The expert view: keeping the hackers at bay

Ransomware attacks are growing and organisations that fall victim to them can suffer severe consequences. Attendees at a virtual roundtable discussed the need for disaster recovery plans

‘People have been buying anti-malware software for years, but we still get malware,’ Vileen Dhutia, of cloud data management and enterprise back-up software company Rubrik, told an audience of senior executives at a virtual roundtable event. He explained that today’s focus on ransomware protection would bring a similar problem: the protection is only good up to a point.

Mr Dhutia added that ‘the barriers have been broken’ and businesses must assume they will be breached at some point, which means having a reliable recovery plan in place. Unfortunately, many organisations overlook their recovery plan or are unable to create one because infrastructure and security teams are not working together.

With ransomware a growing threat, how do businesses quantify their security measures and how prepared are they for the worst?

Ransomware attacks can have long-standing effects

One attendee, from a firm in the hospitality industry, gave a vivid account of what can go wrong. His company fell victim to a ransomware attack last year before he joined. He said the attackers had infiltrated the company’s systems months before launching their attack. The company’s back-ups were not air-gapped and therefore useless. Their only choice was to pay the ransom.

Even then, the delegate said, the company did not get all its data back. They had to rebuild their entire directory domain from scratch, on the assumption that the original could no longer be trusted. A lot of the missing data was financial data, meaning that regulators were conducting extra audits to be sure that everything was in order. The lack of a strong recovery plan had cost them extra time and money, as well as damaging the confidence of investors.

Despite this example, there was no consensus from attendees at the briefing on the right way to handle this threat. While some accepted the need for better recovery plans, others felt that it is still better to try to prevent a breach from happening at all.

One typical response came from an attendee who argued that preventative measures, even if not perfect, at least slow down the attacker. Another argued that ‘the best way to escape a bad position is not to get in that position in the first place’.

Developing the right recovery plan

Nevertheless, attendees accepted that the threats are so great that it is important to have a plan in place. The recovery plan needs to be carefully thought out, but it must also be rehearsed so that it can be implemented as quickly as possible. That means getting senior executives involved in testing the plan, which can be a challenge. One attendee said that the key is to emphasise that four hours of their time spent testing a recovery plan now will save vastly more time in the event of an attack.

Another attendee said it is essential to devise a plan for recovering the organisation’s ‘golden eggs’ after an attack. It is important to engineer with an attack in mind so that you can resist an attack, recognise when a breach has occurred and then recover from the damage. For that to be possible, the IT team has to have a good understanding of what is going on in the business, which many don’t.

All agreed that third-party risk can be a particular worry. It is important to assess risk appetite, carry out due diligence on third parties and rank them according to risk. However, as one attendee pointed out, a third party that had been compromised in the SolarWinds attack would appear to be entirely trustworthy.

Overall, there was cautious optimism about the present situation. Ransomware threats may be widespread and growing, but attendees were hopeful that organisations are beginning to understand their resilience, learn from threats against others and put in place appropriate controls. However, there is still clearly much to be done.