Incident Response
12/9/2025

Preparing for the Inevitable: Advice for CISOs and Business Leaders

Andrius Liepinaitis
Senior Manager, Incident Response

Ransomware is no longer an edge-case scenario. For many organisations, it is the most likely crisis their leadership team will face. Systems go offline without warning. Operational decisions must be made under extreme pressure, and the difference between a contained incident and a full-scale disaster often comes down to preparation.

In his discussion with Valery Rieß-Marchive of LeMagIT, Andrius Liepinaitis, Senior Incident Response Manager at Kudelski Security, offered clear, practical guidance for CISOs and business leaders who want to strengthen their resilience before an attack happens. His perspective comes from handling hundreds of real cases: the repeat patterns that cause incidents, the gaps that slow recovery, and the leadership behaviours that determine outcomes.

This blog captures the most important lessons from that conversation.

The Most Common Weakness in Modern Breaches: Identity

When ransomware operators break in, they almost always start the same way: with legitimate credentials. Attackers increasingly rely on password spraying, MFA fatigue attacks, and exposed remote access points rather than malware exploits.

“Most intrusions start with valid accounts,” Andrius said during the session. “Attackers come in through VPNs or remote gateways, and no alerts fire because the login looks normal.”

This trend is widely reflected in recent reporting. In 2024, Microsoft’s Digital Defense Report highlighted that over 80 percent of breaches they tracked began with compromised identities, not software flaws. Identity has become the new perimeter, and for many organisations, it’s too easy to bypass.

What CISOs should prioritise:
  • Enforce multi-factor authentication on every external entry point
  • Audit and remove legacy accounts and unused administrator credentials
  • Review identity provider integrations frequently
  • Harden Active Directory hygiene (lateral movement often hinges on misconfigurations)

Identity compromises are preventable, but only if leadership treats access management as a strategic priority, not a technical checkbox.
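The two patterns named above, password spraying and MFA fatigue, are exactly the logins that "look normal" one event at a time and only stand out when you correlate across accounts or across prompts. The script below is an added example (not code from the original post, Kudelski Security, or LeMagIT) showing how a defender can run that correlation over VPN or identity-provider authentication events. The event format, the field names, the thresholds, and the sample rows are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuthEvent:
    ts: datetime
    src_ip: str
    user: str
    event: str  # FAIL, SUCCESS, MFA_PUSH, MFA_APPROVE or MFA_DENY (assumed vocabulary)


def parse_events(rows):
    """rows: iterable of (iso_timestamp, src_ip, user, event) tuples (constructed format)."""
    return [AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, ev)
            for ts, ip, user, ev in rows]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources whose failed logins touched >= min_accounts distinct users
    inside any sliding window. Returns {src_ip: sorted list of targeted users}."""
    by_ip = defaultdict(list)
    for e in events:
        if e.event == "FAIL":
            by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e.ts)
        hit, start = set(), 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1  # slide the window forward
            users = {e.user for e in fails[start:end + 1]}
            if len(users) >= min_accounts:
                hit |= users
        if hit:
            flagged[ip] = sorted(hit)
    return flagged


def detect_mfa_fatigue(events, window=timedelta(minutes=5), min_pushes=5):
    """Flag users who received >= min_pushes MFA prompts inside one window.
    Returns {user: highest prompt count seen in any window}."""
    by_user = defaultdict(list)
    for e in events:
        if e.event == "MFA_PUSH":
            by_user[e.user].append(e.ts)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_pushes:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def successes_from_flagged_sources(events, flagged_ips):
    """The login the post warns about: valid credential, no failure of its own,
    but it arrives from a source that was already seen spraying."""
    return sorted({(e.user, e.src_ip) for e in events
                   if e.event == "SUCCESS" and e.src_ip in flagged_ips})


# Constructed sample events: one spraying source that eventually gets a password
# right and then hammers the user with MFA prompts, plus one ordinary login.
SAMPLE_EVENTS = [
    ("2025-12-09T01:00:01Z", "203.0.113.7", "alice", "FAIL"),
    ("2025-12-09T01:00:04Z", "203.0.113.7", "bob", "FAIL"),
    ("2025-12-09T01:00:07Z", "203.0.113.7", "carol", "FAIL"),
    ("2025-12-09T01:00:10Z", "203.0.113.7", "dave", "FAIL"),
    ("2025-12-09T01:00:13Z", "203.0.113.7", "erin", "FAIL"),
    ("2025-12-09T01:00:16Z", "203.0.113.7", "frank", "FAIL"),
    ("2025-12-09T01:02:30Z", "203.0.113.7", "frank", "SUCCESS"),
    ("2025-12-09T01:03:00Z", "203.0.113.7", "frank", "MFA_PUSH"),
    ("2025-12-09T01:03:40Z", "203.0.113.7", "frank", "MFA_PUSH"),
    ("2025-12-09T01:04:20Z", "203.0.113.7", "frank", "MFA_PUSH"),
    ("2025-12-09T01:05:00Z", "203.0.113.7", "frank", "MFA_PUSH"),
    ("2025-12-09T01:05:40Z", "203.0.113.7", "frank", "MFA_PUSH"),
    ("2025-12-09T01:06:20Z", "203.0.113.7", "frank", "MFA_APPROVE"),
    ("2025-12-09T08:15:00Z", "198.51.100.2", "alice", "FAIL"),
    ("2025-12-09T08:15:20Z", "198.51.100.2", "alice", "SUCCESS"),
    ("2025-12-09T08:15:25Z", "198.51.100.2", "alice", "MFA_PUSH"),
    ("2025-12-09T08:15:40Z", "198.51.100.2", "alice", "MFA_APPROVE"),
]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    spray = detect_password_spray(evs)
    print("spraying sources:", spray)
    print("MFA fatigue:", detect_mfa_fatigue(evs))
    print("successful logins from spraying sources:", successes_from_flagged_sources(evs, spray))
```

The last function is the one worth wiring into an alert: on its own the successful login is indistinguishable from a normal remote-access session, which is the point Andrius makes about VPN and gateway logins. Thresholds need tuning per environment; the values here are illustrative.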

The Silent Failure: Incomplete or Unverified Logging

One of the first things Andrius’s team checks during an incident is whether logging is available. The answer is often disappointing.

“It is impossible to reconstruct what happened if logs are missing or scattered,” he said. “Sometimes we discover that VPN logs are kept for only 24 hours, or the organisation thought logging was enabled but it never actually collected anything.”

The challenge is not just storage. It is knowing which systems matter and whether logs are being forwarded centrally. Without that visibility, organisations lose hours or days trying to understand how the attack unfolded.

This aligns with the 2024 UK National Cyber Security Centre (NCSC) “Logging Made Easy” update, which states that incomplete logging is one of the biggest barriers to rapid incident response and containment.

CISOs should ensure:
  • Centralised logging for identity, VPN, endpoint, and critical infrastructure
  • Retention periods long enough to analyse attacks that unfold over weeks
  • Regular validation that log forwarding is functioning correctly
  • Clear ownership for log maintenance (IT? security? both?)

The quality of logs directly affects the quality of response.
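The failures described in this section are silent: a source that was never onboarded, a forwarder that stopped, or a retention period far shorter than the attack's dwell time. The check below is an added example (not from the original post or from Kudelski Security) of the kind of scheduled validation the third bullet calls for: it takes a per-source ingestion summary and reports every gap a responder would discover too late. The source list, the `LogSource` fields, the required-retention figures, and the timestamps are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LogSource:
    name: str
    last_event: Optional[datetime]   # None: the central store has never received an event
    max_silence: timedelta           # longest gap between events that is normal for this source
    retention_days: int              # retention configured where the logs land
    required_retention_days: int     # retention IR needs to reconstruct a multi-week intrusion


# Sources that must reach the central store before an incident (assumed list).
REQUIRED_SOURCES = {
    "identity-provider", "vpn-gateway", "domain-controllers", "edr", "perimeter-firewall",
}


def check_log_sources(sources, now, required=REQUIRED_SOURCES):
    """Return sorted (source, finding) pairs. Findings:
    NEVER_COLLECTED  - source is configured but nothing has ever arrived
    SILENT           - source went quiet for longer than its normal gap
    RETENTION_TOO_SHORT - configured retention is below what IR needs
    NOT_ONBOARDED    - a required source is absent from the inventory entirely"""
    findings, seen = [], set()
    for s in sources:
        seen.add(s.name)
        if s.last_event is None:
            findings.append((s.name, "NEVER_COLLECTED"))
        elif now - s.last_event > s.max_silence:
            findings.append((s.name, "SILENT"))
        if s.retention_days < s.required_retention_days:
            findings.append((s.name, "RETENTION_TOO_SHORT"))
    for name in sorted(required - seen):
        findings.append((name, "NOT_ONBOARDED"))
    return sorted(findings)


def sample_sources():
    """Constructed inventory mirroring the failures quoted in the post:
    a VPN keeping logs for a day, and a source that was 'enabled' but never collected."""
    def t(hour, minute):
        return datetime(2025, 12, 9, hour, minute)
    return [
        LogSource("vpn-gateway", t(8, 55), timedelta(minutes=30), 1, 90),
        LogSource("domain-controllers", None, timedelta(minutes=15), 90, 90),
        LogSource("edr", t(8, 58), timedelta(hours=1), 180, 90),
        LogSource("perimeter-firewall", t(5, 10), timedelta(minutes=15), 30, 90),
    ]


NOW = datetime(2025, 12, 9, 9, 0)  # constructed "current time" for the check

if __name__ == "__main__":
    for name, finding in check_log_sources(sample_sources(), NOW):
        print(f"{name:22s} {finding}")
```

Run on a schedule, the `NEVER_COLLECTED` and `SILENT` results answer the "is log forwarding actually working" question, while `RETENTION_TOO_SHORT` and `NOT_ONBOARDED` are the planning gaps to fix before an incident, not during one.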

Backups: A Strategy, Not a Storage Location

In the webinar, Andrius stressed that having backups is not enough. Many organisations believe they are protected because backups exist somewhere, until they discover during an incident that the backups were online, untested, or already corrupted.

“Attackers go after hypervisors and backup servers almost every time,” he said. “They know that if they destroy backups, they gain leverage.”

Recent incident reporting shows that modern ransomware groups increasingly target backup infrastructure directly, deleting snapshots or encrypting backup volumes to remove easy recovery options and increase pressure on victims. It is a trend that aligns closely with what responders see in real cases.

What matters is not the presence of backups, but their separation, immutability, and recoverability.

CISOs should focus on:
  • Maintaining at least one offline or cloud-isolated backup tier
  • Using immutable storage where feasible
  • Testing restores quarterly, not annually
  • Separating backup infrastructure from identity and domain systems

Small and mid-sized businesses are especially at risk. For many, a backup failure is not a setback; it is a company-ending event.
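"Untested or already corrupted" is only discoverable by restoring and checking, which is why the list above asks for quarterly restore tests. The example below is added here and is not code from the original post or from Kudelski Security: it records a hash manifest when a backup is taken, then verifies a restored tree against it and reports what came back intact, what came back silently altered, and what never came back at all. The directory layout, the file contents, and the simulated restore faults are constructed for the example.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record {relative_path: sha256} for every file under root at backup time.
    Store this manifest with the backup, on the immutable or offline tier."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    result = {"verified": [], "corrupted": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.isfile(path):
            result["missing"].append(rel)
        elif sha256_file(path) != expected:
            result["corrupted"].append(rel)
        else:
            result["verified"].append(rel)
    return result


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed restore test: one file intact, one silently truncated,
    one missing from the restore. Returns the verify_restore() report."""
    files = {
        "docs/readme.txt": b"runbook v3\n",
        "db/accounts.sql": b"CREATE TABLE accounts (id INT);\n",
        "config/app.yaml": b"mode: production\n",
    }
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for rel, data in files.items():
            _write(src, rel, data)
        manifest = build_manifest(src)  # taken when the backup is made
        # Simulate a restore that went wrong in two places.
        _write(dst, "docs/readme.txt", files["docs/readme.txt"])
        _write(dst, "db/accounts.sql", b"CREATE TABLE accounts (id INT);\n-- truncated")
        # config/app.yaml is never written to the restore location
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    report = demo()
    for status, paths in report.items():
        print(f"{status}: {paths}")
```

A restore test that only checks "the job completed" would have passed this backup; the manifest comparison is what turns a quarterly exercise into evidence that recovery actually works. Because an attacker who reaches the backup server can also rewrite a manifest stored beside it, keep the manifest on the same isolated or immutable tier the list above recommends.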

Preparation is Leadership

When a ransomware attack hits, the organisation looks to leadership. In the webinar, Andrius emphasised that the most successful recoveries share one trait: calm, decisive leadership from the start.

“The worst thing that can happen in the first hours is blame,” he said. “The best thing is a leader who keeps everyone focused and lets the responders do their work.”

A prepared CISO does not just invest in tools; they shape culture, accountability, and decision-making during a crisis.

Leadership actions that matter most:
  • Designate an incident commander before an incident ever happens
  • Ensure communication channels are known and rehearsed
  • Establish a clear escalation path for technical, legal, and business decisions
  • Keep business leaders informed and aligned without micromanaging technical work
  • Avoid knee-jerk decisions such as shutting everything off or engaging threat actors prematurely

The organisation will mirror the behaviour of its leaders. Calm leaders produce calm teams. Panicked leaders create chaos.

Build Relationships Before You Need Them

One of the strongest messages in the webinar was that you cannot “build” incident response capabilities in the middle of an incident. You need trusted partners, established retainers, and tested playbooks long before anything goes wrong.

“You do not want to be searching for help at 2 a.m. when everything is encrypted,” Andrius said.

Recent government guidance from the Cybersecurity and Infrastructure Security Agency (2024) stresses the same point: organisations with pre-established incident response relationships recover significantly faster than those scrambling to find expertise during a crisis.

CISOs should have ready:
  • An incident response retainer with a reputable provider
  • Pre-approved legal counsel for cyber incidents
  • Clear authority for authorising decisions such as network isolation, disclosure, or negotiation
  • Out-of-band communication channels

Incident response is not only technical; it is logistical, legal, behavioural, and strategic.

The Best Time to Prepare is Always Now

Every attacker wants the same thing: speed, leverage, and surprise. Preparation takes those advantages away.

What Andrius made clear throughout the webinar is that incident response is not an act of heroism; it is an act of preparation. Teams that rehearse recover faster. Leaders who understand their responsibilities make smarter decisions. Organisations that harden identity and protect backups limit the damage.

Preparation is not a luxury. It is the only real advantage defenders have.

Strengthen Your Readiness Before the Next Incident

If you want to improve your organisation’s ability to detect, respond, and recover from ransomware or other cyber incidents, the best time to prepare is before the crisis.

Learn how Kudelski Security’s Incident Response and Digital Forensics team helps organisations build resilience and respond with confidence:
https://kudelskisecurity.com/services/ir-and-digital-forensics
