Paying a ransom is not the way to deal with a ransomware attack; instead, comprehensive business continuity and disaster recovery planning provides the best solution, says Paul Barber.
When the Titanic set sail on its ill-fated voyage in 1912, it was woefully underprepared to save the 2,200-plus souls on board. After it struck an iceberg in the North Atlantic Ocean, more than half of the ship’s passengers and crew perished, partly because there were not enough lifeboats to accommodate everybody.
Though the ship could have carried enough lifeboats, the final count was far lower, to save money. That scenario should sound hauntingly familiar to any business that has cut back on its data security and business continuity procedures to reduce costs. Just as the Titanic wasn’t prepared for an emergency situation, many businesses don’t make the necessary preparations to survive a ransomware attack.
While you might have escaped a major ransomware attack up to this point, statistics indicate it’s not a matter of if you’ll be attacked, but a matter of when. The recent WannaCry global ransomware attack only serves to emphasise this point.
Data gathered by data security company SonicWall revealed that there were 638 million ransomware attack attempts globally in 2016. SonicWall estimated that $209 million (over £161 million) in ransoms was paid in just the first quarter of 2016.
As we are halfway through Business Continuity Awareness Week and the theme is cyber resilience, I want to take a look at ransomware’s effect on businesses, how to respond and how to prepare. Without a plan, your business will be scrambling for lifeboats.
How ransomware attacks affect businesses
Almost half of the NHS trusts in England that responded to a freedom of information request by NCC Group revealed that they were hit by ransomware last year. The Northern Lincolnshire and Goole NHS Foundation Trust (NHS NLAG) was among the hardest hit when an unspecified virus forced the trust to cancel surgeries and direct major trauma cases to other facilities. Security experts believe it was a ransomware attack.
While no NHS trusts had reported paying for decryption keys as of January 2017, some UK businesses have been more open about how they were affected. Hosted desktop and cloud services provider VESK paid 29 bitcoins (£18,600) after a ransomware attack in September 2016. Small businesses can also be targeted, as a hairdressing salon in Scotland found out. The salon paid £1,600 worth of bitcoins when its system for client bookings and contact details was held hostage in June 2016.
The London financial sector was a common target in 2016, with some of the top banks and law firms getting hit almost 10,500 times, according to Malwarebytes. Banks also seem to be the most willing to pay for decryption keys since they have reportedly been buying bitcoins to have ready in case of an attack.
Why paying isn’t the key
While some businesses, such as VESK or banks, opt to pay the ransom to quickly regain access to their systems, security professionals are urging businesses not to use this approach. By paying the ransom, not only are you supporting a criminal enterprise, but you’re sending the message that you’re willing to give in to hackers’ demands, which leaves you susceptible to future attacks.
How to plan ahead
Comprehensive business continuity and disaster recovery plans, with a strong focus on cybersecurity, can ensure you have the resources required to survive a ransomware attack. At a minimum, you should have a perimeter anti-malware system that filters out malware at the edge of your network, but even that won’t stop everything. That’s why it’s important to implement multiple layers of defence, including managed firewalls, sensitive data encryption and full backups of your IT environment.
Having secure and recent backups allows you to restore your environment from before the attack and avoid paying the ransom. However, restoring from a backup can take a significant amount of time if you’re not prepared. Therefore, it’s important to know your maximum allowable downtime in order to determine your recovery time objectives.
Any vendor you work with to back up your environment should provide a service level agreement (SLA) that holds the vendor responsible for restoring your company’s data within a specified number of hours.
Monitoring and scheduled testing are also vital, not only to prove that the backup is viable but also to ensure that the required recovery SLA is achievable.
Emphasising cybersecurity in your business continuity and disaster recovery plans will help you recover from ransomware in a timely manner and avoid the loss of customers and revenue caused by downtime and data loss.
Paul Barber is integration manager at IT Specialists UK.