Think cyber scammers who perpetrate ransomware attacks are easily defeated? Note this: When the WannaCry ransomware epidemic struck in May 2017, scammers doubled down by targeting people who were already attacked and who were scrambling to retrieve their encrypted data. They sent them emails offering data protection, services that could prevent future attacks, and bogus WannaCry patches, all in an attempt to steal the beleaguered users’ personal information.
In June, another round of ransomware attacks, going by various names and featuring numerous variants, crippled the networks and operations of several multinationals:
After June’s incidents, will ransomware, a kind of malicious software designed to block access to a computer system until a sum of money is paid, be considered a serious operational risk? Will companies devote the capital and effort to protect against it?
It’s actually deceptively easy for companies to protect against ransomware, but obviously not all of them have done it. In a May 2017 blog post, Alexander Volynkin, a senior research scientist at the Software Engineering Institute of Carnegie Mellon, wrote that ransomware continues to proliferate simply because “users have not been properly trained or made aware of the dangers of opening malicious email attachments.” (Phishing emails to unsuspecting employees are how most ransomware is delivered.)
In addition, on the other side of the transaction, the perpetrators are getting more skilled at “social engineering.” Gone are the misspellings, bad punctuation, and unknown “from” addresses that made malicious emails easy to identify. “Advances in online translators and spell-checkers help in crafting appealing phishing narratives, while it has become increasingly difficult for a user to identify spoofed email addresses,” wrote Volynkin. (See “Repelling Ransomware,” below.)
The single most effective deterrent to ransomware? Regularly backing up and verifying a system, says Volynkin. However, “backups should be stored on a separate system that cannot be accessed from a network and updated regularly to ensure that a system can be effectively restored after an attack.”
Assessing a company’s ability to recover its data and systems and making changes to be better prepared for a ransomware attack require an organization to move beyond the two-dimensional approach of detecting and preventing intrusions, says Roy Golding, CFO of Zerto, a provider of business continuity software. The new approach must focus, at least in part, on building a resilient IT infrastructure.
“Having an actionable disaster recovery plan in place can make it easy to rebound after an attack with just a minimal impact on business operations,” according to Nitin Donde, CEO of Talena, a data management software provider. “The most important measure one could take in this regard is to have a rigid security hygiene,” he says.
At the user level, that means “exercising judgment and prudence while dealing with unknown data,” such as emails, attachments, PDFs, and JPEGs. At an organizational level, it means ensuring every user “is running the most up-to-date [operating system] versions and that incoming and outgoing data are properly vetted using state-of-the-art security procedures.”
Donde says the second line of defense should be “a rock-solid backup architecture.” As he explains it, historically, OS vendors have been slow to catch up to new and evolving security threats. Consequently, there’s always a short window of opportunity for attackers, when they can hack into systems and take control of critical data and applications before the OS vendors have had the opportunity to release a security patch. (The WannaCry and Petya ransomware attacks in May and June took advantage of vulnerabilities in an older Microsoft OS.)
“Having a backup architecture that involves making multiple point-in-time copies of data across geographies provides protection against such eventualities,” according to Donde. “Moreover, the backup architecture must be smart enough to make copies of not just the data but the metadata as well. An organization that was backing up data and metadata in this manner would have been impervious to all of the recent ransomware attacks.”
Cloud platforms can be used to increase the mobility and protection of mission-critical data and applications, says Zerto. The cloud makes the recovery process easier, faster, and more affordable, he notes. In addition, “cloud-based disaster recovery capabilities are much more comprehensive than traditional hardware-based backup and constrained physical IT environment methods,” Zerto explains.
CFOs are a key part of keeping IT operations resilient. They need to meet regularly with CIOs to examine IT risks and how to mitigate them, says Zerto. They have to evaluate whether the CIO has adequate resources. And they must determine if the business can continue to grow and scale while maintaining an effective disaster recovery strategy.
When revamping disaster recovery plans or evaluating new or existing supporting technologies, Zerto says, CFOs and CIOs need to ask themselves multiple questions, including:
Will CFOs and CIOs get pressure to start answering these questions, if they haven’t already? After May’s globally coordinated WannaCry ransomware attack, which also disrupted some multinational organizations, BDO Global’s cybersecurity group called on boards of directors to “immerse themselves in the cyber issue and allocate sufficient resources to identify and ensure the effective management of cyber risks.” As to what a board is responsible for, the group noted that “a board’s accountability includes the way organizations protect, detect, respond, and recover; boards have to lift their organizations to the appropriate level of cyber resilience.”
After the June attack, Reckitt Benckiser stated that it had “significant” cybersecurity measures in place and that it was “reviewing what further measures [could] be implemented” to minimize both the likelihood and potential impact of any future cyber-attacks. Maersk, meanwhile, said it was conducting a “forensic investigation” into the attack and that “different and further protective measures” have been put in place.
But will these and other organizations go further, educating employees about ransomware and putting in place comprehensive plans to keep IT operations resilient? The answer is not clear. Economic incentives usually drive companies’ behavior related to cybersecurity. So even a major disruption like June’s far-reaching ransomware incidents may not push cybersecurity up the priorities list—at least not to a point that warrants review by a board of directors.
“Unfortunately, there’s little market incentive for executives to take their focus off of growth and profits to worry about breaches,” wrote Kevin Magee, global security strategist at Gigamon, on CFO.com. “Even though hundreds of millions or billions of customers may be affected, their companies’ stock prices during and after the disclosure of high-profile data breaches may decrease only slightly and often quickly recover.” (See “Valuing Cybersecurity,” below.)
The companies affected in June did suffer minor financial hits: Maersk said the costs for dealing with the ransomware outbreak would be in the $200 million to $300 million range, and Reckitt Benckiser estimated that it would lose about £100 million ($129 million) in revenue in 2017.
They would be remiss to not spend heavily to fortify their IT operations, because cyber scammers will keep trying to find a way in.
Here are five fundamental steps your company can take to curb its chances of falling victim to a ransomware attack.
Kelly Bissell is a managing director of Accenture Security.
Some of a company’s most valuable and vulnerable assets don’t even appear on the balance sheet. How much is a company’s email database really worth? Probably not much in conventional accounting terms, but consider what its value might be if it were completely locked down and made inaccessible by ransomware.
To even begin to place a proper value on cybersecurity, CFOs need to ask some hard questions:
Kevin Magee is a global security strategist at Gigamon, a network-visibility and traffic-monitoring technology vendor.