No matter how mature your security stack is, one slip can open the door to chaos.
On Reddit, IT managers from across industries shared their firsthand experiences of dealing with malware attacks, from the importance of comprehensive processes for restoring backups to refining their multifactor authentication (MFA) policies. Each story revealed key vulnerabilities and the practical lessons learned the hard way.
For IT and UC leaders navigating today's ever-evolving threat landscape, these insights offer a blueprint for refining defences, updating policies, and preparing teams for the next inevitable breach. When it comes to an issue as vital as cybersecurity, hindsight can be genuinely actionable intelligence.
Have a Comprehensive (and Organisation-Specific) Plan For Cross-Functional Incident Response
"Have a plan. Work with an incident response or security firm to create a written, adopted, formal response plan with playbooks that outline what you'll do in the event of…an event. If you have legal or risk management departments in your organization, get them involved. Conduct tabletop exercises."
"The importance of cross-functional teams (silos suck), communications, and actually having an incident management plan ('what plan?')…"
This advice cuts to the core of effective cyber preparedness: don't wait for a crisis to figure out your response. Too many organisations still treat incident response as an IT-only problem when, in reality, it demands coordination across legal, risk, communications, and leadership teams.
A formal, written plan with clearly defined playbooks is essential for rapid, unified action. Tabletop exercises help surface gaps, build muscle memory, and break down silos before real pressure hits. For IT leaders, the message is plain: a well-rehearsed, cross-functional plan isn't a luxury; it's your first line of defence when minutes matter most.
Have Pre-Planned, Thorough Processes for Restoring Backups
"Have backups and know how to use them. We've only had one successful malware attack on the company that I work at in the 15 years I've been there. That was in 2013 when CryptoLocker came out. A couple of salespeople got infected and by extension encrypted the sales file share. We quarantined their machines. Then, we restored from before the infection that night. We had hourly snap backups happening. It happened on a Friday, no lasting impact."
This story highlights an enduring cybersecurity truth: backups are only as good as your ability to restore from them, quickly and confidently. The organisation's hourly snapshots and practised recovery process turned what could have been a devastating CryptoLocker attack into a minor disruption.
For IT leaders, the key takeaway is to have backups, regularly test restore procedures, and ensure critical systems are covered with minimal recovery point objectives. Rapid, reliable rollback capability can mean the difference between a routine fix and a disastrous crisis in the ransomware era.
Refine, Refine, Refine Your MFA Policies
"Just making users click 'ok' on an MFA app isn't good enough; it's too easy for bad actors to trick users by just logging into their account around the same time the user starts their day… The user gets a second MFA prompt during their morning routine and assumes something went wrong with the first one and just clicks 'OK' without a second thought… you gotta configure it to show a map of where the log-in attempt came from and require the user to enter a number from their screen into the Authenticator app."
This insight exposes a common weakness in basic MFA implementations: user complacency and prompt fatigue. When MFA relies exclusively on approval taps, attackers who already hold a password can take advantage of predictable routines to manipulate users into authorising malicious logins.
IT leaders should move beyond default MFA settings and adopt more robust methods, like number matching and location-based prompts, that force users to think critically before granting access. Enhancing contextual awareness in MFA interactions can dramatically reduce the risk of social engineering attacks. It's not just about having MFA in place but about configuring it shrewdly to close the human gap.
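As an added illustration (not code from the post or from this article), the Python simulation below contrasts a bare approve-tap push flow with number matching for the concurrent-login scenario described above; the usernames, IP addresses and challenge numbers are constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class LoginAttempt:
    attempt_id: str
    username: str
    source_ip: str   # shown on the phone prompt (the "map" in the post) before the user responds
    challenge: str   # two-digit number shown only on the login screen that started this attempt
    approved: bool = False

class MfaServer:
    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self.attempts: Dict[str, LoginAttempt] = {}

    def start_login(self, username: str, source_ip: str, challenge: Optional[str] = None) -> LoginAttempt:
        """Register a sign-in and push a prompt; challenge is fixed here only for a repeatable demo."""
        attempt = LoginAttempt(secrets.token_hex(8), username, source_ip,
                               challenge or f"{secrets.randbelow(100):02d}")
        self.attempts[attempt.attempt_id] = attempt
        return attempt

    def respond(self, attempt_id: str, number_entered: Optional[str]) -> bool:
        """Handle the user's reply to the prompt for attempt_id; True if the attempt is now approved."""
        attempt = self.attempts[attempt_id]
        if self.number_matching:
            # A bare tap proves nothing. The reply must equal the number on the screen that created
            # *this* attempt, which only the person sitting at that screen can see.
            if number_entered is None or not hmac.compare_digest(number_entered, attempt.challenge):
                return False
        attempt.approved = True
        return True

def simulate_morning_login(number_matching: bool) -> Tuple[bool, bool]:
    """Constructed replay of the post's scenario: an attacker holding the password signs in at the
    same moment the user does, so the first prompt on the user's phone is the attacker's; the user
    assumes the earlier prompt glitched and answers it. Returns (attacker_approved, user_approved)."""
    server = MfaServer(number_matching)
    user_attempt = server.start_login("alice", "203.0.113.10", challenge="42")      # user's desk (constructed)
    attacker_attempt = server.start_login("alice", "198.51.100.77", challenge="17")  # attacker host (constructed)
    # Plain push: the user just taps approve. Number matching: the user types the number from the
    # screen in front of them, i.e. the challenge of their own legitimate attempt.
    reply = user_attempt.challenge if number_matching else None
    server.respond(attacker_attempt.attempt_id, reply)
    return attacker_attempt.approved, user_attempt.approved
```

With plain push the attacker's attempt is approved; with number matching the mismatched number rejects it, and the user's own attempt simply waits for its own prompt.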
Consider Segmenting Networks to Prevent Data Loss and Limit Attackers' Lateral Movement
"Just remember, it's not only not having access to your files but having all your data exfiltrated and someone else having it. Firewalls and subnets between servers and clients and between individual servers."
This is a salient reminder that ransomware isn't just about lost access: it's about lost control. When data is exfiltrated, the threat extends well beyond downtime to regulatory, reputational, and financial fallout. That's why containment matters just as much as recovery.
Implementing segmentation, using firewalls and subnets between clients, servers, and even individual critical systems, limits how far attackers can move laterally once inside. This is a pointer for IT leaders to rethink network architecture with breach containment in mind. The goal isn't just keeping attackers out: it's making sure they can't go far if they get in.
Don't Panic. Take Your Time, Identify With Precision, Execute Your Plan, and Trust Your Team
"Don't rush restore, and understand what is actually happening. Too many people are running around with heads cut off, creating more stress than is needed. Big wig calling shots with zero technical knowledge…"
"And then restoring backups that are also infected…but they have no proper way or method to vet backups to be sure they are clean before being restored…"
This lesson emphasises the importance of a calm, coordinated response and a transparent chain of command during a cyber incident. Restoring infected backups can compound the damage, turning a bad situation into a full-blown crisis. IT leaders must ensure a validated, repeatable process for verifying backup integrity before restoration, especially during high-pressure scenarios.
Just as critical is limiting decision-making to those with the technical context to assess risks accurately. Panic and top-down interference without expertise can completely derail recovery efforts. Plan, practice, and trust your technical team to lead when it matters most.
Do you have any cybersecurity best practices or recommendations to share? Get involved with the discussion on Reddit!