Welcome to Cyber Security Today. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.

What should management and IT leaders do when their organization is hit by ransomware? To help answer that question today, I’m joined by Imran Ahmad, a partner in the Norton Rose Fulbright law firm and Canadian co-head of the firm’s cybersecurity and data privacy practice. I asked him to be on the show because recently he was part of a workshop at a privacy conference on how to respond to a ransomware attack.

Imran Ahmad: I tell this to every single client of ours, ‘You’re not going to be judged by the fact that you had an incident. It happens a lot. It happens more frequently than people would like to admit. You’re going to be judged on the response — and having that really quick, methodical [incident] response on a go-forward basis is really critical.

Howard: When you get called for help, how many organizations aren’t prepared?

Imran: I think there’s always some level of preparation within an organization … They know what to do. They have been to conferences, they’ve read about this or they’ve attended sessions with their colleagues or talked to peers. So they have an idea. What they don’t necessarily have a good grasp on is the sequencing of how to proceed. For example, you know you need to communicate with your staff when systems are down, but what do you put in that communication? When do you push it out? How do you push it out? How frequently do you update your staff members? That’s the detail [missing]. Sometimes that can be a bit more challenging and I’ll pause after this one comment. I often say it’s not science but more of an art dealing with breaches. No matter how similar you hear about ransomware incidents attacking organizations, they’re all very, very unique. So you have to adjust accordingly.

Howard: What are the elements of a good ransomware response plan?

Imran: I’ll take your question a bit more broadly in terms of what is a good cyber incident response, and I’ll answer the question sort of in a reverse way: I’ve been teaching a course at the University of Toronto Faculty of Law for the last eight years. And one of the first exercises I do is ask the students to go online and research what in their view were some of the worst [incident] responses they’ve seen anywhere around the world. And almost to a student group, they all come up with the same ones. So you dig in and you ask ‘Why, why are these standing out as being not very good responses to a cybersecurity incident or ransomware incident?” And three things that come up over and over again.

Number one is, you can be down for a few days. But when you’re down for a month or more something really significant may have happened, which gives people the impression they [the victim organization] weren’t ready for it. Second, they seem to not have a handle on the situation. The communication isn’t clear or they change the story over and over again. New facts are being discovered that weren’t even in the realm of possible before, or they’re correcting previous statements. The third one that comes up is where organizations are being heavily investigated or sued in class actions or Congressional hearings or equivalent litigation is going on. Often just from an optics perspective — not necessarily on the merits — maybe gives the impression that the organization did something wrong because there’s allegations out there. So those three are sort of the hallmarks of poor response. I would argue the opposite would probably be hallmarks of a good response.

(This is a partial transcript of the discussion. To get the full conversation, play the podcast)

A programming note: I’m taking two weeks off to enjoy the summer. I’ll be back Monday, July 22nd.