Background: Just a few months ago, in an office far from the U.S. mainland, a contractor clicked open a seemingly innocuous email and it began.
Senior management at a well-known company awoke to their worst nightmare: systems all over their network infrastructure were locked up while employees and customers alike were already screaming for a solution to an, as yet, unknown cause. Is this a new story? Unfortunately, not. Read on, though; there’s more to this than first meets the eye.
The Bad Guys
Ransomware – your money for your data; by now, we are all too familiar with this form of malware and the damage it inflicts. At first, it seemed to be the culprit, but the accompanying message only asked for a very small sum of money. Attempts to pay the ransom did not work because the payment link was broken and, as it turned out, this was never about the money.
Meanwhile, the malware had raced across international boundaries turning servers, desktops and laptops, thousands of them, into useless bricks. Experts were scratching their heads wondering “what’s the point of this” if there’s no monetary payoff for the bad guys? The old adage of “cui bono?” didn’t apply this time.
When you remove the profit motive from ransomware and its intent is purely destructive, it becomes “anarchyware.” ArsTechnica’s article is but one of many to describe what happened this time – this was a destructive “wiper” designed to wreak havoc, and it did so without mercy. The end result for this company was weeks of downtime for thousands of employees, contractors and customers, damage to their reputation, tens of millions of dollars spent to “recover”, delayed or lost sales and a huge blow to morale.
Where is all this going? Well, sadly, this did not have to happen. Indeed, you cannot always prevent an employee from opening a malware-laden email but you can put up roadblocks to neutralize, or substantially mitigate, the intended damage. The parallels to actual ransomware should be instructive to every CEO, CTO, CIO and CFO, no matter the size of your company.
(The following is an amalgam of conversations heard over decades in the IT security world, updated for today’s problem sets. Some of you might recognize it from your own budget discussion experiences.)
CEO to CIO/CTO: “Your proposed budget number for IT security infrastructure isn’t going to happen. We cannot spend that kind of money.”
CIO/CTO: “While I understand your thinking, let me explain mine. We are no longer just dealing with ransomware but anarchyware. It used to be that we had the option to pay a ransom for our data, ugly as that concept is, but now we have malware designed to wipe out our systems with no monetary motive. Preventing that kind of disaster is expensive but remediating one is even more so.”
CEO: “What about our disaster recovery plans and backups?”
CIO/CTO: “Remember last year’s budget request for more grid infrastructure and the cloud implementations that were denied? You said to make do with a token budget increase. Those requests were just to help bring us to a minimal level of compliance with our DR plans.”
CEO: “So, what are you telling me? That you can’t keep us secure without this big increase? How will it look when we spend this money and nothing happens?”
CIO/CTO: “The whole point is to look just as we do today, a company fulfilling its mission without severe/permanent data losses and work stoppages. Look at our friends at “XYZ Corporation” down the road who just spent five times what I am requesting to remediate a malware attack and still aren’t up and running as they were before.”
CEO: “Ok, time for a Board-level discussion. To be continued…”
The message from the top IT folks was simple: “You can pay now or pay later – and paying later is exponentially more expensive.” With anarchyware, the paradigm has irrevocably changed and companies must realize that it is no longer about an exchange of bitcoins for data; your entire business is now at risk as destructive malware variants continue to proliferate on the Dark Web.
In this particular story, a fairly small investment would have prevented this anarchyware from doing its damage. The unseemly parallel is that making the necessary investments to secure your company from harm is like paying a ransom but will be smaller dollars than the true costs of remediation. And that’s only when you get a choice; anarchyware pays (no pun intended) no mind to your bank account – it is chaos for the sake of chaos.
Four Steps to Prevent Anarchyware:
By now you are focused upon the problem but your cash reserves might not be what Apple’s are. These four steps will help you to get on solid ground and prevent your organization from becoming the next victim of anarchyware:
- Step 1 – Risk Assessment: The songwriter Joni Mitchell told us “that you don’t know what you got till it’s gone.” Your first step must be to assess and inventory your risks to understand your vulnerabilities. Depending upon your employee size, geographic presences and business partners (yes, they can be a source of vulnerability and often are), the cost of a solid risk assessment ranges from five to seven figures; but make no mistake, a risk assessment is your first critical investment.
- Step 2 – Prioritize: Don’t let pride goeth before the fall and save the applause for what you’re already doing well; it is all about being honest about your security deficiencies. Set about fixing the low-hanging fruit and make a short list of your other top priorities, costs aside for the moment. Then, go to Step 3.
- Step 3 – Policies, Procedures and Plans: Yes, the dreaded work of knowing exactly what you will do both to prevent an IT disaster and to remediate one, if it occurs. This includes:
  - Develop clear and concise IT security policies for your employees, contractors and business partners. Leave the IT terminology out and concentrate on educating your teams about why this is so important and about what can happen if unnecessary mistakes are made.
  - Look to the National Institute of Standards and Technology (“NIST”) for expert guidance in developing the procedures to safeguard your organization from harm.
  - Plans are no different than what you use to build a home – measure several times and cut once. Among your most important plans is the one entitled IT Disaster Recovery Plan. Look here for an excellent guide. Plans go hand-in-hand with your policies and procedures to address what you will do, both to prevent a cyber-based attack and to mitigate one.
  - Develop a three-year plan. Honesty says that it will take many organizations a year or so to complete the first three bullet points of Step 3. So, it is really a two-year implementation plan that arises from the first year’s work. Besides, budgets are constantly reworked, so anything longer than that time period is just a plan without an approved budget.
- Step 4 – Pull It All Together: It can be discouraging to document all the efforts required to prevent an IT disaster. However, it can be totally discouraging if you don’t do the work and a cyber-attack brings you to your knees. It’s also not helpful to your career as blame tends to flow downhill.
  - Those priorities in Step 2? Budget them and multiply by 1.5. This is the budget you need to get approved.
  - The work you did in Year One of your Three-Year Plan? Cull out the second-level priorities and budget those separately. This is the budget you want to get approved.
  - Train your team about IT security. This doesn’t need a description, and you know why it’s here, but you must convince the budget gods that this is the most important, bang-for-the-buck item that will pay quick results in successfully preventing a cyber-attack on your business. Include this with the “Priorities” budget.
  - Spend time with your CEO and other senior leaders as you develop your policies, procedures and plans – don’t be an IT island. Solicit their opinions, concerns and needs. Help them to understand that a few disruptions to implement improved security are nothing compared to the costs of weeks/months of downtime resulting from a malware attack.
  - Ask your CEO to help you get the Board of Directors involved and to seek their approval. Leaving aside that you may be requesting some big money, which usually requires Board approvals, you want them to understand what’s at risk, what you can do about it and why you need their buy-in.
Twenty years ago, there were only benefits to establishing your online presence. Then, it became a necessity, but the security challenges began. Now, we live in a brave new world where the bad guys are often a step ahead of us. At Loricca, we help our clients, large and small, address, manage and remediate their critical security issues every day.

At Loricca, we began our work in the heavily-regulated healthcare industry and became one of the nation’s top providers of IT security risk assessments. Leveraging that knowledge, we have branched into other vertical industries, as security problems often require little to no domain-specific knowledge.

We are experts at assessing your risks and helping you to take the Four Steps outlined above. Call us at 800-600-3005 or visit us online at www.loricca.com for a free discussion of your needs.