By Stephen Cobb, Senior Security Researcher, ESET
Responding to a crisis can bring out the best in people. Organizations that demonstrate resilience in the face of adverse incidents often enhance their brands. But too many organizations leave crisis response and disaster recovery to chance. Sure, you may be able to muddle through an emergency without a plan, but why risk it? I ask that question today because this is Business Continuity Awareness Week, an annual global event that aims to demonstrate the value of business continuity and help people understand why they should apply it to their organization.
Of course, you might be saying, “We have a business continuity plan, and it includes incident response and disaster recovery, so we’ve checked that box, and we’re fine.” To which my response is, “Good for you—but have you really? And when was the last time you tested that plan?” There is a lot of evidence to suggest that many organizations either don’t have a plan, don’t have a complete plan, haven’t tested the plan, or haven’t properly informed employees about what’s in the plan. Let’s review the evidence, starting with some statistics, and then pivoting to a growing pile of unsettling facts brought to light by the current plague of cyber-badness known as ransomware.
Lack of Cyber-Incident Preparedness Is Rampant
When ESET commissioned the Ponemon Institute to survey 500 healthcare organizations about their cybersecurity, we learned that only 50 percent had cyber-incident response processes in place. And it’s not just healthcare. When NTT Com Security surveyed 1,000 businesses, mainly in the banking and retail sectors, it found that only 49 percent of organizations had a full security incident recovery plan. Shocking? Yes, but that number does not entirely capture the scope of the problem. Even firms that have gone to the trouble of putting plans in place are at risk of botching their response to adverse events because “more than half of all respondents (54 percent) are not fully aware of what is in their organization’s disaster recovery plan.”
More worrying still is that one in seven employees said they had no idea what would be needed from them in the event of a catastrophic data loss. And there is no reason for complacency just because yours is a big company. While NTT found that larger companies were more likely to have disaster recovery plans, their execs were less likely to be fully briefed on them.
Sadly, fresh evidence of a lack of cyber-incident preparedness is emerging every day in the wake of ransomware attacks. In a typical ransomware attack, a criminal somehow gets malicious code, such as Cryptolocker, onto one or more of your computing devices. That malware then encrypts every file it can reach, including files on network shares the infected machine has access to, and issues a demand for money in return for the key to unlock them. Based on research into Bitcoin, the hard-to-trace digital currency usually demanded by purveyors of ransomware, it’s clear that thousands of people are paying up, generating millions in ill-gotten gains for the scumbags who perpetrate this crime. However, a reasonable response to this phenomenon is to ask: Why pay to get back files of which you have copies? Why not just restore those copies and keep the ransom money for something worthwhile?
Sadly, and all too obviously, the most common answer is, “We don’t have backups.” Other answers include: there’s something wrong with the backups, or the person who knows the recovery process was fired last month, or the recovery person still works here but is currently on a two-week quest of self-discovery in a desert retreat that has zero connectivity. Which brings me to the “responsibility” portion of this article. What is the responsible response to ransomware?
How to Beat Ransomware? Back Up
Deflecting attacks comes first, and a comprehensive set of up-to-date cybersecurity policies backed by appropriate controls and employee education is the right starting point. ESET has plenty of good advice on how to protect against this type of attack, but you’re still going to need to address the possibility of a ransomware attack in your crisis response plan. For a start, what is your organization’s policy on paying the criminals if ransomware does succeed in locking your files? Does every employee know the policy? What’s to stop a sysadmin from paying the ransom because he or she can’t be bothered to do a proper job of recovery? (And yes, I know of cases where that happened.)
At ESET, we agree with the most recent guidance from the FBI, which strongly advises against paying ransomware demands. There are several reasons for following this advice, including our collective social responsibility not to encourage this type of crime. History tells us that if the bad guys can’t make money at a particular scam, they’ll move on. However, here’s the reason for not paying a ransomware demand that is most relevant to Business Continuity Awareness Week: You should be able to restore all the files from backup. That means backups that the malware cannot reach (a backup drive or share that is permanently mounted on an infected machine gets encrypted along with everything else) and that you have actually tested by restoring from them. After all, you already need dependable backup and recovery to cope with threats that go beyond ransomware (fire, flood, earthquake, tornado, hurricane, and comet strike, for starters). For a case study in how backup saved a company from a ransomware attack, check out this article from our partner StorageCraft, and learn more about backup and recovery solutions here.
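One concrete way to find out that “there’s something wrong with the backups” before ransomware does is to keep a hash manifest of what was backed up and verify the restored copy against it. The script below is an added illustration of that check, not code from ESET or from the article; the directory names, file contents and the simulated infection are all constructed inside a temporary directory so it runs offline.

```python
"""Backup restore-test check (added example, not from the original article).

Builds a SHA-256 manifest of a live directory at backup time, then verifies a
restored copy against it, reporting files that are missing or whose contents
no longer match. All sample data below is constructed in a temp directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each file (path relative to root, POSIX form) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_against_manifest(manifest: dict, root) -> dict:
    """Check a (restored) tree against the manifest taken at backup time."""
    root = Path(root)
    missing, modified = [], []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            modified.append(rel)
    return {"missing": missing, "modified": modified,
            "ok": not missing and not modified}


def demo() -> dict:
    """Constructed scenario: back up, simulate a ransomware hit, test the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "notes").mkdir(parents=True)
        (live / "ledger.csv").write_text("id,amount\n1,42\n")
        (live / "notes" / "todo.txt").write_text("test the restore plan\n")

        manifest = build_manifest(live)      # recorded at backup time
        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)        # stand-in for the real backup job

        # Simulated ransomware on the live tree: one file's contents replaced
        # with ciphertext-like garbage, one file removed. The backup is untouched.
        (live / "ledger.csv").write_bytes(b"\x8f\x11\xa0\x42\x7c\xde\x03\x99")
        (live / "notes" / "todo.txt").unlink()

        return {
            "damaged": verify_against_manifest(manifest, live),
            "backup": verify_against_manifest(manifest, backup),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "OK" if result["ok"] else "FAILED", result)
```

Keep the manifest with the offline backup copy (or on a separate system), not only on the production host, or the ransomware will encrypt the manifest along with the files it describes. A hash comparison catches corrupted, stale or partially copied backups; it does not replace a periodic full restore onto a clean machine, which is what actually proves the recovery procedure and the people who run it.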
One final point about responding responsibly to ransomware: Be sure to report all such incidents to law enforcement. Politicians looking at crime-fighting budget requests always ask for stats. How many cases? What was the impact? And so on. You can help build the case for a bigger focus on cybercrime by letting the authorities know whenever it happens.
To better understand ransomware and the steps you can take to protect your files and data, read our new “Cryptolockers and Other Filecoders” white paper. Additional resources to ensure your business is ready for the unexpected are below:
Getting Started with Business Continuity (free webinar)
Business Continuity Management: Key to Securing your Digital Future
Planning for Anything: Business Continuity and Disaster Recovery (free webinar)
Free Business Continuity Planning Kit for Small Businesses
I will be doing my bit during Business Continuity Awareness Week by helping out at the San Diego Business Resilience Summit, organized by the local chapter of the Association of Contingency Planners. We’ll be doing an exercise designed to improve everyone’s ransomware response. I hope you now feel inspired to dust off your response plans and make sure ransomware is addressed.