What SMEs should be thinking about in the wake of 2017’s ransomware explosion
During the WannaCry ransomware outbreak of May 2017, Australia initially proved itself to be the “lucky country” once again. Whilst we largely escaped the fall-out from that first wave, WannaCry was a very big deal for many others: disaster recovery became an urgent problem for more than 200,000 victims in 150 countries over the first weekend alone. As time went on, WannaCry’s variants and derivatives, along with entirely new strains, did start affecting Australian businesses. Today, when you tell someone you know a business that has been “cryptolocked”, people know what you’re talking about.
One thing’s for sure: there will be more attacks, better and more sophisticated. Why? Because these are no longer lone hackers in hoodies in basements, but professional criminal networks whose business is to orchestrate a continuous stream of same-same-but-slightly-different hacks, scams and malware, retooling each wave to slip past the defences and patches that stopped the last one.
You may feel secure that you’ve dodged a bullet so far. You may even have taken some lessons away from WannaCry and the other crises of 2017. Many businesses are starting to understand that human error and employee education are key, and that a combination of internal and external IT resources is the best way to cover all bases. One caveat worth remembering: WannaCry itself needed no one to click anything. It spread from machine to machine through an unpatched Windows file-sharing (SMB) vulnerability, so prompt patching matters every bit as much as staff awareness. (Check out our Top Tips to Protect against Ransomware Infographic and Do You Understand the Phishing Threat Guide)
But, there’s a piece of the puzzle that most organisations simply don’t think about strategically, much less plan for!
Losing your data is bad, but what comes next is worse!
Getting hit by ransomware does not just result in data loss or lock-out; it causes organisational paralysis. You need to ask yourself what this would look like for your organisation. Organisations hit by ransomware find themselves battling disabled systems, dealing with reputations and client relationships in crisis, most with data still locked up, and grappling with the moral dilemma of whether to pay up or not (despite expert recommendations not to pay: a payment funds the next campaign and does not guarantee a working decryptor).
Why having a good backup system is no longer enough
By and large in the SME world, we do back up systematically and there is pretty good awareness about the regularity of backing up. Yes, this will help you sleep a bit easier at night and help you restore data that you can no longer access…eventually…provided the backups are recent, complete and viable. “Viable” deserves a second look: ransomware encrypts whatever the infected machine can write to, so a backup sitting on a mapped drive or an always-connected share is often encrypted along with everything else. A backup only counts if a copy is kept where the production network cannot overwrite it, and if you have actually restored from it and checked the result, rather than assuming the nightly job worked.
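What “recent, complete and viable” looks like as an automated check, added here as an illustration rather than anything from the original article: a small POSIX shell script that builds a constructed sample data set (a fake customer list and ledger, not real data), records a checksum manifest at backup time, then verifies the archive is fresh, lists cleanly, restores cleanly into a scratch directory, and matches the manifest file for file. The final step deliberately overwrites the archive with garbage to show how a backup that was itself corrupted or encrypted fails the test. The manifest uses `cksum` because it is available on every POSIX system; it detects corruption but not deliberate tampering, so in practice you would record `sha256sum` output instead, and you would run the check from a host the production network cannot write to.

```shell
#!/bin/sh
# Added example: a minimal restore test for a tar.gz backup.
# All data below is constructed for the demo; paths are arbitrary.
set -eu

# make_sample_backup DIR
# Builds a tiny "production" tree under DIR, records a checksum manifest of
# every file, and archives the tree. Prints the archive path on stdout.
make_sample_backup() {
  base="$1"
  mkdir -p "$base/prod/customers" "$base/backups"
  printf 'id,name\n1,Acme Pty Ltd\n' > "$base/prod/customers/list.csv"
  printf 'ledger 2017-12\n' > "$base/prod/ledger.txt"
  # Manifest taken at backup time: relative path, CRC and size per file.
  ( cd "$base/prod" && find . -type f | sort | xargs cksum ) \
    > "$base/backups/manifest.txt"
  tar -czf "$base/backups/prod.tar.gz" -C "$base" prod
  echo "$base/backups/prod.tar.gz"
}

# verify_backup ARCHIVE MANIFEST MAX_AGE_DAYS RESTORE_DIR
# Returns 0 only if the archive is recent, readable end to end, restores
# without error, and every restored file matches the manifest.
verify_backup() {
  archive="$1"; manifest="$2"; max_days="$3"; restore="$4"

  # 1. Recent: modified within the last MAX_AGE_DAYS days.
  [ -f "$archive" ] || { echo "missing archive: $archive"; return 1; }
  if [ -z "$(find "$archive" -mtime "-$max_days" -print)" ]; then
    echo "archive older than $max_days day(s): $archive"; return 1
  fi

  # 2. Complete: the whole archive must list without error.
  tar -tzf "$archive" > /dev/null 2>&1 || { echo "archive is corrupt: $archive"; return 1; }

  # 3. Viable: trial restore into a scratch directory, then compare checksums
  #    of the restored files against the manifest recorded at backup time.
  rm -rf "$restore"; mkdir -p "$restore"
  tar -xzf "$archive" -C "$restore" || { echo "restore failed: $archive"; return 1; }
  ( cd "$restore/prod" && find . -type f | sort | xargs cksum ) > "$restore/actual.txt"
  if ! cmp -s "$manifest" "$restore/actual.txt"; then
    echo "restored files differ from manifest:"
    diff "$manifest" "$restore/actual.txt" || true
    return 1
  fi
  echo "backup verified: $archive"
  return 0
}

# Demo on the constructed data: a fresh backup passes, a clobbered one fails.
demo_dir=$(mktemp -d)
demo_archive=$(make_sample_backup "$demo_dir")
verify_backup "$demo_archive" "$demo_dir/backups/manifest.txt" 1 "$demo_dir/restore"
printf 'garbage' > "$demo_archive"   # simulate the backup being encrypted/corrupted
if verify_backup "$demo_archive" "$demo_dir/backups/manifest.txt" 1 "$demo_dir/restore2"; then
  echo "unexpected: corrupt archive passed"; rm -rf "$demo_dir"; exit 1
fi
rm -rf "$demo_dir"
```

Schedule something like this to run after every backup job and treat a non-zero exit as an incident; a backup that has never been restored is an untested assumption, not a recovery plan.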
Business viability depends on three key elements:
- data and systems are available;
- data and systems are secure;
- data and systems can be recovered at any given time.
Systematic backup and secure cloud-based storage can ensure your data is available, and implementing security best practices against cyber threats and human error can bolster your security. But if your business were to suffer a breach or cyber-attack, are your resources…or even your business…recoverable?
Things to consider as part of a disaster recovery effort:
- How long would it take for you to recover your data, systems and operations (your recovery time objective), and how much recent work would be lost in the process (your recovery point objective)?
- Where would you do this?
- How much would this cost?
- Who needs to be involved in this process?
- What legal and compliance issues do you need to satisfy in this process?
Why a Disaster Recovery Plan is essential
Businesses in the digital age need to complement their security and backup measures with a separate and distinct disaster recovery plan. How long would it take you to retrieve your backed-up data? Would you even be able to use that data if you were locked out of your business-critical systems too? If your business is reliant on digital infrastructure, waiting even minutes, let alone days or weeks, to reinstate your data or systems from a backup could be crippling…there’s a never-ending list of scenarios where the longer your down-time, the greater your exposure to financial loss and business disablement. In fact, 31% of businesses have said that they would not be able to survive beyond a week if disabled by a cyberattack – at that point the potential fallout runs into the millions.
It’s telling that in the most recent PwC Annual CEO Survey, 80% of CEOs in Australia said that they are concerned about cyber threats, but when asked about areas of business they want to strengthen to underpin new digital business opportunities – not a single CEO mentioned cybersecurity!
Entering 2018 the stakes are even higher, as a suite of new data-breach notification and privacy compliance rules comes into effect for Australian businesses, most notably the Notifiable Data Breaches scheme under the Privacy Act. These will require businesses to have incident response and reporting plans in place and ready for immediate execution, or else face major penalties.
Given the ransomware goings-on of 2017, proactive cybersecurity might now be more prominent in business leaders’ minds. But business leaders still need to take that final step and start treating recovery planning as the new backup: an equal part of the security equation, guarding the business against the even costlier and much longer-term hamstringing effects that follow a cyber-attack.