by Shawn D. Stewart

Ransomware Survival – Part 3 Aftermath

OR Live, Work, but Don’t Repeat

I had to plug in my Serious Keyboard for this post. When the dust settles and some semblance of normal has returned, it is time to understand what happened, how it happened, and how to prevent or mitigate a repeat. Many small to medium businesses never get that far: according to Beazley, 60% of SMBs never reopen after an attack, and SMBs are the preferred target, accounting for 62% of known attacks.

Jung says… – Human psychology, as part of the grieving process, wants justice. Owners and investors will want someone to blame or punish for the attack, since they will almost never find and prosecute the actual attacker. This typically turns into a witch trial, where everyone from the CEO to the mail room clerk is scrutinized and many are fired. That path leads directly to wrongful termination suits and should be avoided.

AAR – The after-action report (AAR) is a habit every business should already have as a staple. Its tone is centered on facts, not conjecture. The report may be required by insurers or regulators as part of disclosure requirements. The goal is simple: perform an unbiased investigation that details the timeline of events from beginning to end, including the initial point of entry, what the attacker touched, and when each step was (or was not) detected. Bring in a third party, if necessary, to prevent emotional conclusions.

Fall in to the… – Gap analysis follows directly from the after-action report. Now is the time to identify and correct holes in security, missing policies and procedures, and other deficiencies. Most importantly, the gap analysis should work to prevent a similar attack from recurring. Be careful not to tighten security so much that productivity falters. Mandatory training for everyone, from the CEO to the mail room clerk, is typically the primary recommendation. Policy is the first step to better security. If your antivirus did not catch it, it is time to replace it; but also ask why nobody noticed until the ransom note appeared, because a missed alert is a gap in monitoring and logging, not only in the endpoint product.

You're Fired! – Short of criminal negligence, individuals should be met with training and understanding rather than admonishment from leadership. History has shown that many of these incidents are brought on by trusted members of leadership, even the CEO. He who is without technical faults, cast the first stone. Sometimes this requires a complete refocus of corporate priorities from productivity and profits to protection and people. Remember, without people, you have no organization.

Disaster Recovery to the Rescue! – I will stress again what should be tattooed on your brain by now: if your backups are failing or you have not tested them, stop reading now and go do it! For ransomware in particular, a backup the attacker can reach from the compromised network is not a backup at all, since encrypting or deleting it is part of the playbook; keep at least one copy offline or otherwise immutable. This advice is not just for ransomware or attacks. Replace the word "ransomware" in the title with tornado, hurricane, flood, fire, asteroid, solar flare, EMP, terrorist attack, user error, power grid failure, killer clowns from outer space, or anything else. You MUST protect your people and your data, or you will not be in business long.

Some Like It Hot – Finally, secondary sites are available for companies to move people to during a disaster or remodeling. These can be cold, warm, or hot sites, depending on the readiness level required and the amount of money an organization is willing to spend. As the terms imply, a cold site may be an open warehouse space; a warm site an office suite with cubicles and a collection of off-site backups; and a hot site a fully operational, regularly updated replica of your current production environment. Mobile sites are gaining popularity, where a trailer or other fully network-ready environment is delivered to your parking lot. One caveat for ransomware: a hot site that replicates production in near real time will faithfully replicate the encryption too, so it is a continuity measure, not a substitute for point-in-time backups.


Do I need to say it again? Yes, I do. Test your backups to the point of buying a brand-new computer, loading the software, and restoring the data. Why? Because you may very well be required to do exactly that. If you do not have the skills for this, find someone you trust.
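To make the drill concrete, the script below is an added example, not something from the original post: the smallest restore test worth running. It backs up a directory, restores it into an empty location (never over the live data), and checks every file against a SHA-256 manifest written at backup time, so a truncated or tampered archive fails instead of looking fine at a glance. It assumes GNU tar and the coreutils sha256sum found on most Linux systems; the data it backs up is constructed on the fly.

```shell
#!/bin/sh
# Restore drill: archive a directory, restore it into a clean, empty
# location, and prove every file came back byte-for-byte.
# Assumes GNU tar and sha256sum from coreutils (Linux); on macOS swap in
# `shasum -a 256`. The sample data below is constructed for the drill.
set -eu

# make_backup SRC_DIR ARCHIVE
# Tar the source tree and write a SHA-256 manifest beside the archive.
# The manifest is what lets the restore be checked rather than eyeballed.
make_backup() {
    src="$1"; archive="$2"
    tar -C "$src" -cf "$archive" .
    ( cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) \
        > "$archive.sha256"
}

# verify_restore ARCHIVE
# Unpack into a throwaway directory and check every file in the manifest.
# Returns 0 only if the restore is complete and every hash matches; an
# unreadable, incomplete or tampered archive returns 1.
verify_restore() {
    archive="$1"
    manifest="$archive.sha256"
    case "$manifest" in /*) ;; *) manifest="$PWD/$manifest" ;; esac
    restore_dir=$(mktemp -d)
    status=0
    if ! tar -C "$restore_dir" -xf "$archive" 2>/dev/null; then
        status=1
    elif ! ( cd "$restore_dir" && sha256sum --quiet -c "$manifest" ); then
        status=1
    fi
    rm -rf "$restore_dir"
    return "$status"
}

# demo_drill
# Builds a small constructed data set, backs it up, verifies a good restore,
# then shows that an incomplete archive paired with the same manifest fails.
# Returns 0 when both outcomes are as expected.
demo_drill() {
    work=$(mktemp -d)
    mkdir -p "$work/data/accounts"
    printf 'invoice 1001,4200.00\n' > "$work/data/accounts/q1.csv"
    printf 'name,role\nalice,admin\n' > "$work/data/staff.csv"

    make_backup "$work/data" "$work/full.tar"
    good=1
    verify_restore "$work/full.tar" && good=0

    # Simulate a backup job that silently skipped a directory.
    tar -C "$work/data" -cf "$work/partial.tar" ./staff.csv
    cp "$work/full.tar.sha256" "$work/partial.tar.sha256"
    bad=1
    verify_restore "$work/partial.tar" || bad=0

    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$bad" -eq 0 ]
}

demo_drill && echo "restore drill: PASS" || echo "restore drill: FAIL"
```

Run it on a spare machine, then point make_backup at a real share and verify_restore at the archive your backup job actually produced; the hash manifest is the part most backup scripts leave out, and it is the only thing that distinguishes "the job finished" from "the data is there".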

Second, if you must focus your training on one thing, teach your employees (and yourself) to identify and fear phishing and spear-phishing attempts. When an email addresses you by name, the fakes are hard to spot. Symantec reports that 65% of advanced persistent threat (APT) groups use spear-phishing as their primary infection vector. Spear-phishing targets individuals using their name, an acquaintance, or another personal attribute to appear legitimate.

Finally, be vigilant about password strength, change a password immediately if you suspect it has been exposed, and, whenever possible, use multi-factor authentication. (Current NIST guidance in SP 800-63B favors long, unique passwords checked against breach lists over forced periodic rotation, so spend the effort on length, uniqueness, and MFA rather than on a reset calendar.) Snowden and Assange used default and weak passwords to access top secret information. Don't be lazy! This is the livelihood of everyone in your organization and potentially your customers, vendors, clients, taxpayers, and family.

In a perfect world we all have adequate backups, we don't pay the attackers, and they go away. If you are properly managing your information technology, starting with sound policy all the way through incident management and training, you can starve out these parasites. Will it ever be 100% safe? No, and I may be crazy to think we can make a difference. But because business decisions on cybersecurity are too often based on short-term gains, these are the leeches we are forced to deal with.

Need help?  Reach out.  We are all in this together.

Shawn D. Stewart

Mr. Stewart has 25 years of experience with hundreds of international, commercial, military, and government IT projects. He holds or has held certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell and others. He also holds a Master's in Cybersecurity, a Bachelor's in IT, and a Minor in Professional Writing, and is a published author.

