13 December 2021 | Scott Nursten
Drilling teams to fight more than fire
When a well-known UK business was hacked with ransomware, it took them seventeen days to issue a press release. How can they have been so unprepared for this increasingly common scenario? The answer lies in a flawed view of how IT continuity should be managed and tested.
Models for business continuity and disaster recovery follow the good old-fashioned fire drill. An alarm is triggered, a building is evacuated, critical systems are isolated and everyone participates. The standard protocol remains the same, regardless of how the fire started. Overcoming potential damage is not even considered as part of the drill.
IT continuity management requires a different drill because, unlike natural disasters such as fire and flood, the nature of threats to IT networks and data assets keeps changing. This unpredictability calls for a different approach to disaster preparation, one that builds a library of responses.
Why your BCP and DR model does not work for IT continuity
BCP and DR were the stuff of thought leadership articles in the ’90s. It has taken over twenty years for best practice to become commonplace, but threats have moved on. These models prepare you for a disruption to IT function caused by natural disaster but were never designed to help you prepare for a cyberattack.
IT continuity testing is part of your cyber resilience strategy, aiming to ensure your business can anticipate, withstand, recover, and evolve from an advanced, sustained attack. Testing your resilience to advanced threats means thinking up worst-case real-world scenarios and playing them out.
Are you prepared to tackle 1,500 simultaneous fires?
Ransomware is a classic example of how ill-prepared most businesses are for shifting modern threats. Ransomware was relatively rare until 2011, when it really took off. Then, according to a McAfee Labs Threats Report, cases leapt from 100,000 in 2014 to 720,000 in 2015.
Since then, both frequency and cost of attacks have increased. When Kaseya was hit by a supply chain ransomware attack, it impacted 1,500 businesses at once – and IBM puts the average cost of a corporate breach today at $3.86 million.
In terms of recovery, paying the ransom is only the start. There is no guarantee that your data will be returned, or that it will not be sold on the dark web. Backups help a lot, provided they are immutable: at least then you can recover your data yourself. If your backup data can be overwritten or deleted, that threat must be tested as well. But what about recovering from the aftermath of far-reaching reputational damage and ongoing costs? Do you have a pre-prepared press statement, for example? Or a plan for managing the situation with your customers? Your staff?
One year after getting hit by the NotPetya cyberattack in 2017, FedEx Corp. and Merck & Co. were left dealing with millions of dollars’ worth of technology clean-up, disrupted business and lost sales. For FedEx, the bill stretched to $400 million in remediation and related expenses. At Merck, manufacturing, research, and sales operations were disrupted. Orders went unfulfilled, such as many relating to the Gardasil 9 HPV vaccine, and costs of $670 million were reported.
Prepare for worst-case scenarios, not generic disasters
Businesses almost invariably believe they are better prepared for a cyberattack than they are, yet they are reluctant to test the resiliency of their IT continuity plans. I always ask clients, “Would you install the latest variant of a piece of ransomware on five critical machines?” The answer is usually, “Are you mad? Why would we do that?”
Yet this is exactly what we need to be doing: creating scenarios that test the systems in place to protect us, before a proper, advanced attack shows us our weaknesses in the most damaging way.
I believe people should write down on pieces of paper the worst things that could happen to their network and drop them in a bag. Once a month, someone should randomly select one of those pieces of paper, and whatever is written on it gets tested. It could be “we’ve just had a massive ransomware attack” or “we’ve just had a data centre fail”, for example.
Rehearse your IT continuity management like a sports team doing drills
Businesses should be running drills as routinely as they test the fire alarm. IT continuity management is all about being prepared to recover as quickly as possible. It is not only about having systems in place to alert you when an attack inevitably happens, but also about testing your response.
Technology is too often seen as a pre-emptive panacea that can prevent a cyber disaster. This is a mistake for two reasons: it creates a false sense of security and takes focus away from how the business should respond to a crisis.
Even the best cyber security systems can fail. What happens then? Crisis response should be so well rehearsed that it becomes corporate muscle memory. Everyone needs to know their position and actions for scenario A, scenario B, and so on. Think of set pieces in sports. Testing your IT continuity should be treated the same way.
This article was originally published in Platinum Business Magazine