
Lessons in resilience from a ransomware workshop

Last week's IT outage wasn't the first cybersecurity-related incident this year to throw airports and critical systems into disarray. Travellers who passed through Jakarta's Soekarno-Hatta International Airport on 20 June and subsequent days would have found the massive queues familiar: the only difference was that while the outage of 19 July was caused by a security update, the June outage was the result of a cyber attack that affected 210 institutions in Indonesia and almost forced the Indonesian government to pay a US$8 million ransom.

“Money cannot prevent a cyber attack,” commented James Blake, the head of global cyber resiliency strategy at security firm Cohesity.

Speaking at a ransomware resilience workshop conducted by Cohesity in Singapore earlier this month, he said that business continuity plans are also next to useless in the event of an attack like the one that hit the Indonesian government. If anything, he added, the larger an organisation is, the more likely it is to be hit and hit even harder, because that is exactly where the attackers can profit.

Instead, he recommended that organisations pursue cyber resilience: the ability to respond and recover while limiting disruption to the business. What does this involve?

The first step to recovering from ransomware: backups and crisis plans

The backups have to at least cover the most critical data; the crisis plans need to include step-by-step crisis management processes, lists of key personnel and their contact details, login credentials and so on. And very importantly, these need to be stored somewhere they cannot be affected by a cyber attack. Ideally the system where these are kept should be air-gapped from the main system or if possible, even in hard copy. And they need to be updated on a regular basis.

Systems down? Set up another way to communicate

Depending on how an organisation's systems are set up, a ransomware attack may cut off communications throughout the company. But it's critical to get all teams back in touch with each other, especially customer-facing teams who will be responsible for further communicating with affected external stakeholders. So an end-to-end line of communication needs to exist independently of the company's systems, whether it's as simple as a set of WhatsApp/Line/WeChat groups, or mailing lists hosted on an external cloud service.

Responding to cyber attackers? Bring in your insurer and your security provider

If the company has insurance against cyber attacks, or has engaged an external security provider, or both, it should keep up to date on what that insurance covers and how well the security tools are working. In the event of an attack, one of the first steps should be to reach out to both these providers and draw on their capabilities to respond – which is where crisis management plans and communication come in.

Thinking of paying the ransom? You might be held culpable

Most companies are already aware that a successful cyber attack potentially exposes them to massive liabilities: besides lost revenue, there are lawsuits from customers and investors, penalties from regulators, fallout from sensitive data being exposed, and more. But paying a ransomware demand can also carry just as much liability. Many jurisdictions strongly discourage paying a ransom to cyber attackers, and some, including the US, criminalise it – meaning that an executive who authorises the payment of a ransom may be jailed for doing so.

They're pressuring you? Take back control of the narrative

The level of liability created by a ransomware attack means that anything less than complete transparency can severely backfire. The attacker will often put the company on a clock, applying high-pressure tactics over a short period to frighten executives into paying. Companies need the capability to be just as quick in their response with external communications: informing regulators and corporate stakeholders as rapidly as possible, and issuing their own public statement if needed before rumour runs ahead of them and worsens the situation.

Still thinking of paying the ransom? You might not get your data back

One very important thing to know is that if a company gives in and pays, the problem still has not gone away. Even if the attackers keep their word and give out the decryption keys, the affected company will not be able to recover all the lost data. The decryption by itself will involve lengthy and complex technical difficulties, including matching keys to databases; and after all that work, the organisation might at best recover 60-80% of its data, with no guarantee that the most critical items will be among the recovered content. And then, of course, there is no guarantee that the attackers will act in good faith at all. They may release or resell the stolen data for their own profit, or they may demand even more money.

But don't wait until a ransomware attack actually happens

It can be terrifying to find yourself on an attacker's timeline, with criminals in control of your data and stakeholders pressuring you to resolve the situation. But organisations and executives are not exactly helpless in the face of a ransomware attack. There are plenty of actions they can take to regain some measure of control, as long as they move quickly, draw on all the resources available to them, and work together with external parties to mitigate the fallout. And most importantly, they need to put the processes that enable response and recovery in place before an attack actually happens.

“You need to act as though you're going to get attacked,” advised Blake.
