A critical and timely question was asked early this week at IT World Canada’s MapleSEC conference, during a panel that revolved around ransomware and its many implications: What steps should an organization take when it comes to mitigating the impact of an attack?
The panel, entitled Ransomware Attacks: You don’t have to be a victim, was moderated by Epsit Jajal, the virtual chief information officer (CIO) of Ricoh IT Services; he was joined by panelists Maryam Asgariazad, director of information security at Alterna Savings and Credit Union Ltd., which has a network of 47 branches across Ontario, and Greg Markell, president and chief executive officer (CEO) of Ridge Canada, an insurance company that specializes in specialty risk management.
The MapleSEC show guide describing the panel stated that “ransomware attacks are becoming more common, and their effect can be devastating as you lose control of your business and face a dilemma as to how to respond.
“But there’s a sense of fatalism out there – as if companies are helpless. That’s not true. There are key, practical steps that every company can take to prevent attacks and mitigate the damage when attackers do break through.”
All three speakers brought unique perspectives to the conversation. Jajal and his firm were the external cybersecurity advisors, Asgariazad the end user, who, if there is an attack, will be the one who must have some sort of Plan B in place, and last, but not least, there was Markell. A leading expert on the topic of cyber and privacy liability, he holds the keys to the castle in a sense, for he is the one who decides if a firm qualifies for cyber insurance coverage.
Whether or not coverage is approved depends on many factors, such as the level of preparedness prior to an attack occurring. Asgariazad, who holds a master’s degree in information systems security, and the bank she works for would likely qualify, based on the fact that a cybersecurity framework has been put in place.
The policy itself, she said, focuses on five key elements: identify, protect, detect, respond, and recover. A key piece of it revolves around a business impact analysis, she said, adding that it is imperative for “all organizations to know which functions are critical in order for the business to survive.”
The five-pronged approach she described would allow an IT department not only to know what data has been captured should an attack occur, but also to implement an action plan that has been defined well before the attackers swoop in on an organization.
Markell stressed that having the type of contingency planning that is now in place at Alterna is not just a nice-to-have, it is a need-to-have if any organization hopes to qualify for coverage. Much of that has to do with the sheer number of claims relating to ransomware and other cybersecurity attacks.
“The cyber insurance sector in Canada is the least profitable sector in insurance,” he said. “We have surpassed hail insurance, which is a pretty big feat, and not one we should be proud of.”
The adversaries, he said, “are advancing way faster than anyone can keep up with. They are well-run organizations and they are just that, organizations, with full-blown HR departments and recruiting departments.”
Jajal recalled a phone conversation with a ransomware attacker that had a similar setup to a call centre. “You call a toll-free number, and they reply, ‘oh, you are from ABC Company, Jake is handling your attack. I will put you through.’ At the end of it, they actually sent us a two-page security report outlining how they got in.
“There are large networks of people who are working together, either formally or informally. As a result, you are up against some pretty serious threats.”
In terms of what to do once attacked, Markell recommends calling a lawyer, one who is trained in how best to respond when a client becomes the victim.
They won’t provide any information on coverage, he said, but they will help “quarterback the situation” and propose steps that can be taken, be it reaching out to forensics companies that “are basically on standby to deal with these things and help support the IT security teams to figure out what, where, and how.
“Once you have the intelligence about what’s going on, and how it’s happened, then you can make informed decisions on how to handle it.”