If you believe the news, ransomware is the biggest cyber threat to businesses today: A company is hit with ransomware every 40 seconds; 6 in 10 malware payloads were ransomware in Q1 2017; and the average ransom demand has risen to $1,077. Every vendor has a ransomware solution and companies are tripping over themselves to implement mitigations.
But is this the right response?
When ransomware hits, parts of your infrastructure become unavailable. That sounds a lot like a server “crash” or a data centre “outage”, doesn’t it? We already accept that computers crash outside of our control, and we have plans in place to mitigate the damage. If the outage is big enough, we engage our Disaster Recovery Plan (DRP), which is just a more expensive mitigation to address an even more expensive outage. Your existing recovery plans probably describe a few different scenarios: one hard drive crashes, the power supply breaks down, the entire server is broken, and so on. The point is that you don’t have a different plan for every scenario, and you don’t need a different one for ransomware.
It is a good idea to review your recovery plans on a regular basis. Things are constantly changing and you need to be sure the plans are still relevant. The next time you review them, consider the impact of ransomware and make adjustments where necessary. A few key points to consider:
- The impact of an encrypted hard drive is the same as that of a crashed hard drive: the data is unavailable
- Mirroring and RAID are not viable defenses against ransomware; they faithfully replicate the encrypted data just as they would any other write
- Backups are good ransomware defenses, provided they are kept separate from the live systems so the ransomware cannot reach them
- Ransomware spreads through your environment like a virus, so review your anti-malware plans too
There are strong opinions on both sides of whether to pay a ransom. This should be a practical business decision, not an ideological one. If the cost of the ransom is considerably less than the cost of recovering or recreating the information, you should consider paying, recognizing that the bad guys don’t always provide the promised decryption keys. But think of it in the context of a crashed hard drive. Would you try to recover the data through extraordinary means, with no guarantee it will work, if the value of the information is high enough? The same principles apply here.
Ransomware is just another way that your systems could become “unavailable”; you are already protecting yourself against a handful of other scenarios. If you have been hit by ransomware, you know where you are vulnerable, but you may still choose not to plug the holes if the cost of mitigation significantly exceeds the cost of recovery. Protecting your company from a data-hostage incident, or dealing with one, is an operational situation just like the ones you already face every day. Ransomware is not unique. We should resist the urge to spend a lot of money and turn everything on its head just because ransomware is getting a lot of media attention.
Steve Biswanger is Director of Information Security at Encana Corporation and is the first President of the new CISO Division, CIO Association of Canada. On Twitter at https://twitter.com/itsabouttrust. This is the first of five blogs marking Cyber Security Awareness Month.