- Published: Monday, September 25, 2017 07:30
By Stephen McGrady
Those responsible for Business Continuity Planning (BCP)—i.e. having plans in place to keep a business running after disaster strikes—understand that the world really can be a dangerous place. Although hacking, malware and ransomware aren’t really “new” threats per se, they have certainly grown in frequency and impact.
As some recent high-profile situations have shown, terrible things can and do happen to organizations everywhere. Case in point: Disney was recently hit with a ransom demand by hackers who claimed to have stolen the latest “Pirates of the Caribbean” movie. A few weeks before that, hackers stole the latest season of “Orange is the New Black” from Netflix, and leaked episodes when the firm refused to meet their ransom demands. And then there’s the widely-publicized “WannaCry” ransomware attack, which affected over 200,000 computers in 150 countries in May.
Quite often these attacks are not caused by hackers “pounding down the doors” to get in; instead, they’re set in motion when unsuspecting employees click on something that they shouldn’t. Someone opens an email attachment that looks important, or that comes from someone they know (whose email turns out to have been hacked), and the next thing they know the entire company’s computer system is locked up, with all of their files encrypted. When they try to access the system, all they can see is a screen demanding a ransom, with a countdown clock or short deadline creating enormous pressure to act.
While the average ransom demand from the WannaCry attack was just $300 (in Bitcoins), a January 2017 Ponemon Institute survey found that 51% of 618 small and midsize businesses had been hit with ransomware in the previous year, with the average ransom request being $2,500. Of course, many large companies have faced ransom demands much larger than that.
You need to be prepared
Business Continuity Planning recognizes that having a pre-planned response to these types of attacks is vital. Just thinking specifically about malware attacks (versus any of the other potential disasters and crises which BCP should address), some of the many things to consider include:
- Who will be responsible for the response? You should have a crisis management team in place and a response plan with several scenarios pre-defined. Because attackers will set short deadlines for you to respond, you will not have adequate time to formulate a response strategy in real time. This team should meet periodically to review existing plans against current threats, and update the plans as needed.
- What is your principled response to ransom? Peter Coroneos, the former chief executive of the Internet Industry Association and an expert on cyber policy, said whether or not to agree to ransomware demands presented practical and ethical dilemmas. “As a matter of principle,” he has stated, “the answer should always be no…based on the simple dynamics of perpetuating bad conduct. However, as a matter of practicality and necessity, the situation is somewhat more complex.”[1] Getting corporate buy-in in advance for the “always say no” position is essential if you’re to hold your ground in a ransomware scenario.
- Are there any circumstances under which you will ever pay a ransom? If the answer is yes, even sometimes, you need to ensure that you have a mechanism in place to be able to pay a ransom in Bitcoins. After all, most of us don’t have Bitcoin accounts. As stated above, if the answer is no (you will never pay, or will not pay under most circumstances), you need to have a robust response procedure for dealing with the attack.
- Are you replicating your data in real time? Do you have a risk management plan in place that ensures you always have up-to-date backup copies of your data that are isolated (firewalled off) from your production systems, so that if your primary data is locked up by malware, you can restore everything from that backup?
You need to provide end-user training
Of course, a huge part of BCP when it comes to dealing with the threat of ransomware and other malware is prevention. Prevention is especially important because the most vulnerable part of your system is your people. Everyone in the organization needs to be trained on how to recognize suspicious links and attachments, and what to do (and not do!) when they receive one.
- If you get an email saying that you must act immediately or something dire will happen, know that the bad guys are trying to panic you into taking action that would open the door for them to get in.
- If you receive an attachment from an unknown source, or something out of character from someone you know, call the sender and verify what it is before you click on it.
- If you get an email that appears to be from your bank, check which domain the email is actually coming from. If it’s from, say, BankofAmerica[at]accounts[dot]com, delete it. Even if it does appear to be coming from your bank’s domain, open up your browser and enter the bank’s URL directly to check things out, rather than clicking on the link in the email.
- If something seems too good to be true, such as a free version of a popular app that is not free, don’t download it.
- And so forth.
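One way to automate the sender check described above, as an added example that is not code from the original post: it parses a From: header with Python's standard library and flags the post's BankofAmerica[at]accounts[dot]com case as a lookalike. The table of expected bank domains is an assumption constructed for the example.

```python
from email.utils import parseaddr

# Constructed for this example: the domain a bank legitimately sends from,
# mapped to the brand words a lookalike is likely to reuse.
EXPECTED_SENDER_DOMAINS = {
    "bankofamerica.com": ["bank of america", "bankofamerica"],
}


def sender_domain(from_header):
    """Return the domain part of a From: header, lowercased ('' if no address)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def classify_sender(from_header):
    """Classify a From: header as 'expected', 'lookalike' or 'unknown'.

    'expected'  - the address really is on the bank's domain (or a subdomain)
    'lookalike' - the brand appears in the display name, local part or
                  domain, but the domain is not the bank's
    'unknown'   - no known brand involved at all
    """
    display, addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    local = addr.split("@", 1)[0].lower() if "@" in addr else ""
    # Everything a phisher might stuff the brand into, lowercased for matching.
    haystack = f"{display} {local} {domain}".lower()

    for real_domain, brand_words in EXPECTED_SENDER_DOMAINS.items():
        if domain == real_domain or domain.endswith("." + real_domain):
            return "expected"
        if any(word in haystack for word in brand_words):
            # e.g. BankofAmerica@accounts.com: brand in the local part,
            # domain belongs to someone else.
            return "lookalike"
    return "unknown"
```

An 'expected' result only means the header claims the bank's domain; since From: headers can be forged, the advice to type the bank's URL into your browser yourself still applies.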
You need everyone to be vigilant, because once the wrong people get into your system they can be very disruptive and damaging to your business.
You need to have a plan in place
Prevention is imperative. But if something does get in the door, you need to have a plan for dealing with it. This is where Business Continuity Planning—which is one of CIO Professional Services’ areas of expertise—comes in. For assistance getting BCP in place at your organization, contact us today.
[1] The Guardian, “Don’t pay WannaCry demands, cybersecurity experts say,” May 15, 2017.
About Stephen McGrady
Stephen McGrady has served in technology vision and leadership roles, including Vice President of Services, Chief Information Officer (CIO) and General Manager, for over 20 years. Since 2006 he has focused on executive management consulting that enables business clients to improve performance through intelligent use of information technologies.
About CIO Professional Services
Based in the San Francisco Bay area, CIO Professional Services LLC is a top-rated Information Technology (IT) consulting firm focused on integrating Business and Information Technology. Our consultants are all hands-on executives who are veteran CIOs and Partners of Big 4 consulting firms. Companies come to us seeking assistance with their information technology strategy as well as for interim or fractional CIO / CTOs, and negotiation and program management/project rescue assistance.