to map out a timeline of the breach. This should help with future attacks and help you learn about your current security systems.

Cyberattacks often leave clues in the metadata, so a full search of it will be necessary in most cases.

Notify the authorities

If your company handles data that belongs to citizens inside the European Union, GDPR now requires you to inform the ICO within 72 hours of a breach having occurred. Failure to do so means your organisation is non-compliant with legislation, and with potential fines of 4% of annual global turnover or €20 million, that’s something you cannot afford to do – literally!

If the data stored has numerous identifiers, you should alert a data protection officer or equivalent.

Inform all employees and customers

Transparency is key in situations like this.
When it comes to cyber-attacks, your weakest link is often your employees, and despite our best efforts, we can all easily make mistakes that jeopardise company data.

Rather than pointing fingers, inform your staff that there has been a breach, what this means and what action you plan on taking. You should also let them know of any expected system downtime which will impact their work.

It’s also important you’re upfront with your customers who might have had their data compromised in a ransomware attack. Obviously, there’s no point putting out a statement the minute you discover the breach, as at this point you won’t know all of the facts surrounding the attack.

Once you’ve had a bit more time to establish exactly what went wrong, that’s when you need to inform them. It’s important your customers hear the bad news from your company, not from a media report.

Update all of your security systems

Patch, update, invest and repeat. After the incident is over, you’ll need to perform a total security audit and update all systems.

This may take some time, and even cost some money, but if you value your data and your company’s reputation, you’ll do it.

What you definitely shouldn’t do

Panic

While we would always advise you to have a plan in place before you fall victim to a ransomware attack, if the worst happens and you don’t have a strategy it’s important you try not to panic.
Impromptu decisions won’t help your situation; if you need help, ask for it.

Any obvious disorder could potentially be exploited by cyber criminals, leaving you vulnerable to further attacks.

Pay the ransom

Ransomware attacks saw a significant spike a few years ago because criminals realised they can make relatively large amounts of money for a small upfront cost.

Most alarmingly, research has shown that one third of companies admit that it’s actually more cost effective to just pay the ransom each time than to invest in a proper security system.

Unfortunately, this has created a vicious circle where businesses continue to pay the ransom, meaning ransomware will continue to be a popular money-making tactic, serving only to perpetuate the problem.

Generally, cybercrime experts and authorities advise against paying the ransom for many reasons. Firstly, just because you’ve paid the ransom, it doesn’t mean that you’ll receive a decryption key to unlock your data. Secondly, it might encourage the hackers to request larger amounts of money from future victims.

Ultimately, only you can assess if your data is worth the cost.
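The "Trace the attack" and "map out a timeline" steps above rely on clues left in file metadata. The following Python script is an added example and not part of the original article: it takes constructed file-metadata records gathered from several hosts, treats a hypothetical ".locked" suffix as the marker the encrypting ransomware leaves on files, and orders the hosts by when encryption first appeared on each, so the initially infected machine and the order of spread can be identified.

```python
"""Build a breach timeline from file metadata (constructed example)."""
from datetime import datetime

# Constructed sample: file metadata collected from three hosts.
# Each record is (host, path, last-modified time). The ".locked" suffix
# is a hypothetical marker left on encrypted files; real families differ.
SAMPLE_METADATA = [
    ("ws-07", r"C:\Users\ann\Documents\budget.xlsx.locked", "2019-03-04T09:12:40"),
    ("ws-07", r"C:\Users\ann\Downloads\invoice.pdf.exe", "2019-03-04T09:10:05"),
    ("ws-07", r"C:\Users\ann\Documents\notes.txt.locked", "2019-03-04T09:12:41"),
    ("fs-01", r"\\fs-01\shared\contracts\q1.docx.locked", "2019-03-04T09:18:02"),
    ("fs-01", r"\\fs-01\shared\contracts\q2.docx", "2019-03-04T08:55:00"),
    ("ws-12", r"C:\Users\bob\Desktop\todo.txt.locked", "2019-03-04T09:25:30"),
]
ENCRYPTED_SUFFIX = ".locked"  # hypothetical marker used by this example


def parse_records(records):
    """Convert raw (host, path, iso-time) tuples into datetime-bearing triples."""
    return [(host, path, datetime.fromisoformat(t)) for host, path, t in records]


def first_encryption_per_host(records, suffix=ENCRYPTED_SUFFIX):
    """Return {host: earliest modification time of an encrypted file on it}."""
    earliest = {}
    for host, path, mtime in parse_records(records):
        if not path.endswith(suffix):
            continue  # untouched files and the dropper itself are ignored here
        if host not in earliest or mtime < earliest[host]:
            earliest[host] = mtime
    return earliest


def spread_timeline(records, suffix=ENCRYPTED_SUFFIX):
    """Hosts ordered by when encryption first appeared on them."""
    per_host = first_encryption_per_host(records, suffix)
    return sorted(per_host.items(), key=lambda item: item[1])


def patient_zero(records, suffix=ENCRYPTED_SUFFIX):
    """The host where encryption started: the first entry of the timeline."""
    timeline = spread_timeline(records, suffix)
    return timeline[0][0] if timeline else None


if __name__ == "__main__":
    for host, when in spread_timeline(SAMPLE_METADATA):
        print(f"{when.isoformat()}  encryption first seen on {host}")
    print("likely initial host:", patient_zero(SAMPLE_METADATA))
```

Modification times can be altered by the malware or skewed by wrong clocks, so corroborate the resulting order with mail-gateway and network logs before treating a host as the source.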