No Ransomware Defense Is Complete Without Resiliency Planning
The scale of the “WannaCry” attack began to become evident on May 12, when the United Kingdom’s National Health Service was taken down by the now-infamous ransomware assault. From there it spread to computer systems in Asia and elsewhere, locking corporate and personal data away until victims paid hundreds of dollars in fees.
In the days that followed, the internet was flooded with advice for companies afraid they might be targeted next. Most of the commentators echoed the same three points: Update your operating systems, back up important data, and make sure you’re using a robust antivirus program.
Solutions like these are important, but they are all technological, and therefore subject to many of the same vulnerabilities as the systems they are designed to protect. (On top of that, two of these strategies are useful only after an attack has occurred.)
Companies that rely on information technology to conduct everyday business must consider investing in a more holistic defense, one with two key elements: resiliency planning and awareness training.
The First Steps: Resiliency and Crisis Planning
Resiliency planning can be resource- and time-intensive, but it will prove its worth in the face of an attack like WannaCry. A good resiliency plan starts with a business impact analysis (BIA), an assessment that determines the financial consequences of losing information systems and other resources as a result of cyber attacks and similar crises. Which assets are critical, and why? How sensitive is the information they store and transfer? What is the recovery priority of assets critical to the organization’s business strategy? How long will it take to recover those critical assets after a major interruption?
Trying to protect enterprise-level information systems without first answering these questions through a BIA is like setting off on a cross-country road trip without a map: It can be done, but not easily or efficiently.
Another key element of resiliency planning is crisis-management planning. Roles and responsibilities must be assigned to all core personnel, with clear ownership and accountability. Planners must also define escalation triggers, the events most likely to occur in the type of crisis being modeled. (The event trigger in the WannaCry attack was the ransomware notification, with its accompanying threats and payment instructions.) As a result, key stakeholders will know exactly what they should do and whom they should communicate with during an attack. This allows them to focus on resolving the situation and minimizing financial and reputational loss.
Following Up: Awareness Training
Resiliency and crisis management plans are useless if no one knows what to do with them, and this is unfortunately the case in most organizations. Staff members need to be trained and repeatedly drilled on the roles they must play in an attack if they are to become “human firewalls,” potentially the most effective form of cyber defense. A human firewall pays attention, identifies attacks at early stages, uses common sense at every juncture, and knows when he or she needs to escalate issues and perform other critical duties.
The implementation of a good resiliency plan and an ongoing awareness-training regimen requires significantly more time and money than installing a patch or updating antivirus software, but the benefits are far more lasting. Properly executed, they will instill a sense of security ownership within every member of your staff, and your company’s systems will be exponentially safer as a result.