Sooner or later, every organization runs the risk of falling victim to ransomware, whether it is a production company, a (local) government body or a care institution. The examples are legion. The disadvantages are well known, from downtime to reputational damage. But how can a strategic business continuity plan ensure that the damage remains limited and that your business is soon fully back on track?
‘Yes, but our network is well protected with the best tools. It won’t happen to us.’ We hear this quite often, and yet a good security policy is much more than the tools. Every organization needs a Business Continuity Procedure (BCP): a protection and a plan of approach against all possible crises, such as a strike, a technical breakdown due to a natural disaster, or a pandemic. IT plays an important role in this. IT is increasingly the beating heart of a company. The business depends on applications, so anyone who wishes to protect his or her business must protect the apps.
What is the best way to go about this? First, we look at the client’s business and try to calculate the potential financial impact of a ransomware attack. There are the direct costs of the downtime (an average of 7 days) and the indirect costs: think of the reputational damage and the morale of your own employees, which will suffer. And then, of course, there are the costs after the attack: restart, analysis, extra protection, missed orders, etc.
The aim of such a plan is to keep the time between the outage and the restart as short as possible. What is important is to find and preserve the necessary evidence so that it can be analyzed. Just as in CSI: a special team comes in to take detailed stock of all the traces on-site before the corpse can be moved from the crime scene.
There are a few challenges to be met when drawing up a BCP. No one likes to talk about disaster recovery. It takes a lot of time, is sometimes complex, and managing it is far from straightforward. It is still too often seen as an IT project, whereas in fact it is a business project. Raising awareness of this in the organization, and among the board of directors, is a lengthy endeavor. This kind of project often begins in the IT department, but it is important that the business units and the C level are involved from the outset. An external “translator” can facilitate the discussions between IT and the business.
A BCP needs to have an answer to three questions:
In our approach, we focus on the most important critical apps and examine what a 24-hour downtime would cost for each of these apps and for each gap. We also check how much data you can afford to lose, and we attach a rating to each app (Tier 1 is very important, so its recovery time must be kept as short as possible). This is an important exercise for a company. Everyone finds his or her own app and tools the most important, but our objective overview provides a clear financial picture of the importance of each of the tools used.
The following step is the GAP analysis, which reveals the difference between what the business asks for and what IT can deliver today. These gaps may differ in scale and importance for each app.
With these data, you can define actions to address each gap. These are not necessarily always IT-related items, and of course there are quick wins that you can implement very quickly. Next, you draw up a roadmap in which you define the short-, medium- and long-term actions and determine the priorities. With this objective and quantitative analysis, you as an IT department can more easily persuade the board of the importance. Only after this analysis has been completed should you start thinking about technological solutions. A crucial aspect of such a BCP is that you have to be able to test the consequences of an application going down.
Companies sometimes decide to pay the ransom demanded: (1) if the recovery would take too long, (2) if the backup is also encrypted, or (3) if they don’t know which documents are encrypted and which are not.
If you pay the ransom, you are of course continuing to feed the system.
To prevent this, you need a healthy mix of security components, but the backup is also a crucial part of the story. It is the last bastion you can rely on, because it provides an answer to the three reasons above. With a direct launch from the backup, you have instant recovery (1) and a short recovery time. Immutability (2) means that files that end up in the backup can no longer be modified, so you are sure that the data are safe and not encrypted. To know what is and what isn’t encrypted, you have to work on better visibility (3), and that is perfectly possible in the backup, where all data come together. By analyzing the backups (are there differences from yesterday, have file names changed, have large quantities of data been moved?) you can do this very efficiently. The time savings for an IT team are enormous and the recovery is also much faster.
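The backup-comparison idea above, as an added example that is not part of the original article or of any backup product: two constructed catalog snapshots (path to size and content hash, as a backup index would hold them) are compared to find files that vanished, changed, or were renamed to a never-before-seen extension, and to list which originals are still clean. The churn threshold and the sample data are assumptions.

```python
import os
from collections import Counter

# Constructed sample catalogs: path -> (size_bytes, content_hash), as a backup
# system's index would hold them.  Hashes are shortened placeholders.
YESTERDAY = {
    "docs/q1-report.docx": (20480, "a1"),
    "docs/budget.xlsx": (40960, "b2"),
    "docs/contract.pdf": (102400, "c3"),
    "hr/payroll.xlsx": (8192, "d4"),
    "it/runbook.md": (4096, "e5"),
    "it/logo.png": (65536, "f6"),
}
TODAY = {
    "docs/q1-report.docx.locked": (20512, "x1"),
    "docs/budget.xlsx.locked": (40992, "x2"),
    "docs/contract.pdf.locked": (102432, "x3"),
    "hr/payroll.xlsx.locked": (8224, "x4"),
    "it/runbook.md": (4200, "e9"),   # legitimate edit
    "it/logo.png": (65536, "f6"),    # untouched
}

def compare_snapshots(yesterday, today):
    """Split yesterday's files into unchanged / changed / gone, and list new ones."""
    common = yesterday.keys() & today.keys()
    changed = {p for p in common if yesterday[p][1] != today[p][1]}
    return {
        "unchanged": common - changed,
        "changed": changed,
        "gone": set(yesterday) - set(today),
        "new": set(today) - set(yesterday),
    }

def likely_encrypted(yesterday, today):
    """Map each new file carrying a never-before-seen extension back to the
    original it replaced (e.g. 'a.docx.locked' -> 'a.docx')."""
    known_ext = {os.path.splitext(p)[1] for p in yesterday}
    hits = {}
    for p in set(today) - set(yesterday):
        base, ext = os.path.splitext(p)
        if ext not in known_ext and base in yesterday and base not in today:
            hits[base] = p
    return hits

def assess(yesterday, today, churn_threshold=0.25):
    """Return (alarm, report).  Alarm when the share of files that vanished or
    changed content exceeds the assumed threshold, or when files renamed to an
    unknown extension appear; the report also lists originals that are clean."""
    diff = compare_snapshots(yesterday, today)
    churn = (len(diff["gone"]) + len(diff["changed"])) / max(len(yesterday), 1)
    enc = likely_encrypted(yesterday, today)
    ext_counts = Counter(os.path.splitext(p)[1] for p in enc.values())
    alarm = churn >= churn_threshold or bool(enc)
    return alarm, {"churn": round(churn, 2), "encrypted": enc,
                   "new_extensions": dict(ext_counts),
                   "safe_to_restore": sorted(diff["unchanged"])}
```

On the sample data the alarm fires, four originals are mapped to their `.locked` replacements, and only `it/logo.png` is reported as unchanged; `it/runbook.md` shows up as changed and would need a manual look.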
Your backup as an impenetrable bulwark is the foundation of a good BCP. Without this basis, there’s really no point in starting to look for other security solutions.