Ransomware: A CIO’s Guide to Mitigating the Problem

Cyberattacks happen. How can you recover quickly? If you are in IT management, everywhere you turn, you see warnings of malicious forces working diligently with the one aim of compromising your security and eating your data for lunch. It’s not a question of if anymore but rather of when. Many times the cyber security tools will not prevent the break-in, but only alert you of the compromise.

Over the past year, the number of ransomware attacks has grown dramatically and it is safe to say that this is the highest priority item on CIO lists and is what keeps them up at night. The IT world is flooded with ransomware protection tools, but any time you install a new tool, you can be sure someone just came out with a new threat for which your new software does not provide protection.

Just recently, millions of Microsoft Office 365 users were potentially exposed to a huge zero-day ransomware attack that included a sophisticated ransom note and audio warning informing victims that their files were encrypted. Another high-profile ransomware attack forced a Los Angeles hospital to pay $17,000 in bitcoin to the hackers in order to reobtain sensitive medical records and restore normal operations. The April Cybercrime Alert report, released by phishing defense firm PhishMe, says ransomware attacks will grow in size, as the malware changes faster than detection technologies, paying ransom is still the safest way to get your data back, and one successful attempt usually means another one will strike soon.

Prevention is Not Enough

At a recent roundtable of CIOs, there was discussion of their most pressing concerns. The main conclusion was that since these attacks are bound to happen at some point to organizations and cannot be totally prevented, what CIOs should concern themselves with is the ability to recover from such attacks as quickly and seamlessly as possible.

Management will understand and accept that their organization’s security was compromised but will not put up with a CIO who did not prepare for a quick and least painful recovery.

CIOs should have a set of detailed action plans ready for different attack scenarios.

These plans should cover the different application groups and environments, list proposed actions according to their priority and provide clear instructions to the IT staff. You do not want to start deciding on action plans in the midst of an attack…

The Steps to Take When Faced with a Security Issue

When faced with a security issue, CIOs should look to take the following measures:

  • Understand the situation at hand. Consult with the lead IT managers to evaluate the situation, understand what data’s been impacted and the reach of the breach.
  • Decide which action plan to invoke. Now that you’ve got all the details of the breach, work with your IT and communications team to decide which action plan should be invoked
  • Communicate to the executive and stakeholders team. Once the breach has ben evaluated, communicate to your broader executive team about it. Be prepared to give a full overview of how and why it happened, customers affected, what actions have been taken
  • Evaluate the aftermath. Post-event analysis is just as important as any other step in the event of a crisis. Understanding how and why your company’s security was breached, the exact point at which the data was compromised and the impact to your business in the short and long term are important considerations to understand. Going forward, a technology analysis may be in order to see if any of the major impacts on your business could be lessened or even removed if and when a crisis like this happens again.

An evaluation of your environment may reveal that the time between when a breach occurs to when you’re notified of an issue is too long. Or, it may reveal that you’re able to pinpoint when the breach occurred, but can only recover data from a few hours before the attack. .

Imagine such a scenario – you have been compromised and you receive a ransom demand. Your first wish is that you could go back in time to just before the attack and clear all of your data of any damage caused by the attack. Most storage systems have native snapshot capabilities which allows saving scheduled images of your data every few hours. Your only resort is to go back to such a snapshot but this would mean losing a number of hours of work (typically 4-12 hours).

It would seem the most important technology for recovering from a cyber compromise and specifically from a ransomware attack with the least impact to the organization is the ability to go back to the exact moment before the attack.

This technology would enable the organization to resume its operation almost seamlessly and do so in a timely fashion.

A Three-Pronged Approach

In summary, preparing for cyber and ransomware attacks requires a three-pronged approach:

  • Have the right tools to alert of an attack immediately
  • Prepare the procedures to be deployed for each kind of attack
  • Have the technology to go back in time to the moment before the attack seamlessly and quickly.

Protecting, responding and recovering from cyber attacks will likely continue to be one of the top concerns for CIOs during the foreseeable future and CIOs should constantly be on the lookout for the best tools for dealing with them.