Colonial Pipeline, Scripps Health, Ireland’s national health service and JBS Meat Packing have all made the headlines in recent weeks as ransomware victims, with reported ransom payments totaling close to $16M.
Ransomware is malware that blocks access to computers, servers and company data by encrypting that data. At a minimum the attackers demand a ransom to unlock the files and restore access, but many variants now also steal data before encrypting it and threaten to publish it. These attacks continue to rise in frequency and become more complex with each new variant.
Ransomware massively disrupts business operations, and recovery takes significant time, on top of the financial, reputational and legal costs.
1. How would we know if a cyber-incident is occurring?
Ransomware attacks are often the final event in a sequence: the attackers have already gained access to the network, figured out where data resides and how backups are configured, and decided whether to steal data before encrypting it for a second round of extortion. This dwell time can range from a few hours to weeks, depending on the size and complexity of the environment and the resistance the attackers encounter along the way.
- What monitoring roles, tools, and processes are in place to detect attackers once they are inside?
- What resources are in place for staff to report suspicious activity, such as an unexpected email or a web link that returned an error?
- Are all IT assets inventoried and protected against unauthorized access?
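The monitoring question above is easier to discuss with a concrete example of what "detecting attackers once they are inside" looks like in practice. The script below is an added example, not part of the original article: it runs two cheap ransomware precursor checks over a handful of constructed log lines. The first flags commands that ransomware families commonly run before encrypting, such as deleting Volume Shadow Copies, which is how the attackers neutralize local restore points. The second flags a burst of file renames on one host where an extension is appended to the original name, the signature of encryption in progress. The log format (timestamp, host, event type, details) is a simplified invention for the example; in a real environment the same logic would run over Windows Security, Sysmon or file-server audit events.

```python
"""Two ransomware precursor checks over constructed log lines.

Added example, not code from the original article. The log format is a
made-up simplification: "<ISO timestamp> <host> <event type> <details>".
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). Forward slashes avoid escaping.
SAMPLE_LOG = """\
2021-06-01T02:09:55 WS17 PROCESS_CREATE vssadmin.exe delete shadows /all /quiet
2021-06-01T02:09:58 WS17 PROCESS_CREATE wbadmin.exe delete catalog -quiet
2021-06-01T02:10:01 FS01 FILE_RENAME D:/finance/Q1.xlsx -> D:/finance/Q1.xlsx.locked
2021-06-01T02:10:01 FS01 FILE_RENAME D:/finance/Q2.xlsx -> D:/finance/Q2.xlsx.locked
2021-06-01T02:10:02 FS01 FILE_RENAME D:/finance/Q3.xlsx -> D:/finance/Q3.xlsx.locked
2021-06-01T02:10:02 FS01 FILE_RENAME D:/finance/Q4.xlsx -> D:/finance/Q4.xlsx.locked
2021-06-01T02:10:03 FS01 FILE_RENAME D:/finance/ledger.csv -> D:/finance/ledger.csv.locked
2021-06-01T02:10:03 FS01 FILE_RENAME D:/finance/payroll.csv -> D:/finance/payroll.csv.locked
2021-06-01T09:30:00 WS04 PROCESS_CREATE vssadmin.exe list shadows
2021-06-01T09:31:12 WS04 FILE_RENAME C:/Users/ann/report.docx -> C:/Users/ann/report.docx.bak
"""

# Commands widely observed before encryption: they remove the local restore
# points that would otherwise let a victim recover without paying.
BACKUP_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s+(?P<details>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_backup_tampering(records):
    """Return (host, command line) for process launches that match a tamper pattern."""
    hits = []
    for r in records:
        if r["event"] != "PROCESS_CREATE":
            continue
        if any(p.search(r["details"]) for p in BACKUP_TAMPER_PATTERNS):
            hits.append((r["host"], r["details"]))
    return hits


def find_rename_bursts(records, window_seconds=60, threshold=5):
    """Return {host: peak renames in any window} for hosts at or over the threshold.

    Only renames that keep the original name and append something to it are
    counted, which is how most ransomware marks the files it has encrypted.
    """
    renames = defaultdict(list)
    for r in records:
        if r["event"] != "FILE_RENAME":
            continue
        src, _, dst = r["details"].partition(" -> ")
        if dst.startswith(src) and len(dst) > len(src):
            renames[r["host"]].append(r["ts"])
    flagged = {}
    for host, times in renames.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, cmd in find_backup_tampering(recs):
        print(f"ALERT backup tampering on {host}: {cmd}")
    for host, n in find_rename_bursts(recs).items():
        print(f"ALERT rename burst on {host}: {n} files renamed within 60s")
```

Note the two deliberate non-matches: `vssadmin list shadows` is a normal administrative command and is not flagged, and a single `.bak` rename on a workstation stays under the burst threshold. Tuning that threshold to the normal rename rate of each file server is the work the "monitoring roles and processes" question is really asking about.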
2. What measures do we take to minimize the damage an attacker can do inside our network?
Attackers can move quickly through a network depending on how it is configured, in particular user permissions, passwords and remote access. Although encrypting the data takes significant time, it is not uncommon for the encryption to hit the entire enterprise rather than a single computer.
- How is access granted to users, and how is it removed?
- Do users have the least amount of access required to do their jobs?
- Is network traffic restricted to and from the Internet as well as within the local area network, or is all traffic allowed by default so that any user can reach every system?
3. Do we have an incident response plan for cyber incidents, and how do we ensure it is effective?
An incident response plan provides a framework for responding to an incident when it occurs, as opposed to taking actions and making decisions on the fly.
Some of the components include:
- Key contacts on the response team, legal and insurance partners and any regulatory or law enforcement parties that would need to be involved.
- Critical decision making and escalation processes.
- Contingency plans for critical applications or functions such as Internet access.
- A printed or offline copy of the plan, since the computer systems it is normally stored on may be unavailable during the incident.
- Regular review and practice of the plan, especially when systems change, such as new software or locations, or when key personnel join or leave the company.
4. Does our incident response plan address ransomware specifically?
Ransomware forces specific response decisions and typically has a greater impact than incidents caused by other malware or exploits. Foundational items in an IRP to address ransomware include:
- Who would handle contact with the cyber criminals, and how?
- How would decisions be made to pay a ransom?
- What is the process to notify the insurance carrier of the cyber incident?
- Is the company prepared for extended downtime related to the response and recovery phases of the IRP which could result in lost revenue and brand reputation damage?
5. How is data backed up and are we confident that the backups would not be affected by a ransomware attack?
Ransomware often targets data backups first, removing the company's alternative to paying. Restoring from backup is the only dependable way to recover without paying, although putting all systems back into production can take weeks or even months. Some points to explore regarding backups include:
- How often are backups run on all systems, including those holding critical data?
- How often are backups tested by actually restoring them?
- Where are backups stored, and is at least one copy offline or otherwise unreachable from the production network?
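The two questions about testing restores and about whether backups would survive an attack can both be answered by the same routine check. The script below is an added example and is not from the original article: it records a SHA-256 manifest of a backup set, later verifies the set against that manifest, restores it to a scratch directory to prove a restore actually works, and additionally flags any file whose bytes look like ciphertext (very high byte entropy), which is what an encrypted backup looks like even when its name was left alone. The demo builds a small constructed backup in a temporary directory, then simulates an intruder reaching the backup share by replacing one file with random bytes under a new name. Path names, the entropy threshold of 7.5 bits per byte and the `.locked` suffix are assumptions for the example, not values from the article.

```python
"""Backup integrity and restore test with a ciphertext heuristic.

Added example, not code from the original article. The backup layout, the
manifest format and the entropy threshold are assumptions for illustration.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte: ~4-5 for text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map each file's relative path to its SHA-256. Store this off the backup host."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest, entropy_threshold=7.5):
    """Compare a backup set against its manifest and flag ciphertext-looking files.

    Already-compressed or encrypted formats (zip, jpeg, real encrypted archives)
    also score high on entropy, so that list is a prompt to look, not proof.
    """
    root = Path(root)
    present = sorted(str(p.relative_to(root)) for p in root.rglob("*") if p.is_file())
    report = {"missing": [], "changed": [], "unexpected": [], "high_entropy": []}
    for rel, digest in manifest.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(root / rel) != digest:
            report["changed"].append(rel)
    report["unexpected"] = [rel for rel in present if rel not in manifest]
    for rel in present:
        with open(root / rel, "rb") as f:
            head = f.read(65536)
        if shannon_entropy(head) >= entropy_threshold:
            report["high_entropy"].append(rel)
    report["ok"] = not (report["missing"] or report["changed"] or report["unexpected"])
    return report


def restore_test(backup_root, manifest):
    """Restore to a scratch directory and verify there; a backup you cannot restore is not a backup."""
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        shutil.copytree(backup_root, scratch, dirs_exist_ok=True)
        return verify_backup(scratch, manifest)["ok"]
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def demo():
    """Constructed scenario: clean check, then a tampered backup share."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    backup = work / "backup"
    backup.mkdir()
    (backup / "ledger.csv").write_text("date,amount\n" * 200)        # constructed data
    (backup / "notes.txt").write_text("quarterly review notes\n" * 100)
    manifest = build_manifest(backup)
    clean = verify_backup(backup, manifest)
    # Simulate an intruder on the backup share: one file replaced by ciphertext and renamed.
    (backup / "ledger.csv").unlink()
    (backup / "ledger.csv.locked").write_bytes(os.urandom(4096))
    tampered = verify_backup(backup, manifest)
    restored_ok = restore_test(backup, manifest)
    shutil.rmtree(work, ignore_errors=True)
    return clean, tampered, restored_ok


if __name__ == "__main__":
    clean, tampered, restored_ok = demo()
    print("clean set ok:", clean["ok"])
    print("tampered set:", {k: v for k, v in tampered.items() if k != "ok"})
    print("restore test passed:", restored_ok)
```

The manifest is only useful if it lives somewhere the attacker cannot edit alongside the backup, for example on the offline copy or in a write-once location; the same applies to the backup itself, which is the point of the "is it offline" question. Running this kind of check on a schedule turns "how often are backups tested" from an opinion into a log entry.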
The rise of ransomware is massively disruptive to small and medium businesses, both because of the time needed to bring systems back online and because of the damage to a company’s reputation. Some attacks are high profile enough to draw public and media interest. Two key components of detecting, responding to and recovering from a cyber-attack are an incident response plan and reliable data backups. Ask the questions above of your IT department or managed IT services vendor to raise your confidence in your ability to survive ransomware.
Scott Cooper is the President of Tower 23 IT, an IT outsource solution for small to medium businesses specializing in protecting client health and financial data to meet privacy, compliance and security requirements in the healthcare, legal, financial, real estate, and insurance industries. Scott can be reached at scottc@Tower23IT.com or 858.877.6219.