When emergency strikes and there is no admin in sight


Many IT emergencies would have far fewer consequences if everybody knew what to do and who to contact. Especially when dealing with security issues, every second counts.

Mr. Jones works in the accounting department of a medium-sized mechanical engineering company with 96 employees. On Friday afternoon, he just wants to get a few things done before taking off into his well-deserved weekend. But then his computer throws a spanner in the works: just as he is about to leave, an e-mail comes in - but that's supposed to be the last one for today.

"Great," he thinks - "another one who wants to submit his invoices just before the deadline". Annoyed, he opens the mail attachment and just wants to click on "Print" when the computer suddenly comes to a standstill. "Oh, great...just what I needed.", he mutters under his breath and thinks "Oh well. Let the machine open the attachment properly - in the meantime I can finish up this spreadsheet." From the corner of his eye he suddenly sees that some files in the Explorer window have changed. Then the text appears: "Your files have been encrypted".

Mr. Jones has often heard of encryption Trojans - but is not sure how he should react. So he's looking for a contact person in the IT department - but the corridors are deserted. A look into some of the offices confirms his fear. He meets a colleague walking down the hallway with a cup of coffee in his hand. "Who are you looking for?" he asks. "I'm looking for someone from IT, I think my computer has a virus!" The colleague scratches his head and says, "Phew, good luck with that.. Gary is just out, and the others - no idea. You'd have to look upstairs, maybe one of them is still around there somewhere."

Correct action in the event of a crisis can limit damage

So Mr. Jones is on his own. He draws a blank with the telephone system, too: all the IT people in there have already logged off. The right action in the event of a crisis could minimize the damage in many cases - especially with encryption Trojans.

Many of these malicious programs propagate by themselves once they have infected a company network. Programs like NotPetya could paralyze entire global companies like the shipping company Moller-Maersk by searching for and encrypting network drives. The virus could eat its way through from department to department. It could therefore help to quickly disconnect infected computers from the network.

Raising awareness for IT emergencies

But for this, employees must firstly be trained in the basics of IT security. Moreover, they need to know who they can contact and when. Because those who have a basic understanding of IT security will not constantly trigger false alarms. But even if that happens: It is still better to deal with a false alarm than a completely unusable company network.

That's why, especially in a corporate context, it's important to reduce inhibitions for employees to report any strange behavior of their computers. Anyone who has to fear suffering consequences for reporting an incident will try to conceal the problem in case of doubt to the detriment of the company - and in doing so, will leave the criminals room to carry out their attack.

Sounding the alarm, made easy

In many office buildings there are signs on every floor with emergency instructions. Unfortunately, these are usually limited to fire protection or cases of illness and injury. It would make sense to make information available at central points on how to proceed in an IT emergency. To make it very clear: things like the empty toner, the expired password or the funny error message that has been coming up for days when starting the CRM tool and that you have been clicking away do not qualify as emergencies.

If the areas in question are frequented by the public, then this information should of course be displayed in such a way that no visitor can see it - after all, an internally used number does not concern anyone outside the company.

It can also be helpful to provide guidance for immediate actions that a user can implement himself before the emergency team arrives. These can vary according to requirements and may include things like disconnecting the network connection on a suspicious machine or disconnecting power.

Tips for businesses:

    Provide clear instructions on what to do in the event of an IT emergency
    Create handouts for employees to help them assess the severity of an incident, at least roughly
    Employees should be encouraged to talk about IT issues, so any attacks or mishaps are noticed and dealt with more quickly.


from Tim Berghoff
Security Evangelist