[BreachExchange] Don’t Just Mitigate Ransomware

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 7 20:00:03 EST 2017


http://ww2.cfo.com/the-cloud/2017/02/dont-just-mitigate-ransomware/

Almost every day, it seems, there’s news of another ransomware attack on a
prominent organization. In fact, according to one study, almost 40% of all
businesses experienced an attack from the summer of 2015 to the summer of
2016. To protect our companies against ransomware and its potentially
disastrous technological and financial consequences, we have to understand
what’s needed to shield information technology systems from the initial
infection and how to recover as quickly as possible.

For the uninitiated, ransomware is malware designed to encrypt a victim's
data and files so that they cannot be used. In the typical design the files
are encrypted with a symmetric key generated on the victim's machine, and
that key is in turn encrypted with a public key whose matching private key
never leaves the attacker's server. The data cannot be decrypted until the
victim pays for that private key. Unfortunately, in many cases, even once
the ransom has been paid, the attackers do not provide the decryption key,
leaving victims without their money and their data.
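The key handling described above, as an added example that is not from the article or from any ransomware family, written in Go with only the standard library: a fresh AES-256-GCM key encrypts each file, and RSA-OAEP wraps that key under the attacker's public key, so bulk encryption is fast and nothing left on the victim's machine can reverse it. The sample document, the key sizes and the function names are assumptions chosen for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// LockedFile is what remains after the hybrid scheme runs: the ciphertext,
// the GCM nonce, and the per-file AES key wrapped under the attacker's RSA
// public key. None of it is recoverable without the matching private key.
type LockedFile struct {
	WrappedKey []byte // per-file AES-256 key, RSA-OAEP encrypted to the attacker's public key
	Nonce      []byte // AES-GCM nonce, unique per file
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// newGCM builds an AES-256-GCM AEAD for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt locks plaintext under a random AES-256-GCM key, then wraps that
// key with pub (RSA-OAEP over SHA-256). Only the 32-byte file key goes
// through the slow asymmetric operation; the data uses the symmetric cipher.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // the plaintext file key is destroyed; only priv can unwrap it now
		fileKey[i] = 0
	}
	return &LockedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt is the step the victim cannot perform: it needs priv, which the
// article notes is usually stored on the attacker's server.
func Decrypt(priv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, err // any key other than the attacker's fails the OAEP check here
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, nil)
}

// Demo runs the scheme end to end on a constructed sample document. It
// returns the text recovered with the attacker's private key and whether an
// unrelated private key (any key the victim could generate) was rejected.
func Demo() (recovered string, wrongKeyRejected bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // stays on the attacker's server
	if err != nil {
		return "", false, err
	}
	victim, err := rsa.GenerateKey(rand.Reader, 2048) // a key the victim controls
	if err != nil {
		return "", false, err
	}
	sample := []byte("Q3 forecast: revenue 12.4M, opex 9.1M (constructed sample)")
	locked, err := Encrypt(&attacker.PublicKey, sample)
	if err != nil {
		return "", false, err
	}
	if _, err := Decrypt(victim, locked); err != nil {
		wrongKeyRejected = true
	}
	plain, err := Decrypt(attacker, locked)
	if err != nil {
		return "", wrongKeyRejected, err
	}
	return string(plain), wrongKeyRejected, nil
}

func main() {
	recovered, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("unrelated key rejected: %v\nrecovered with attacker key: %q\n", rejected, recovered)
}
```

Demo() generates a second, unrelated RSA key to show the victim-side failure: RSA-OAEP rejects the wrapped key outright, and without the file key AES-GCM cannot even begin. The practical consequence for the rest of the article is that recovery planning has to assume the encrypted data is gone, which is why point-in-time copies, not cryptanalysis, are the remedy.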

As the saying goes, preparation is half the battle. Don't wait for an
incident to happen. CFOs need to partner with CIOs to ensure their
organizations are not just several steps ahead of attackers but are also
building the IT resilience that lets the business keep operating, and even
thrive, in the face of adversity.

Your Closest Ally

As businesses grow and increasingly move critical data and applications
into cloud infrastructures and migrate them between data centers, CFOs are
becoming more involved in driving IT decisions, such as the purchase of
hybrid cloud disaster recovery (DR) solutions that protect brand reputation.

A CFO’s understanding of the risks that ransomware presents to the business
will help the CIO build the infrastructure and services needed to protect
and serve the company. As a CFO myself, when I talk with peers and CIOs
from customer organizations and discuss their disaster recovery (DR) plans
and infrastructure, I always advocate looking beyond the ROI elements to
the reputation of a company in the event of a ransom attack. We then
identify the areas considered to be risky and channel the requisite
investments accordingly.

For example, there are certain areas in a business that are important for
the future growth and scale of the company, areas where it will need to
invest in upgrading its technology. When a company changes technologies,
though, it is changing vital elements of the business, and that is where it
is necessary to identify and examine risks related to these new
technologies and to build DR plans for them. It all starts from an agreed
strategy — the CIO executes and the CFO makes sure IT has the proper
resources as it aligns to future goals.

CFOs need to open the line of communication with CIOs and encourage them to
voice concerns. Regular meetings should examine IT risks, how to mitigate
them, and evaluate if the CIO has adequate resources. The team should
determine if the business can continue to grow and scale while maintaining
compliance, and ensure that DR and hybrid cloud strategies are relevant and
effective.

Investing in Disaster Recovery Platforms

Part of a well-rounded IT and cybersecurity investment strategy involves
identifying on a regular basis the key applications and data that are at
risk and ensuring they are protected. Reach out to other CFOs to see what
technologies they are investing in and how they were selected. Gather as
many data points as you can before making a decision, but also cast a
critical eye: What is the cost of downtime, and what would you personally
consider acceptable as a customer? Be sure to also include the "long game"
view in these peer conversations. Often there are significant “vendor
lock-in” issues that others have encountered, which can severely restrict
the organization’s options down the road.

Today’s IT landscape is more dynamic and unpredictable than ever before. To
keep pace, an organization’s DR plan must be easily implemented and
regularly tested. Still, failed deployments and failed DR tests continue to
grow in number, as IT environments have become too complex for manual
runbooks and hand-maintained recovery procedures to keep up with. That should
give any CFO and CIO serious pause to revisit their underlying
infrastructure and software.

There are several questions for CFOs and CIOs to consider when revamping
their DR plans and when evaluating existing technology or acquiring new
technology:

Can the organization recover (i.e., “rewind”) back to a point-in-time just
seconds before an IT outage occurs? Is it able to get critical data,
applications, websites, and individual files operational within minutes?

Is the organization able to successfully and quickly run DR tests with a
high degree of automation, or does such activity require long lead times, a
large support team, and expensive consultant resources?

Does the company's existing infrastructure and DR technology stack give it
the flexibility to achieve continuous data protection with block-level
replication and enterprise-class scalability? Bear in mind that replication
alone copies encrypted files as faithfully as clean ones; it is the retained
point-in-time history, kept where the infected environment cannot alter or
delete it, that makes the "rewind" possible.

Does the organization currently experience vendor lock-in, making it
restrictive to use other technologies that are the best fit for its
business needs?

Cyber insurance policies are a means of mitigating risk and managing the
impact of IT breaches. Some policies involve putting money aside for the
potential payment of a ransom, but placing funds in reserve might not
always be the best option. That money should be put to use for the future
growth of the company, R&D, and sales and marketing. Consider instead
taking the right measures to protect the company by investing in solid DR
solutions.

In today’s risky IT world, it is absolutely necessary for the CFO and CIO
to work together to protect the company’s data. Their combined efforts are
needed to safeguard the company’s information and finances as well as its
most valuable intangible asset — the company's reputation. Paying a ransom
is never recommended, as there is no guarantee that a decryption key will
be provided. The capabilities for immediate and full data recovery should
be in place so that that option never warrants consideration.