As ransomware attacks surge, disaster recovery plans continue to fall short, writes Chris Huggett, SVP EMEA at the IT, data centres and recovery services firm Sungard AS.
Businesses around the world continue to fall victim to ransomware attacks. Opportunistic cybercriminals have taken advantage of the evolving digital environments that individuals, governments, and organisations have embraced recently, with findings from Bitdefender concluding ransomware threats have increased by nearly 500 per cent since the start of the pandemic.
Unfortunately, disaster recovery plans in many organisations continue to fall short when it comes to this particular risk. Recent attacks on the Colonial Pipeline in the US, the Irish healthcare system, and Northern Rail’s ticketing shutdown in the UK (picture by Mark Rowe; inoperative ticket machine at Silverdale station last month) highlight that no organisation should consider itself unattractive or immune to hackers. Attacks will only worsen as they increase in sophistication, and the prizes for successful breaches are set to have larger impacts on businesses and society as a whole too.
There is no silver bullet to make this issue disappear, so it’s essential that businesses extend their thinking beyond a disaster recovery program and produce a plan of action that allows operations to continue, so that ransom demands can go unpaid.
According to the 2020 Costs of a Data Breach Report, the cost of a ransomware attack is above average compared to other cyberthreats. This is in part due to the nature of the attack, with hackers demanding payment in return for data or services being reinstated. In the desperate situation of having an entire business unit or practice shut down, some organisations are prepared to pay up to recover data. And because of this, attackers continue to raise the stakes. So how should businesses approach tackling this threat today?
Ensure the right team is on the job
With cybercriminals continuing to vary their tactics as ransomware grows in prevalence, many emergency reaction and disaster recovery plans that businesses have in place are simply no longer effective. Companies need to have a specific data recovery plan in place to prevent the need to pay a ransom and it must be readily available.
Companies must ensure a team of dedicated employees is in place who, outside of their day-to-day roles, understand the steps that need to be taken should a disaster occur. This ensures action is swift, risk factors are reduced, and organisations can prevent an infection from spreading from affected systems across the business.
The team will be equally responsible for executing data recovery following an attack, using support from cyber security specialists to ensure that backup data and configurations are malware free before returning applications and data back into the organisation’s IT infrastructure.
The plans and team capabilities that have been established for disaster recovery purposes might not apply universally to a cyber incident response and data recovery effort though, especially as attacks increase in complexity and change tactics. Companies must account for this too in planning.
Prevent a failed data recovery process
At the beginning of a data recovery process is the triggering event. This is the situation that puts company data into a compromising position: the malicious activity of an external actor or rogue employee. Following this, data recovery efforts are put ‘in place’, meaning the system or data that was impacted will either be rebuilt completely or replaced to ensure that it is malware free.
Organisations often plan to implement new hardware, so that they can preserve the malware-impacted hardware for further forensic analysis.
Then there’s the matter of the financial significance of the stolen or infected data, as well as the time it will take to recover the assets, both of which are compromised in the aftermath of a ransomware attack.
When businesses look to implement new hardware, many are reliant on the most recently replicated or backed up data. This type of data is going to need to be available for use as soon as the switch can be made, so that the business can continue operating. But in a situation where you are unsure of the extent of a malware infection, repatriating and validating clean data can be incredibly difficult.
The reality is, replicated data and recent data backups established for disaster recovery purposes will likely be of little or no value in a ransomware situation. Cyber attackers will first target data that’s not so frequently used, so they will have sufficient leverage for extorting payment.
Given the number of unknowns associated with ransomware attacks, it’s becoming increasingly challenging for organisations to recover cyber-compromised data. While it’s a major problem that most organisations recognise, it’s one that few have addressed programmatically, and few can honestly claim that they are truly ready with a planned, structured and proven response.
Create a cyber incident response
Disaster recovery plans no longer meet the needs of a business in cyber crisis. The cost, time and risk factors associated with any type of cyberattack are something businesses need to prepare for, with a specific plan they can put into action.
Disaster recovery plans developed for physical disaster events such as a fire or flood, a technology infrastructure disaster like a data centre outage, or a power cut, are not sufficient to support the recovery process of a cyberattack on a business. Building a cyber incident response that puts in place a clear identification process, an immediate safeguarding reaction, and a data recovery process that works quickly and effectively is the only way for companies to survive a ransomware attack today.