Tens of thousands of companies, organizations and cities are being savagely taken offline by ransomware. Some targeted entities handle it relatively fine and are down a day or three. Others are down for weeks, and sometimes they are hit again. The difference between a quick recovery and a chronic problem often depends on who you call for help.

I talked to one of the best in the game recently. John F. Mullen, partner with Mullen Coughlin, LLC, has been involved with thousands of cybersecurity incident responses in his career. His firm was involved in 1200 just last year.

You probably never heard of Mullen Coughlin. I didn't before I spoke with a city CISO friend of mine. When he called the phone number his cyber insurance company gave him to pre-establish a relationship for security responses, he ended up speaking with John.

If you have a cybersecurity incident and have purchased cyber insurance, your insurance company doesn't have the professional folks to handle your technical cybersecurity incident response, no more than the insurance company would patch the fiberglass of a boat after a hurricane claim. Insurance companies do insurance and underwriting. When a claim is made and the damage has to be fixed, they sub it out.

Why use a specialized incident response firm

John sees three reasons why an organization should use a firm like Mullen Coughlin after an attack. First, they have experience. Entities calling Mullen are often already working the incident response but using local IT firms they know. That's OK, but those local firms usually don't have experience equivalent to that of the forensic teams available to Mullen Coughlin. As John put it, "It's all we do." Plus, sometimes the reason the customer was compromised was something the local IT service did, like a missed patch or a bad configuration setting.

Second, John's team are all lawyers. Anything they discuss and do on behalf of the customer is privileged. That's legalese for "anything we discuss will likely not be shared with anyone else." Everybody John hires comes under the privileged communication umbrella. Local IT firms can't give you that.

Third, and most important, firms like John's and the insurance carriers have already vetted all the necessary forensic, PR and mass mailing/ID protection service providers needed to cover a customer's situation.

Call ahead and do annual security reviews

John recommends that if you have the opportunity, you call the incident response firm your cyber insurance works with before an attack occurs. He said that maybe 1% of his customers call ahead of time to meet his team and find out how the process is going to work. He welcomes these customer calls because they allow him to establish trust and share how the process will work. This saves precious minutes when that emergency call happens. So, call ahead of time.

John also recommends that every organization purchase cyber insurance and have an outside security review performed at least annually. He also suggests using an IT firm to conduct the review that is not the same as the one currently providing regular services. Make sure to change which outside firm you use every year. Different firms find different things, he says, and you want a unique, independent perspective each time you do it.

How ransomware is changing

John says ransomware attacks have changed over the years. Just a couple of years ago, ransomware typically activated as soon as it entered an organization and encrypted the desktop it was on. Now the attacker is far more likely to be inside an organization for multiple days or weeks, figuring out how to maximize their access to the penetrated system. He says you can't automatically trust your offline backups, because the ransomware guys are working to block even that avenue of safety.

I asked if social engineering was involved in the majority of ransomware cases. John says that social engineering was likely involved in half or more of the cases, especially if you include third-party service providers that are compromised to reach the ultimate victim. Misconfiguration and unpatched software also frequently played a role.

Some research claims that paying a ransom demand does not result in getting a working decryption key up to 40% of the time. John says his experience is different. "Ninety-five percent of the time, when the customer pays the ransom it results in less recovery work and downtime than if they didn't pay it."

If you ever need to call a firm like John's, he offers one piece of advice to make things go smoother: "Make sure the people calling my firm have the necessary authority to make decisions. You can't imagine how many times we come up with a plan of action only to have to wait again while the right decision makers are contacted, and I have to say everything again to get a decision." Making sure the person calling has the necessary authority can only make everything happen faster.