UMMC Went Dark: Why The “Kill Switch” Is Your Last Resort

The Hardest Decision in IT Security

On Thursday, the University of Mississippi Medical Center (UMMC) did something that makes most business owners sweat. They deliberately severed their IT systems from the internet and closed clinic locations statewide. This wasn't a glitch or a power failure. It was a calculated, manual disconnect in response to a suspected ransomware attack.

For a massive healthcare provider, turning off the lights means canceling appointments, delaying surgeries, and reverting to pen and paper. It is chaotic. Yet, they pulled the plug anyway.

This incident highlights a specific phase of cybersecurity that often gets ignored during quarterly reviews: containment. Most discussions focus on keeping hackers out. But when the perimeter breaks, as it did for UMMC, the priority shifts instantly from prevention to isolation. You have to stop the bleeding, even if it means putting a tourniquet on your own revenue stream.

Lateral Movement is the Real Threat

Ransomware rarely lands on a single computer and stays there. It is designed to move. It hunts for mapped drives, shared folders, and backups. It crawls from the receptionist's laptop to the domain controller, and eventually to your cloud storage.

UMMC disconnected their systems to stop this lateral movement. Think of it like watertight doors on a submarine. If the hull breaches in one compartment, you seal it off. You lose that compartment, but the ship doesn't sink. If you leave the doors open trying to save everything, you lose the whole vessel.

In a typical SMB network here in Southwest Florida, those watertight doors rarely exist. Many networks are "flat," meaning once a threat actor is inside, they have visibility and access to nearly everything. If you hit a ransomware strain like Ryuk or LockBit, it can encrypt 10,000 files per minute. Speed is the only metric that matters.

The "Kill Switch" Trade-Off

Here is the uncomfortable truth: You are probably not ready to shut your business down on a Tuesday morning.

Most leadership teams I speak with view downtime as the enemy. They want 99.99% uptime. They want redundancy. But during an active attack, uptime is a liability. The longer your servers talk to the internet, the more data exfiltrates to a command-and-control server in Eastern Europe.

The trade-off is brutal. You must choose between guaranteed short-term financial loss (downtime) and potential catastrophic long-term loss (total data encryption and extortion). UMMC chose the former. They accepted the chaos of a Thursday shutdown to protect patient data integrity.

Do You Have a Plan B?

If you suspect an intrusion right now, what is your procedure? Do you have a physical or logical way to sever external connections without killing internal operations entirely? Or does your team have to run around yanking cables from the wall?

We recommend a predefined "isolation protocol." This isn't just a document; it is a technical capability configured in your firewall and switches. It allows you to segment the infected portion of the network while keeping critical, non-infected systems operational—or, in a worst-case scenario, to hit a digital kill switch that halts all traffic immediately.

The Human Friction of Response

Technology is rarely the bottleneck in these situations; hesitation is. I have seen business owners stare at a screen showing suspicious activity and debate whether they should wait for confirmation because they don't want to disrupt the sales team.

That hesitation costs you your backups. Ransomware developers know that backups are your get-out-of-jail-free card, so they target them first. If you wait 30 minutes to confirm the attack, your local backups are likely gone.

Recommendation: Empower your lead IT contact (whether internal or us) to pull the plug without asking for permission first. If the indicators of compromise (IOCs) match a ransomware profile, the authority to disconnect must be pre-approved. You can apologize for a false alarm later. You cannot decrypt files without a key.
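One way to make that pre-approval executable, as an added example that is neither UMMC's procedure nor this firm's tooling: a rate-based indicator for the mass encryption described earlier (speed, not file names) drives the two-tier isolation protocol from the previous section and emits the firewall rules for it. The threshold, addresses, interface name, chain name and file events are all constructed.

```python
"""Added example (not UMMC's or the MSP's code): rate indicator -> pre-approved isolation tier -> nft rules."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
HOST_THRESHOLD = 500      # distinct files touched per host per window (assumed cut-off)
WAN_IF = "wan0"           # hypothetical perimeter interface
FORENSICS = "10.0.99.10"  # hypothetical evidence collector that must stay reachable

def make_events():
    """Constructed file-write events as (time, host_ip, segment, path); not real logs."""
    t0 = datetime(2025, 1, 16, 9, 0, 0)
    ev = [(t0 + timedelta(milliseconds=6 * i), "10.0.1.23", "users",
           f"//fileserver/shared/doc{i}.xlsx.locked") for i in range(10000)]  # ~10k/min
    ev += [(t0 + timedelta(seconds=1.5 * i), "10.0.1.40", "users",
            f"//fileserver/finance/report{i % 5}.xlsx") for i in range(40)]  # normal edits
    return ev

def rate_alerts(events, threshold=HOST_THRESHOLD, window=WINDOW):
    """Return {host_ip: segment} for hosts touching >= threshold distinct files in any window."""
    recent, touched, flagged = defaultdict(deque), defaultdict(Counter), {}
    for t, host, segment, path in sorted(events):
        recent[host].append((t, path))
        touched[host][path] += 1
        while t - recent[host][0][0] > window:    # expire events that left the window
            _, old = recent[host].popleft()
            touched[host][old] -= 1
            if touched[host][old] == 0:
                del touched[host][old]
        if len(touched[host]) >= threshold:
            flagged[host] = segment
    return flagged

def isolation_decision(flagged):
    """Pre-approved tiers: one segment -> fence the hosts; several -> lateral movement, kill switch."""
    if not flagged:
        return {"action": "monitor", "hosts": []}
    tier = "kill_switch" if len(set(flagged.values())) > 1 else "isolate_host"
    return {"action": tier, "hosts": sorted(flagged)}

def render_rules(decision):
    """nftables commands for an assumed 'inet filter forward' chain; 'insert' puts them
    ahead of existing accepts. Flagged hosts may reach only the forensics collector;
    the kill switch also drops all WAN forwarding while LAN-to-LAN traffic keeps working."""
    rules = [f"nft insert rule inet filter forward ip saddr {h} ip daddr != {FORENSICS} drop"
             for h in decision["hosts"]]
    if decision["action"] == "kill_switch":
        rules += [f'nft insert rule inet filter forward iifname "{WAN_IF}" drop',
                  f'nft insert rule inet filter forward oifname "{WAN_IF}" drop']
    return rules
```

Against the constructed events only 10.0.1.23 trips the threshold and is fenced on its own; a second flagged host in a different segment escalates the same run to the kill switch, which severs the WAN but leaves internal traffic up.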

Recovery > Prevention

The UMMC incident reminds us that prevention is ideal, but recovery is mandatory. Your defenses will eventually fail. A phishing email will get through, or a vendor will get compromised. When that happens, your survival depends on how quickly you can detect the breach and how decisive you are in cutting off access.

Review your disaster recovery plan this week. Look for the section on containment. If it just says "contact IT support," it is not enough. You need specific steps for isolation that prioritize data preservation over business continuity. Sometimes, to save the patient, you have to stop the heart.

Experience Proactive IT—On Us!

Not sure if your IT is holding you back? Let us show you the difference.
Claim 2 free hours of service and get a professional network assessment to identify risks and opportunities—no strings attached!