March 29, 2017
Business continuity and disaster recovery (BC/DR) plans are a crucial strategy for preventing and recovering from ransomware attacks.
Organisations from many industries have recently fallen victim to the increasingly popular cyber threat known as ransomware. Financial institutions, government agencies, hospitals and more have all been targets of this type of malware, which essentially holds a system or device hostage until the victim pays a specified amount of money to the perpetrator.
According to a Malwarebytes survey, UK businesses are among the hardest hit by ransomware in the world. Fifty-four per cent of UK respondents were attacked by ransomware in 2016. UK businesses were also much more likely to pay up – almost 60 per cent compared to a survey average of 37 per cent.
The Telegraph reported in January that Barts Health Trust, the largest NHS hospital trust in England, was attacked by ransomware that held thousands of sensitive files hostage. Though the trust did not pay the ransom, it did cancel 2,800 patient appointments during the 48 hours its systems were shut down to fight the attack.
The consequence of not paying up can be more substantial for many organisations, as 32 per cent of those that responded to the Malwarebytes survey never saw their files again.
As cybercriminals continue to evolve and attack a growing spectrum of targets, business continuity and disaster recovery (BC/DR) plans are a crucial strategy for preventing and recovering from ransomware attacks. Here are some tips to help your organisation stay prepared in case your network is under siege.
While some businesses opt to pay the ransom to quickly regain access to their systems, security professionals and law enforcement are urging businesses not to give in to hackers’ demands. By paying the ransom, not only are you supporting a criminal enterprise, but you’re sending the message that you’re willing to pay up, which leaves you susceptible to future attacks.
The National Cyber Security Centre (NCSC) recently offered some guidance on dealing with ransomware, emphasising the importance of cyber threat prevention and data backup and restoration. However, while the NCSC recommends backing up data to help curb a ransomware attack, SC Magazine reported in 2015 that more than 36 per cent of users don’t think it’s necessary to back up their data.
Additionally, even organisations that do back up their data are finding that this response strategy has challenges of its own. Lukas Hospital in Neuss, Germany, for example, had complete backups of all systems in place, but when it was plagued with TeslaCrypt 2.0 ransomware, the hospital estimated that it would take up to 48 hours before its IT environment was fully functional again. As a result, 20 per cent of the hospital’s surgeries had to be rescheduled, and less critical care had to be temporarily shifted to other hospitals.
If paying the ransom is discouraged and backing up data doesn’t always work in your company’s favour, what’s the best way to defuse the threat of ransomware?
The best way to recover when a ransomware attack hits your organisation is to have a comprehensive BC/DR plan that has a strong focus on cybersecurity. BC/DR planning allows your company to be more prepared for unforeseen risks like a ransomware attack so business processes and procedures can continue both during and after the attack.
The first line of defence against the spread of malware is to implement a perimeter anti-virus that can filter out viruses at the edge of the network. However, even if your business has anti-virus software in place, malware can sometimes breach the perimeter and reside undetected in the network. For this reason, it’s important to have your sensitive data encrypted and to have full backups of your IT environment.
If your data is encrypted by ransomware, backups allow you to restore your environment from a point in time before the attack and avoid paying the ransom. For example, we worked with an SME that had a critical server encrypted by ransomware. Because the SME had backups of its environment, we were able to recover the critical server before the client’s workday had begun. If the SME had not backed up its data, the business would have had no choice but to pay the ransom (and even then there was no guarantee it would have recovered its data) or to spend hours, days or weeks rebuilding databases, all while losing revenue and customers.
Note that in some cases, the amount of time it takes to restore a backup can cause a significant business interruption. Calculating your organisation’s maximum allowable downtime can help you determine your recovery time objectives (RTOs) for critical data and applications. You can then select a backup solution that has the ability to restore the backup files within the required time frame.
Any vendor you work with should provide a service level agreement (SLA) that holds the service provider contractually responsible for restoring your company’s data within a specified number of hours to minimise effects on business operations. Without an SLA, there’s no guarantee that you’ll be able to recover your data within your RTOs.
Implementing a comprehensive strategy that combines business continuity and disaster recovery allows you to proactively address your business’s weak points and ultimately prepare your organisation for unforeseen risks like ransomware attacks.
Practise your response
Although having a BC/DR plan in place is the best possible defence against ransomware, a BC/DR plan that isn’t regularly tested may have undetected problems that could cause your strategy to go wrong during a high-pressure situation like a ransomware attack.
The importance of testing your organisation’s BC/DR preparedness cannot be overstated, yet a report by eWeek recently revealed that only a little more than 30 per cent of companies test their plans at least once a year. While testing your BC/DR plan takes up time and resources, it ultimately reduces the cost and risk associated with a ransomware attack.
Having a BC/DR plan in place will not only better prepare your business for a ransomware attack and any other potential business disruption, but it will also help you avoid losing customers and revenue and give you peace of mind that your organisation can minimise downtime if an outage occurs.