A good recovery plan is key to minimising the impact of a ransomware attack – attendees at a recent breakfast briefing discussed strategies for drawing up the right plan
Ransomware attacks are increasingly common and can be crippling for businesses. Introducing a Business Reporter breakfast briefing at the Goring Hotel in London, Chris Butler, Resilience Director at Databarracks, said the priority is ultimately to get your business back up and running efficiently. This requires planning and preparation to be able to move speedily from response to recovery.
He told attendees, all senior executives from a range of sectors, that “getting back up and running requires an end-to-end approach” involving the whole organisation. Many companies don’t know where to start, and there will be an expectation of a fast response and rapid recovery within the business. This is a struggle for many organisations, however. Attendees had plenty to say about the obstacles to a successful business recovery and shared strategies for improving the situation. At least, all agreed, this is now definitely accepted as a business and not an IT problem.
The reality of a ransomware attack
The main obstacle, attendees said, is lack of experience. If an organisation has not been through an attack, and senior staff have not experienced one, then it can be hard to understand the potential impact and the need for preparation. In training, one executive said, staff often deny the risk of attack entirely and insist that their preventative measures will protect them. Everyone agreed that it’s necessary to prepare for an inevitable breach, rather than hope that your defences will hold firm.
Inexperience can also create unrealistic expectations about what will happen during a breach. Many businesses think they can recover far more quickly than is feasible, for example. Organisations might set targets for recovery time, but the reality of a ransomware attack means that it might be impossible to even begin recovery until insurers or law enforcement have carried out a full forensic investigation.
Attendees also said that many organisations don’t have sufficient knowledge of their IT environment to plan a recovery. They need to know what systems they have, who is responsible for them and how critical they are to running the business. Gathering all that information is hard, particularly where legacy systems are present, because it is entirely possible that nobody in the company understands exactly how they work. Modern hybrid IT environments are highly complex.
Planning for a rapid recovery
Nevertheless, a plan is needed, so these obstacles must be overcome somehow. A sensible starting point is to determine who leads the response. Those at the briefing recommended a senior committee, with the authority to take meaningful decisions, which would meet at least quarterly to discuss strategy. Such a committee should also undertake regular exercises to explore its response to a range of demanding scenarios and practise the decisions it would have to make in each case. This senior committee must have ownership at the C-suite level.
A key early decision would be to identify the priorities for recovery. That means determining what Butler called a “contingent operating state”. What are the two or three systems that absolutely must work so that the company can function? As one person at the briefing pointed out, every department tends to think it is the most important, so priorities must be determined based on the business impact analysis.
That approach typically uncovers the organisation’s important business services, and from that point it is possible to plan which critical IT services should be recovered first. Even so, it’s important to accept that risks are unpredictable. For example, not so long ago, most organisations expected that in a disaster they would relocate to a backup site. Few expected the situation that arose from the Covid pandemic, in which people could not work together in any location, so businesses had to instead make a rapid switch to home-working.
The vital importance of backups
Central to any recovery plan, attendees agreed, are data backups. These must be carefully planned and managed. A key priority is to ensure that backups are not also infected in the ransomware attack. Once they are, the company risks restoring already infected data.
Therefore, it is necessary to make regular backups, so the organisation always has the option to restore clean data from before the point of infection. But it would be far from ideal to have to rely on a three-month-old backup because so much business activity would be lost. Attendees said that means taking steps to protect backups from infection. Having them properly air-gapped – kept off the main network, managed by a separate team, and ideally stored off-site – is essential.
Sometimes it is better to entrust that to experts. Butler said that Databarracks had sometimes been the first to spot a breach because it had noticed suspicious anomalies in backup data before the customer had noticed themselves. Databarracks could then alert the customer and secure clean backups in preparation for recovery.
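As an added example (not code from the article or from Databarracks), the following Python script applies the kind of anomaly check described above to constructed nightly backup job statistics, and then selects the most recent backup taken before the first anomaly as the restore point, so that the organisation restores clean data without falling back further than necessary. The field names, sample values and thresholds are assumptions made for this illustration.

```python
"""Flag ransomware-like anomalies in backup job metadata and pick the latest
clean restore point. Added example; field names and thresholds are assumed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BackupJob:
    date: str           # ISO date of the snapshot
    changed_pct: float  # share of files changed since the previous snapshot (0-100)
    dedup_ratio: float  # dedup/compression ratio; encrypted data barely compresses


# Assumed thresholds for this example, not vendor defaults.
CHANGE_SPIKE_FACTOR = 5.0  # changed_pct more than 5x the recent median is suspicious
MIN_DEDUP_RATIO = 1.5      # below this, the changed data looks incompressible


def baseline_median(jobs: List[BackupJob]) -> float:
    """Median change rate of a window of jobs; robust to a single outlier."""
    vals = sorted(j.changed_pct for j in jobs)
    n = len(vals)
    return vals[n // 2] if n % 2 else (vals[n // 2 - 1] + vals[n // 2]) / 2


def is_anomalous(job: BackupJob, baseline: float) -> bool:
    """Mass rewrite of files combined with incompressible data suggests encryption."""
    return job.changed_pct > CHANGE_SPIKE_FACTOR * baseline and job.dedup_ratio < MIN_DEDUP_RATIO


def find_anomalies(jobs: List[BackupJob], window: int = 7) -> List[str]:
    """Compare each job against the median change rate of the preceding window."""
    return [jobs[i].date for i in range(window, len(jobs))
            if is_anomalous(jobs[i], baseline_median(jobs[i - window:i]))]


def last_clean_restore_point(jobs: List[BackupJob], window: int = 7) -> Optional[str]:
    """Latest snapshot strictly before the first anomaly. Later snapshots may look
    quiet again (already-encrypted data changes little), so stop at the first flag."""
    flagged = set(find_anomalies(jobs, window))
    clean = None
    for job in jobs:
        if job.date in flagged:
            break
        clean = job.date
    return clean


# Constructed sample: eight normal nights, a mass-encryption night, then a quiet night.
SAMPLE_JOBS = [
    BackupJob("2024-03-01", 2.1, 3.2), BackupJob("2024-03-02", 3.4, 3.0),
    BackupJob("2024-03-03", 1.8, 3.1), BackupJob("2024-03-04", 2.6, 3.3),
    BackupJob("2024-03-05", 4.0, 2.9), BackupJob("2024-03-06", 2.2, 3.0),
    BackupJob("2024-03-07", 3.1, 3.1), BackupJob("2024-03-08", 2.7, 3.0),
    BackupJob("2024-03-09", 61.5, 1.05), BackupJob("2024-03-10", 0.9, 1.02),
]
```

Run against the sample, the check flags 2024-03-09 and recommends restoring from 2024-03-08; in practice this heuristic complements, rather than replaces, forensic confirmation of when the intrusion began.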
As Butler put it, nobody wants to be typing “ransomware recovery plan” into Google on the morning of a breach. Organisations must accept that no prevention plan is perfect, so they need to plan for the worst and regularly practise implementing that plan. It is never too soon to begin planning.
In summary, businesses need to plan their recoveries in advance. This needs strong ownership at board level, and a sound understanding of business and technology priorities. What’s really important to you and your company? Often, the only reliable way out of a ransomware attack is having clean, offsite backups available to be restored into a trusted environment.
For more information visit www.databarracks.com.
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543