Risk Management

Data Held Hostage

The damage inflicted in this year’s ransomware attacks will force corporations to review their IT resilience.
Vincent RyanSeptember 28, 2017

Think cyber scammers that perpetrate ransomware attacks are easily defeated? Note this: When the WannaCry ransomware epidemic struck in May 2017, scammers doubled down by targeting people who were already attacked and who were scrambling to retrieve their encrypted data. They sent them emails offering data protection, services that could prevent future attacks, and bogus WannaCry patches, all in an attempt to steal the beleaguered users’ personal information.

In June, another round of ransomware attacks, going by various names and featuring numerous variants, crippled the networks and operations of several multinationals:

A Better Way to Do Ecommerce

A Better Way to Do Ecommerce

Learn how Precision Medical leveraged OneWorld to cut the cost of billing in half and added $2.5M in annual revenue.

  • At Reckitt Benckiser (the company behind the Nurofen painkiller and Durex condoms) the Petya ransomware virus rendered useless 15,000 laptops and 2,000 servers—in less than an hour.
  • At pharma giant Merck, in the wake of the ransomware attack, sales representatives had to keep a paper record of their work and use a makeshift email server accessible only via a web browser. In late July, some of the company’s manufacturing operations were still not functioning normally.
  • At Copenhagen-based shipping giant A.P. Moller-Maersk, computer outages at the company’s APM Terminals in several locations meant cargo loading and unloading had to be tracked manually; some ports had to stop taking new cargo for several days.
  • At San Francisco radio and television station KQED, which has 350 employees, the disruption to operations lasted a month, blocking access to live data feeds and forcing show segments to be timed with a stopwatch.

After June’s incidents, will ransomware, a kind of malicious software designed to block access to a computer system until a sum of money is paid, be considered a serious operational risk? Will companies devote the capital and effort to protect against it?

Upping the Ante

It’s actually deceptively easy for companies to protect against ransomware, but obviously not all of them have done it. In a May 2017 blog post, Alexander Volynkin, a senior research scientist at the Software Engineering Institute of Carnegie Mellon, wrote that ransomware continues to proliferate simply because “users have not been properly trained or made aware of the dangers of opening malicious email attachments.” (Phishing emails to unsuspecting employees are how most ransomware is delivered.)

In addition, on the other side of the transaction, the perpetrators are getting more skilled at “social engineering.” Gone are the misspellings, bad punctuation, and unknown “from” addresses that made malicious emails easy to identify. “Advances in online translators and spell-checkers help in crafting appealing phishing narratives, while it has become increasingly difficult for a user to identify spoofed email addresses,” wrote Volynkin. (See “Repelling Ransomware,” below.)

The single most effective deterrent to ransomware? Regularly backing up and verifying a system, says Volynkin. However, “backups should be stored on a separate system that cannot be accessed from a network and updated regularly to ensure that a system can be effectively restored after an attack.”

Assessing a company’s ability to recover its data and systems and making changes to be better prepared for a ransomware attack require an organization to move beyond the two-dimensional approach of detecting and preventing intrusions, says Roy Golding, CFO of Zerto, a provider of business continuity software. The new approach must focus, at least in part, on building a resilient IT infrastructure.

“Having an actionable disaster recovery plan in place can make it easy to rebound after an attack with just a minimal impact on business operations,” according to Nitin Donde, CEO of Talena, a data management software provider. “The most important measure one could take in this regard is to have a rigid security hygiene,” he says.

At the user level, that means “exercising judgment and prudence while dealing with unknown data,” such as emails, attachments, PDFs, and JPEGs. At an organizational level, it means ensuring every user “is running the most up-to-date [operating system] versions and that incoming and outgoing data are properly vetted using state-of-the-art security procedures.”

Donde says the second line of defense should be “a rock-solid backup architecture.” As he explains it, historically, OS vendors have been slow to catch up to new and evolving security threats. Consequently, there’s always a short window of opportunity for attackers, when they can hack into systems and take control of critical data and applications before the OS vendors have had the opportunity to release a security patch. (The WannaCry and Petya ransomware attacks in May and June took advantage of vulnerabilities in an older Microsoft OS.)

“Having a backup architecture that involves making multiple point-in-time copies of data across geographies provides protection against such eventualities,” according to Donde. “Moreover, the backup architecture must be smart enough to make copies of not just the data but the metadata as well. An organization that was backing up data and metadata in this manner would have been impervious to all of the recent ransomware attacks.”

Cloud platforms can be used to increase the mobility and protection of mission-critical data and applications, says Zerto. The cloud makes the recovery process easier, faster, and more affordable, he notes. In addition, “cloud-based disaster recovery capabilities are much more comprehensive than traditional hardware-based backup and constrained physical IT environment methods,” Zerto explains.

The CFO’s Role

CFOs are a key part of keeping IT operations resilient. They need to meet regularly with CIOs to examine IT risks and how to mitigate them, says Zerto. They have to evaluate whether the CIO has adequate resources. And they must determine if the business can continue to grow and scale while maintaining an effective disaster recovery strategy.

When revamping disaster recovery plans or evaluating new or existing supporting technologies, Zerto says, CFOs and CIOs need to ask themselves multiple questions, including:

  • Can the organization recover (i.e., “rewind”) back to a point in time just seconds before an IT outage occurs? Is it able to get critical data, applications, websites, and individual files operational within minutes?
  • Is the organization able to successfully and quickly run disaster recovery tests with a high degree of automation, or does such activity require long lead times, a large support team, and expensive consultant resources?
  • Does the company’s existing infrastructure and disaster recovery technology stack give it the flexibility to achieve continuous data protection with block-level replication and enterprise-class scalability?

Will CFOs and CIOs get pressure to start answering these questions, if they haven’t already? After May’s globally coordinated WannaCry ransomware attack, which also disrupted some multinational organizations, BDO Global’s cybersecurity group called on boards of directors to “immerse themselves in the cyber issue and allocate sufficient resources to identify and ensure the effective management of cyber risks.” As to what a board is responsible for, the group noted that “a board’s accountability includes the way organizations protect, detect, respond, and recover; boards have to lift their organizations to the appropriate level of cyber resilience.”

The Aftermath

After the June attack, Reckitt Benckiser stated that it had “significant” cybersecurity measures in place and that it was “reviewing what further measures [could] be implemented” to minimize both the likelihood and potential impact of any future cyber-attacks. Maersk, meanwhile, said it was conducting a “forensic investigation” into the attack and that “different and further protective measures” have been put in place.

But will these and other organizations go further, educating employees about ransomware and putting in place comprehensive plans to keep IT operations resilient? The answer is not clear. Economic incentives usually drive companies’ behavior related to cybersecurity. So even a major disruption like June’s far-reaching ransomware incidents may not push cybersecurity up the priorities list—at least not to a point that warrants review by a board of directors.

“Unfortunately, there’s little market incentive for executives to take their focus off of growth and profits to worry about breaches,” wrote Kevin Magee, global security strategist at Gigamon, on CFO.com. “Even though hundreds of millions or billions of customers may be affected, their companies’ stock prices during and after the disclosure of high-profile data breaches may decrease only slightly and often quickly recover.” (See “Valuing Cybersecurity,” below.)

The companies affected in June did suffer minor financial hits: Maersk said the costs for dealing with the ransomware outbreak would be in the $200 million to $300 million range, and Reckitt Benckiser estimated that it would lose about £100m ($129 million) in revenue in 2017.

They would be remiss to not spend heavily to fortify their IT operations, because cyber scammers will keep trying to find a way in.

Repelling Ransomware

Here are five fundamental steps your company can take to curb its chances of falling victim to a ransomware attack.

  1. Adopt prevention programs. Prevention training and awareness programs can help employees recognize telltale signs of phishing scams and how to handle them. Guide employees on how to recognize and avoid fraudulent e-mails. Keep testing internally to prove the training is working.
  2. Strengthen e-mail controls. Make sure the organization has strong spam filters and authentication. Scan incoming and outgoing e-mails to detect threats and filter executable files. Consider a cloud-based e-mail analytics solution.
  3. Improve your CMDB. Companies need to be very diligent about building a complete configuration management database. It may be surprising, but most companies do not know all the IT systems in their environment across all subsidiaries and business lines. If you don’t know what you have, how can you protect it?
  4. Insulate your infrastructure. There are a host of solutions, from removing or limiting local workstation administration rights to seeking out the right configuration combinations (including virus scanners, firewalls, and so on). Regular patches of operating systems and applications can foil known vulnerabilities.
  5. Plan for continuity. Having a strong business continuity plan for recovery—one that’s regularly reviewed, updated, and tested—makes it easier to avoid paying ransom. Recovery objectives must be aligned to the critical tasks within an acceptable timeframe. Workstations and file servers shouldn’t be constantly connected to backup devices. Further, the backup solution should store periodic snapshots rather than regular overwrites of previous backups, so that in the event of a successful attack, backups will not be encrypted. —Kelly Bissell

Kelly Bissell is a managing director of Accenture Security.

Valuing Cybersecurity

Some of a company’s most valuable and vulnerable assets don’t even appear on the balance sheet. How much is a company’s email database really worth? Probably not much in conventional accounting terms, but consider what its value might be if it were completely locked down and made inaccessible by ransomware.

To even begin to place a proper value on cybersecurity, CFOs need to ask some hard questions:

  • What are the company’s most valuable digital assets?
  • Where are they are physically located, and who owns the hardware they’re stored on?
  • Does the company have a means of understanding and communicating what they are actually worth?
  • Who has access to them and how is access controlled?
  • How financially damaging would it be if they were hijacked or stolen or if the company were completely denied access to them?
  • If the company were hit with a catastrophic attack that shut down its most vital operations for a few weeks, perhaps a month, how would the organization recover? Would the company even continue to exist? —Kevin Magee

Kevin Magee is a global security strategist at Gigamon, a network-visibility and traffic-monitoring technology vendor.