In Part 1, we discussed an evolving BCP/DR planning approach, moving from annual testing and major updates only upon significant internal corporate changes or external events to “BCP/DR-as-a-Process.” Ongoing quarterly meetings with an intradepartmental team focused on discerning potential rapidly developing threats and proactively preparing for them.
The world is simply “moving faster.” Events emerge suddenly and develop rapidly. In Part 1, Covid was the example used. Virtually no one’s BCP/DR Plans were applicable, despite the potential for a global pandemic being within the range of possibility. There are, however, additional threats currently circulating capable of causing substantial damage to companies, and we’ll address the second in this article: ransomware.
Hacking has been around since the beginning of the internet. At first, it was mostly “script kiddies,” doing it just for the challenge. There was little to be gained, as it took several years for corporations to develop eCommerce sites and even longer for consumers to feel comfortable using them. As this developed, the first generation of criminal hackers emerged. It became possible to make a lot of money by cracking websites and networks that housed or processed financial transactions.
However, this has developed into something even more dangerous in the past decade or so. Disciplined groups of highly trained criminal organizations use perpetually evolving tools and tactics. Perhaps worse, nation-state actors are now involved. Governments (with huge resources) actively target other governments or large corporations. Attacks on computer networks can do significant damage. Stealing highly protected Intellectual Property can be much more lucrative than hacking an eCommerce site. Cyberwarfare is, unfortunately, now part of 21st-century armaments.
The most recent trend is the most disturbing development to date: ransomware. This is a recently emergent threat. It has become increasingly possible to engage widely due to the advent of cryptocurrencies (demanding ransom in the form of suitcases full of cash or bearer bonds is not easy or practical). Crypto was the final piece of the puzzle. A group of bad actors can gain control of a network using software tools (generally through phishing emails) and encrypt files, demand ransom, and get paid in Bitcoin without ever leaving the comfort of their homes. Many attacks occur in places where governments do little to find or prosecute perpetrators and may even support or be indifferent to what is happening.
In the past, targets were almost always financial, i.e., Financial Services firms, eCommerce sites, etc. – places where financial transactions are processed or where data is stored. These sites and networks generally have the highest levels of protection. Often with the most expensive security tools, some firms even have threat centers designated with monitoring activity.
With ransomware, it no longer matters whether a company does eCommerce, banking, or exposes any financial data at all. Thieves are going after multiple targets, from utilities to infrastructure, schools, and even hospitals. Even city governments and state agencies have been attacked. In the modern corporation, IT security is often handled by a division of the IT Department, in conjunction with Risk Management to focus on threat mitigation.
We argue that this should also be in every company’s BCP/DR plans. They have a different angle of vision with different emphases. They have a different angle of vision and emphasis, not primarily looking at “how do we stop an attack,” but rather “what happens if we are successfully attacked.” A great deal of what goes into responding to an attack depends on variables including the nature of the network, policies (and security) around backing up data, ransomware tools used, and the criticality of the compromised data and systems.
Acting proactively can make it much easier to recover. The principle point here is that “scenario planning” into BCP/DR plans is critical because virtually any company or organization can become a target. Scenario planning is a series of “what if” exercises. What would be the Day 1, Week 1 steps? Could you restore systems from backups? Complete reboot or only partially? How quickly? What could you do right now to make recovery more possible?
If ransomware successfully infects and encrypts “xyz” (not just drives – it is possible to attack targets in the cloud), and you cannot restore from backups, would you pay the ransom? Federal law enforcement agencies universally advise against it but also understand that for some, there simply may not be a choice. If you pay the ransom, how do you decide the legitimacy of the Bitcoin account you are sending money to? What if it is sent and the software to decrypt your files is just not sent? Once you pay in crypto, the money is (usually) unrecoverable. Even further, how would you run the decryption program sent by the attackers in the first place? Would you trust it on your network?
Bottom line, we are strongly encouraging clients to develop robust ransomware sections in their BCP/DR plans. Large companies in multiple industries that got hit over the past few years had virtually no preparation. Do you want to consider the questions above when you have the time and leisure to plan ahead or at the last moment after you’ve been hacked?
Case in point, one of the biggest occurred in 2021. On May 7, Colonial Pipeline, the largest petroleum pipeline company in the U.S., was successfully attacked (incidentally, it was through a single leaked password). Multiple systems were taken offline, and the pipeline was shut down for a matter of days. The company wrestled with how to handle the situation and ultimately decided it had to pay the ransom ($4.4 million in Bitcoin – though some were later recovered). Organizations need to assess if they have a crisis response that’s been well thought-out, otherwise, the entire senior management team will be scrambling through sleepless nights to figure out on the fly (and under the gun) what should be done about the threat of ransomware that is becoming common and is increasing in frequency at an alarming rate.
COVID-19 and ransomware are two timely examples of companies being unprepared. Most BCP/DR plans were unequipped to deal with them, and firms must consider future scenarios. Contact me at jrc@enterpriseiron.com if you’d like more details about the “BCP/DR-as-a-Process” approach to keeping your firm prepared.