What a start to Business Continuity Awareness Week! The theme for this year is Cyber Resilience’, and the week has started with the investigations and continued fall-out from what has possibly been the world’s largest cyber security event which occurred on Friday afternoon.
A ransomware attack has spread throughout 150 countries, infecting more than 200,000 computers, and impacting a wide-range of diverse organisations, including a number of NHS Trusts, Telefonica, German railways, the Russian Interior Ministry, Fedex and Renault manufacturing sites. The full impact has not yet been fully realised, and even whilst I write this, not all systems have been recovered.
The investigations, recriminations and reports into this attack will be released over the coming months, and it is too early to speculate as to how the attack started in each organisation. However, it is worth noting a few key lessons:
There has been much in the media about how NHS Trusts are resorting to using pen and paper. If this is the strategy that has been adopted as part of the business continuity plan, then this makes sense. However, it remains to be seen whether business continuity plans have been fully effective at meeting the required Recovery Time objectives (RTOs) for each of the services that have been impacted.
If there is an effective back-up in place, organisations will be better placed to be able to recover or access their records. Having said this, it is known that some cyber attacks lie dormant and undiscovered for a period of time, and there is no guarantee that a back-up will be unaffected, particularly where mirroring techniques are used.
During this attack, most experts have been agreed about the recommendation not to pay a ransom, although I did hear one radio interview stating ‘just pay them’. Majority of ransomware demands are relatively small, and it maybe that organisations do decide that it is simpler just to pay; indeed by noon on 15th May, is was reported that $38000 dollars had been paid, although it is not known whether this led to the recovery of the files. In an exercise that I ran recently, there was a lengthy debate about whether or not to pay; it was then realised that the organisation did not know how to get bitcoins. By having a pre-determined strategy, the focus can then be on recovery rather than debating whether or not to pay.
Information Security is not purely an IT team issue. Staff need to understand which emails and links are safe to open. An example reported in the Telegraph today describes an event: ‘a few weeks ago, 15 of Donald Trump’s advisers received an email, apparently from a friend. It contained an invitation to edit a Google spreadsheet. More than half of the recipients clicked on the link. James Comey, then still the FBI director, actually replied to it. The email in fact came from the website Gizmodo. It wasn’t a hack, though it could have been. It was a stunt, intended to show how vulnerable our systems are to hackers’ number one weapon: human stupidity.’
We all grumble when the latest Microsoft updates foul up a PC for a day or more (well, I certainly do!), but many larger organisations hold onto patches to test them before rolling them out across the network. There may be further delays for devices which do not connect to the network regularly, such as laptops. The problem is further aggravated by Bring Your Own Devices (BYOD), where organisations allow staff to use their own equipment and mobile devices. It is critical that updates and security patches are applied in a timely fashion.
Operating System Updates
There is a cost to updating systems and sometimes, such as in the ill-fated Vista and even Windows 8, there appears to be a valid reason for not being an operating system bellwether. However, when systems, such as Windows XP, are no longer technologically supported, the organisation must understand the risks related to continued use of this system, and must ensure that strategies and plans are in place in the event of things going wrong. It is quite possible, in this instance, that the short term financial saving of not updating will be completely wiped out by the longer-term impact of this cyber attack.
The Way Forward
Not all organisations will want to certify to ISO 27001. However, by following the standard, and implementing a comprehensive information security management system, which includes a systematic process to understand, assess and mitigate risks to security, and which ensures that an incident management plan is in place, as well as back-up and business continuity plans, an organisation will be much better placed to prevent or respond to such attacks.
Contact Cambridge Risk Solutions to find how we can help you with information security and incident management planning, Call us on 0800 035 1231
Written by Helen Molyneux