No matter how mature your security stack is, one slip can open the door to chaos.
On Reddit, IT managers from across industries shared their firsthand experiences of dealing with malware attacks, from the importance of tested, well-documented backup restore processes to tightening multifactor authentication (MFA) so that a careless tap cannot approve an attacker's login. Each story exposed a specific weakness and the practical lesson that was learned the hard way.
For IT and UC leaders navigating today's threat landscape, these insights offer a blueprint for refining defences, updating policies, and preparing teams for the next breach, which should be treated as inevitable rather than hypothetical. When it comes to an issue as vital as cybersecurity, other people's hindsight is genuinely actionable intelligence.
Have a Comprehensive (and Organisation-Specific) Plan For Cross-Functional Incident Response
"Have a plan. Work with an incident response or security firm to create a written, adopted, formal response plan with playbooks that outline what you'll do in the event of…an event. If you have legal or risk management departments in your organization, get them involved. Conduct tabletop exercises."
"The importance of cross-functional teams (silos suck), communications, and actually having an incident management plan ("what plan?")…"
This advice cuts to the core of effective cyber preparedness: don't wait for a crisis to work out your response. Too many organisations still treat incident response as an IT-only problem when, in reality, it demands coordination across legal, risk, communications, and leadership teams, each of which has decisions to make (notification obligations, insurer contact, customer messaging) that IT cannot make for them.
A formal, written plan with clearly defined playbooks is essential for rapid, unified action; a plan that exists only in people's heads is the "what plan?" of the second comment. Tabletop exercises surface the gaps (who has authority to take a system offline, who talks to the press, where the contact list lives when email is down), build muscle memory, and break down silos before real pressure hits. For IT leaders the message is plain: a well-rehearsed, cross-functional plan isn't a luxury; it is your first line of defence when minutes matter most.
Have Pre-Planned, Thorough Processes for Restoring Backups
"Have backups and know how to use them. We've only had one successful malware attack on the company that I work at in the 15 years I've been there. That was in 2013 when CryptoLocker came out. A couple of salespeople got infected and by extension encrypted the sales file share. We quarantined their machines. Then, we restored from before the infection that night. We had hourly snap backups happening. It happened on a Friday, no lasting impact."
This story highlights an eternal cybersecurity truth: backups are only as good as your ability to restore from them, quickly and confidently. The organisation's hourly snapshots and practised recovery process turned what could have been a devastating CryptoLocker attack into a minor disruption: quarantine the infected machines, pick the last snapshot taken before the encryption started, restore it, and lose at most an hour of work.
For IT leaders the takeaways are to keep backups, to test the restore procedure regularly against a real target rather than assuming it works, and to give critical systems a short recovery point objective (RPO) so that a rollback loses hours rather than days. One caveat the story leaves implicit: a backup that the same credentials or malware which hit the file share can also delete or encrypt is not a backup. Keep at least one copy immutable or offline, and make sure you can identify which snapshot is the last clean one. Rapid, reliable rollback is what separates a routine fix from a disaster in the ransomware era.
Refine, Refine, Refine Your MFA Policies
"Just making users click "ok" on an MFA app isn't good enough, it's too easy for bad actors to trick users by just logging into their account around the same time the user starts their day… The user gets a second MFA prompt during their morning routine and assumes something went wrong with the first one and just clicks "OK" without a second thought… you gotta configure it to show a map of where the log-in attempt came from and require the user to enter a number from their screen into the Authenticator app."
This insight exposes a common weakness in basic MFA implementations: MFA fatigue, also called push bombing. When the second factor is nothing more than an "Approve" tap, the prompt carries no information that lets the user tell their own sign-in from someone else's, so an attacker who already has the password only needs to time the login to coincide with the user's routine (or simply keep prompting until the user taps to make it stop).
IT leaders should move beyond default MFA settings and adopt methods that tie the approval to the specific sign-in: number matching, where the login screen displays a number that the user must type into the authenticator app, and context in the prompt (the location, IP address and application of the attempt). Number matching defeats the scenario above because the number is shown only on the screen that started the login, which is the attacker's screen, not the user's; a prompt from an unfamiliar location is the user's cue to deny. It's not just about having MFA in place but about configuring it so that a reflexive tap cannot approve someone else's session.
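The following is an added example, not code from the original post or from any vendor's authenticator: an in-memory model of the two prompt styles above, replayed against the "second prompt during the morning routine" scenario. The class and function names, the two-digit number space and the geolocation table are assumptions made for the simulation.

```python
import secrets
import time

# Added example: constructed model of push-approve MFA versus number matching.
# Not code from the original post or any vendor; names and the 2-digit
# number space are this example's own assumptions.


class PushApproveMFA:
    """Baseline: the app shows 'Approve sign-in?' with no context; any tap approves."""

    def __init__(self):
        self.pending = {}

    def start_login(self, user, source_ip):
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = (user, source_ip)
        return challenge_id

    def user_taps(self, challenge_id, approve):
        # Nothing in the prompt lets the user tell their own sign-in from
        # someone else's, so the outcome is simply "did they tap Approve".
        return self.pending.pop(challenge_id, None) is not None and approve


class NumberMatchMFA:
    """Hardened: the login screen shows a number; the app shows where the
    attempt came from and asks the user to type that number."""

    TTL_SECONDS = 60

    def __init__(self, geolocate, draw=lambda: secrets.randbelow(100)):
        self.pending = {}
        self.geolocate = geolocate
        self.draw = draw  # injectable so the simulation below is deterministic

    def start_login(self, user, source_ip):
        challenge_id = secrets.token_hex(8)
        number = self.draw()  # displayed only on the screen that started the login
        self.pending[challenge_id] = (user, source_ip, number, time.monotonic())
        return challenge_id, number

    def prompt_text(self, challenge_id):
        user, source_ip, _, _ = self.pending[challenge_id]
        return (f"{user}: sign-in attempt from {self.geolocate(source_ip)} ({source_ip}). "
                f"Enter the number shown on that screen, or deny.")

    def user_enters(self, challenge_id, number):
        entry = self.pending.pop(challenge_id, None)  # single use: no retries on a challenge
        if entry is None:
            return False
        _, _, expected, created = entry
        if time.monotonic() - created > self.TTL_SECONDS:
            return False
        return number == expected


def simulate_morning_attack():
    """Attacker holds alice's password and signs in at the same time she does.
    Returns the outcome under each prompt style (constructed scenario)."""
    geolocate = lambda ip: {"192.0.2.10": "Head office"}.get(ip, "Unknown location")

    push = PushApproveMFA()
    attacker_push = push.start_login("alice", "203.0.113.7")
    # alice sees a second 'Approve?' prompt, assumes the first glitched, taps Approve
    push_compromised = push.user_taps(attacker_push, approve=True)

    numbers = iter([47, 12])  # fixed draws: alice's screen shows 47, the attacker's shows 12
    nm = NumberMatchMFA(geolocate, draw=lambda: next(numbers))
    alice_cid, alice_number = nm.start_login("alice", "192.0.2.10")
    attacker_cid, _attacker_number = nm.start_login("alice", "203.0.113.7")
    attacker_prompt = nm.prompt_text(attacker_cid)  # what alice's phone shows for the attacker's attempt
    legit_login = nm.user_enters(alice_cid, alice_number)
    # The only number alice can see is her own; typing it into the attacker's
    # prompt fails, and the prompt says 'Unknown location', her cue to deny.
    attacker_login = nm.user_enters(attacker_cid, alice_number)
    replay_accepted = nm.user_enters(alice_cid, alice_number)  # consumed challenge cannot be reused
    return {"push_compromised": push_compromised, "legit_login": legit_login,
            "attacker_login": attacker_login, "replay_accepted": replay_accepted,
            "attacker_prompt": attacker_prompt}


if __name__ == "__main__":
    for key, value in simulate_morning_attack().items():
        print(f"{key}: {value}")
```

The attacker's only way through number matching is to guess the number shown on their own screen into the user's phone, which is why production implementations pair it with a small number of attempts per challenge and a short expiry, both modelled above.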
Consider Segmenting Networks to Prevent Data Loss and Limit Attackers’ Lateral Movement
"Just remember, it's not only not having access to your files but having all your data exfiltrated and someone else having it. Firewalls and subnets between servers and clients and between individual servers."
This is a salient reminder that ransomware isn't just about lost access; it is about lost control. Modern crews copy the data out before they encrypt it, so a clean restore does nothing about the regulatory, reputational, and financial fallout of a leak. That's why containment matters just as much as recovery.
Segmentation, using firewalls and subnets between clients, servers, and individual critical systems, limits how far an attacker can move laterally once inside and how easily they can move data out. In practice that means a default-deny policy between segments with only the flows the business needs (clients to the file server on the SMB port, the application tier to its database) and, just as importantly, no path from server segments out to the internet except through monitored egress. This is a pointer for IT leaders to rethink network architecture with breach containment in mind. The goal isn't just keeping attackers out; it is making sure they can't go far, or take much with them, if they get in.
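As an added example (not from the original post or the Reddit commenters), the segmentation idea expressed as data: a small set of segments and the inter-segment flows that are permitted, an evaluator that answers "would this flow be allowed" so lateral-movement and exfiltration paths can be checked, and a rendering of the same policy as an nftables forward chain. The addresses, segment names and ports are constructed for the example, and the generated ruleset is illustrative rather than something to deploy without review.

```python
import ipaddress

# Added example: a default-deny segmentation policy as data, with an
# evaluator and an nftables rendering. Segments, addresses and ports are
# constructed for illustration; not the original post's configuration.

SEGMENTS = {
    "clients":  ipaddress.ip_network("10.10.0.0/24"),
    "fileserv": ipaddress.ip_network("10.20.0.0/24"),
    "db":       ipaddress.ip_network("10.30.0.0/24"),
}
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Only these (source segment, destination segment, protocol, port) flows may be
# initiated; everything else between segments is dropped, including server-to-client
# and server-to-internet, which is what blocks the pivot and the exfiltration path.
ALLOWED_FLOWS = [
    ("clients",  "fileserv", "tcp", 445),   # SMB to the sales share
    ("clients",  "internet", "tcp", 443),   # web access from the client VLAN only
    ("fileserv", "db",       "tcp", 1433),  # application tier to its database
]


def segment_of(ip):
    """Name of the segment an address belongs to; 'internet' for non-private
    space; None for private addresses that are not assigned to any segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None if any(addr in net for net in PRIVATE) else "internet"


def flow_allowed(src_ip, dst_ip, proto, port):
    """Would the inter-segment firewall let this new connection through?
    Traffic that never crosses a segment boundary is not modelled here;
    that is the job of host firewalls or private VLANs."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    return (src, dst, proto, port) in ALLOWED_FLOWS


def render_nftables():
    """Same policy as an nftables forward chain: drop by default, let return
    traffic through via conntrack, accept only the listed new connections, log the rest."""
    lines = ["table inet segmentation {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept",
             "    ct state invalid drop"]
    private_set = "{ " + ", ".join(str(n) for n in PRIVATE) + " }"
    for src, dst, proto, port in ALLOWED_FLOWS:
        dst_match = (f"ip daddr != {private_set}" if dst == "internet"
                     else f"ip daddr {SEGMENTS[dst]}")
        lines.append(f"    ip saddr {SEGMENTS[src]} {dst_match} "
                     f"{proto} dport {port} ct state new accept")
    lines += ['    log prefix "seg-drop " drop', "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    checks = [("10.10.0.5", "10.20.0.10", "tcp", 445),   # client -> file share
              ("10.20.0.10", "10.10.0.5", "tcp", 445),   # file server pivoting back to clients
              ("10.20.0.10", "198.51.100.9", "tcp", 443), # file server exfiltrating to the internet
              ("10.10.0.5", "10.30.0.7", "tcp", 1433)]   # client straight to the database
    for flow in checks:
        print(flow, "ALLOW" if flow_allowed(*flow) else "DROP")
    print(render_nftables())
```

The evaluator is worth keeping alongside the rendered rules: it is the cheapest way to answer, during a tabletop exercise or after an alert, "if this host is compromised, where can it reach from here?"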
Don’t Panic. Take Your Time, Identify With Precision, Execute Your Plan, and Trust Your Team
"Don't rush restore and understand what is actually happening. Too many people are running around with heads cut off, creating more stress than is needed. Bigwig calling shots with zero technical knowledge…"
"And then restoring backups that are also infected…but they have no proper way or method to vet backups to be sure they are clean before being restored…"
This lesson emphasises the importance of a calm, coordinated response and a clear chain of command during a cyber incident. Restoring a backup that already contains the malware, or the encrypted files, compounds the damage: the environment is rebuilt and immediately compromised again, and the clean restore point is now one more hour or day further back. IT leaders must ensure a validated, repeatable process for verifying a backup before it is restored: establish from the timeline when the encryption started, check that the snapshot has not been altered since it was taken, scan it for indicators such as mass-renamed files and ransom notes, and prove it clean in an isolated environment before it touches production. That process has to exist before the incident, because nobody designs it well under pressure.
Just as critical is limiting decision-making to those with the technical context to assess risks accurately. Panic and top-down interference without expertise can completely derail recovery efforts. Plan, practise, and trust your technical team to lead when it matters most.
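The two backup lessons above (restore quickly from the last snapshot taken before the infection, and never restore a snapshot you have not vetted) come together in the following added example. It is not code from the original post or from any backup product: it models hourly file-share snapshots, each with a hash manifest recorded at backup time, and the pre-restore checks that walk back from the newest snapshot to the first one that is both intact and free of encryption indicators. The thresholds, the ransom-note markers and the sample file contents are assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Added example: snapshot manifests plus pre-restore vetting. Not from the
# original post or any vendor; thresholds, markers and data are constructed.

ENTROPY_THRESHOLD = 7.0        # bits per byte; documents and text sit well below this
SUSPECT_CHANGE_FRACTION = 0.5  # more than half the share rewritten or removed in one interval
RANSOM_NOTE_MARKERS = ("decrypt", "restore_files", "how_to_recover")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data):
    """Bits per byte; ciphertext and compressed data approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def take_snapshot(label, files):
    """A snapshot is a copy of the files plus a manifest of their hashes taken at backup time."""
    return {"label": label, "data": dict(files),
            "manifest": {path: sha256_hex(content) for path, content in files.items()}}


def manifest_intact(snap):
    """Reject a snapshot whose contents no longer match the manifest (tampered after backup)."""
    if set(snap["data"]) != set(snap["manifest"]):
        return False
    return all(sha256_hex(snap["data"][p]) == h for p, h in snap["manifest"].items())


def encryption_indicators(snap, prior):
    """Reasons not to restore this snapshot; an empty list means it looks clean."""
    reasons = []
    names = set(snap["manifest"])
    for name in sorted(names):
        base = name.rsplit("/", 1)[-1].lower()
        if any(marker in base for marker in RANSOM_NOTE_MARKERS):
            reasons.append(f"ransom-note-like file {name}")
    if prior is not None:
        prior_names = set(prior["manifest"])
        missing = prior_names - names
        if prior_names and len(missing) / len(prior_names) > SUSPECT_CHANGE_FRACTION:
            reasons.append(f"{len(missing)} of {len(prior_names)} files vanished since {prior['label']}")
        changed = [n for n in names if prior["manifest"].get(n) != snap["manifest"][n]]
    else:
        changed = list(names)
    high = [n for n in changed if shannon_entropy(snap["data"][n]) > ENTROPY_THRESHOLD]
    if names and len(high) / len(names) > SUSPECT_CHANGE_FRACTION:
        reasons.append(f"{len(high)} of {len(names)} files are new high-entropy blobs")
    return reasons


def choose_restore_point(snapshots):
    """Walk back from the newest snapshot; return (index, rejections) for the first usable one."""
    rejections = {}
    for i in range(len(snapshots) - 1, -1, -1):
        snap = snapshots[i]
        if not manifest_intact(snap):
            rejections[snap["label"]] = ["manifest does not match snapshot contents"]
            continue
        reasons = encryption_indicators(snap, snapshots[i - 1] if i > 0 else None)
        if reasons:
            rejections[snap["label"]] = reasons
            continue
        return i, rejections
    return None, rejections


def _pseudo_ciphertext(seed, size=4096):
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    out, block = b"", seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


def build_constructed_timeline():
    """Constructed hourly snapshots: two clean hours, then CryptoLocker-style encryption."""
    doc = lambda text: (text * 40).encode()
    h08 = {"sales/q3-forecast.xlsx": doc("Q3 forecast: revenue 1.2M pipeline 3.4M\n"),
           "sales/pricelist.docx": doc("SKU-100 29.99 SKU-200 49.99\n"),
           "sales/territories.csv": doc("north,alice\nsouth,bob\n")}
    h09 = {**h08, "sales/q3-forecast.xlsx": doc("Q3 forecast: revenue 1.3M pipeline 3.5M\n")}
    h10 = {f"{path}.encrypted": _pseudo_ciphertext(path) for path in h09}
    h10["sales/DECRYPT_INSTRUCTIONS.txt"] = doc("Your files are encrypted. Pay to decrypt.\n")
    return [take_snapshot("08:00", h08), take_snapshot("09:00", h09),
            take_snapshot("10:00", h10), take_snapshot("11:00", dict(h10))]


if __name__ == "__main__":
    snaps = build_constructed_timeline()
    idx, rejected = choose_restore_point(snaps)
    print("restore from:", snaps[idx]["label"] if idx is not None else "no clean snapshot")
    for label, why in rejected.items():
        print(f"  rejected {label}: {'; '.join(why)}")
```

Two design points carry over to real tooling. The manifest has to be written at backup time and stored where the attacker's access cannot reach it, otherwise the integrity check proves nothing. And the indicators are deliberately coarse (files vanishing wholesale, a share full of new high-entropy blobs, a note telling you how to pay), because the question at restore time is not "is this file malicious" but "did the encryption already start before this snapshot was taken".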
Do you have any cybersecurity best practices or recommendations to share? Get involved with the discussion on Reddit!
This post originally appeared on Service Management - Enterprise - Channel News - UC Today.