As Copeland Borough Council continues to recover from a ransomware outbreak, its experience serves as a firm reminder that every organisation should invest in a good incident response (IR) plan to avoid this length of downtime.

A well-prepared IR plan is the first step in being able to effectively handle incidents of this scale. The IR plan should be complemented by an emergency communication plan and a clear understanding with management and key stakeholders about roles and responsibilities.

With the help of security tools, normal activity for networks, hosts, systems and applications should be baselined.

System backups should be regularly tested for consistency and integrity, which helps with the containment and eradication phases of IR. 

If systems need to be restored to their last known good/working state, the last thing anyone wants to hear is that a backup is either many weeks or months old, or worse, is simply corrupt and unusable!

Once the root cause has been determined and artefacts removed, services should then be brought back online carefully and monitored for possible further remnants.

Lastly, lessons should be learned from the outbreak. These are needed not only to discuss the incident but also to address weak spots in the organisation's defences, whether technical or human, be that through new security solutions or hiring more people.

In short, this problem is not going away, and even if it isn't feasible for a company to invest in an IR team of its own, there are plenty of companies out there that specialise in IR that are worth considering to reduce the impact of such outbreaks.

For those who are more fortunate, investment in staffing, ongoing training, and testing of disaster recovery and IR procedures is paramount.

Unfortunately, in this instance, the UK government need to prioritise cyber defences for public services, as vulnerable public services are likely to be used as a foothold later when the eventual critical infrastructure and ICS network attacks commence in force.