It took just one leaked password to breach Colonial Pipeline in the May 2021 cyberattack. A few months earlier, in March, more than 30,000 U.S. organizations were hit by hackers who used Microsoft Exchange to gain access to email accounts. In June a cyberattack took down the IT systems at JBS meat processing plant, resulting in the temporary closure of all nine of its U.S. locations.
These headlines are just a fraction of the recent cyberattacks on companies. And experts say we’re in for a long, vulnerable ride. According to Cybercrime Magazine, ransomware attacks against businesses will occur every 11 seconds this year and cause $6 trillion in damages. By 2025, the grand total is expected to hit $10.5 trillion annually. That’s why it’s not enough to build a response-to-recovery playbook. Organizations have to have thorough, vise-like cyberattack prevention measures in place to ensure it’s (mostly) business as usual.
“Incident and crisis management are the key pieces—business continuity is the umbrella,” says Zeeshan Kazmi, InterimExecs RED Team executive and CISO. “But who’s taking care of all the other stuff? Recovery without formal plans can’t blunt the impact. But with a plan, you face an initial crisis and recover from it. And then pretty quickly, you’ll come back.”
Here he breaks down the background on ransomware, the impact of cyberattacks, how to protect your company, and a step-by-step guide if—gulp—you’ve been hit.
What is a ransomware attack?
A form of cyberattack, ransomware involves hackers infiltrating an organization’s systems to extract as much data as possible before encrypting it. With that upper hand, they can blackmail the business with the threat of, “If you want your processing capability back, you have to pay up.” In March 2021, for instance, insurance firm CNA had to shut down for three days and pay a $40 million ransom to recover stolen data following a “network disruption.” In recent attacks, there’s even a third extortion vector at play: contacting the victim’s customers and suppliers and blackmailing them over their data.
Once the files are encrypted, you’re essentially toast. In fact, 54% of IT decision-makers say cyberattacks are too advanced for their own IT teams to handle.
“We’re talking about supply chain and risk that’s outside of the IT area altogether to be able to get processing ability back,” Kazmi says. “You may go out of business because of the level of scandals with the terms of price fixing, or you may go out of business because customers think, ‘You know what, I’m not dealing with the likes of you—you didn’t update me, you weren’t there, and you couldn’t restore.’ So, it’s really business continuity.”
It’s no surprise, then, that a seasoned cyber executive, or Chief Information Security Officer (CISO), is now expected to have it all, with expertise that straddles business, risk, legal, and technology. In some cases, CISO compensation may eclipse that of the COO or CIO.
Your cyberattack prevention strategy
A cyberattack is costly in more ways than one. The average remediation tallies $761,106, average downtime following an attack is 19 days, and in recent surveys, only 8% of organizations managed to get back all of their data after paying a ransom, with 29% getting back no more than half of their data. In a nutshell, it pays to be prepared, and that doesn’t just mean battle-testing your systems.
How can cyber security breaches be prevented? Kazmi recommends implementing Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions. A more modern take on “antivirus,” these two work in tandem. The former protects the endpoints of an organization’s IT infrastructure, while the latter oversees the entire enterprise, integrating data from all corners. This enables earlier prevention and detection, as well as automated responses. Kazmi names CrowdStrike, SentinelOne, and Cortex from Palo Alto Networks as some of the best options. SentinelOne, for instance, has heuristics that can detect when an encryption operation is taking place or is being requested; it notifies the business and preemptively halts the operation just to be safe.
“These are the tactical items to do right away, and then get some help,” he says. “Build business resilience with business continuity planning with a focus on computer incident response and management in the beginning and build that whole plan together.”
Keep in mind that the recipe for safeguarding your systems looks a little different based on your organization size. Large businesses have the enterprise architecture and overall security wherewithal to absorb and dampen any impact. The Colonial Pipeline attack is a prime example. The fuel company immediately contacted law enforcement to explain the level of criticality, then got in touch with insurance, which gave them the reassurance to take out the cash to pay. Organizations of this size also typically have legal teams who are up to speed on current Department of Justice policies. (To that end, the DoJ even launched the Ransomware and Digital Extortion Task Force earlier this month to streamline their efforts.)
For Colonial, after authorities had given the OK to pay the ransom, the company provided the DoJ with the bitcoin address of the hackers, who then moved the money to at least six more addresses. By the end of May, the DoJ was able to follow the money and seize 63.7 bitcoins, worth $2.3 million, that had been paid to the cybercriminal group DarkSide.
“Large organizations have support materials and their reputation,” he says. “They also have either a PR firm or an internal communications director who can handle the news media and inquiries a lot better. Then in about three to six months people will forget that they had a problem.”
For a smaller organization, Kazmi says it’s more about evaluating risk. According to the National Cyber Security Alliance, as much as 60% of small- to medium-size businesses shutter within six months of a cyberattack. That’s because the future of your business can hinge on just how much you’re investing in your security structure, and on whether you can pay lawyers, fund tape recovery costs, and cover other one-off expenses completely outside traditional operations.
You’ve been attacked — now what?
What should you do when your company has been hacked? When you’re in crisis-management mode after a cybersecurity attack, things have to move quickly. While the IT team is in the corner working to get your systems restored, there’s a checklist of vital tasks business leaders need to handle ASAP. Here, Kazmi outlines the steps:
- Call law enforcement: It’s about getting on their good side because the wrong move can shut you down. For example, he says, if you end up transferring money to a corporation that’s already on the OFAC (Office of Foreign Assets Control) list, you’ve broken the law. But by staying in communication with the authorities, the government will try to track down the ransomware source and essentially give you leeway in your decision, whether that’s recommending payment to get your operations back up and running or not paying because it’s someone on the OFAC list.
- Call your insurance: Make sure you’re covered for ransomware, because not everyone is. Ransomware isn’t covered under an “act of God”-type clause.
- Connect with your employees and customers: Establish how people are going to get paid even though they’re unable to work. Set policies around returns and continuity of information with customers, including product shipments.
- Increase communications with your IT department: Figure out where your backups have been, and work on restoring transaction systems and any other data.
Today’s remote work and mobile environment reinforces the importance of that age-old mantra: “An ounce of prevention is worth a pound of cure.” In the world of cyber security, that means testing over and over (and over).
“My number one recommendation is: do your backups and test your backups,” Kazmi says. “Don’t just believe somebody saying, ‘We got everything backed up.’ It’s like, ‘Oh, everything? Can you please quantify ‘everything’?’ You only know it’s everything if you physically test and count. That’s how you know it’s everything.”
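One way to “test and count” a restore rather than take someone’s word for it, as an added example that is not from the article or from InterimExecs: a manifest of file sizes and SHA-256 hashes is built from the source tree, and a restored copy is checked against it file by file. The directory layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record every file under root: relative path -> {size, sha256}."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest: counts plus missing/extra/corrupt files."""
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupt = sorted(k for k in manifest.keys() & actual.keys() if manifest[k] != actual[k])
    return {"expected": len(manifest), "restored": len(actual), "missing": missing,
            "extra": extra, "corrupt": corrupt, "ok": not (missing or corrupt)}


def demo() -> dict:
    """Constructed scenario: a restore that silently lost one file and altered another."""
    base = Path(tempfile.mkdtemp())
    src, restored = base / "src", base / "restored"
    files = {"db/orders.csv": b"id,total\n1,9.99\n", "docs/plan.txt": b"continuity plan",
             "cfg/app.ini": b"[app]\nmode=prod\n"}
    for name, data in files.items():
        (src / name).parent.mkdir(parents=True, exist_ok=True)
        (src / name).write_bytes(data)
    manifest = build_manifest(src)          # taken when the backup was made
    shutil.copytree(src, restored)          # stands in for restoring from tape/cloud
    (restored / "docs/plan.txt").unlink()   # a file that never made it back
    (restored / "cfg/app.ini").write_bytes(b"[app]\nmode=test\n")  # silently changed
    report = verify_restore(manifest, restored)
    shutil.rmtree(base)
    return report
```

A clean restore returns `ok: True` with `restored` equal to `expected`; anything else is the evidence that “everything” was not, in fact, backed up.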
Kazmi says that, as a first-world economy, we have invested in technology and will continue to invest more in automation as an essential part of GDP growth and net exports. “There is no going back,” he says. “It is imperative that we invest in managing the risk that is directly related to technology that can impact organizations strategically, reputationally, and operationally.”