Ransomware attacks are increasing in frequency and severity. As a business continuity professional, there are steps you can take before and during such an attack to help your organization get through with the minimum amount of damage.
The BCM Pro’s Role in a Ransomware Attack
Most business continuity professionals have gained some familiarity with ransomware attacks. (For those who want a quick refresher, see this guide from the FBI. To see some statistics about the rising frequency and cost of such attacks, see this page from PurpleSec.)
One thing we at MHA have noticed during exercises is that many people like to engage with the subject of whether the company should pay the hackers. However, the front-line business continuity management (BCM) professional is unlikely to ever play much of a role in this decision. For the typical BCM pro, time spent talking about this is time taken away from doing the things they can and should be doing to help their organization get through the incident.
What should the frontline BCM pro be doing? During times when the company is not under attack, they should study, gather information about, and document the interdependencies among their organization’s business and IT processes. During an attack, they should use their knowledge (and the resources they previously assembled) to guide the company’s damage limitation and control effort.
Isolating the Infection vs. Maintaining Operations
When an organization realizes it has been hit with a ransomware attack, the main priority from a damage control perspective is to identify the location and extent of the infection and isolate it, preventing its spread through the network.
However, most organizations would also like to avoid a total shutdown, to the extent this is possible and safe.
There are middle points on the spectrum between keeping everything running and shutting everything down.
This is where the BC pro’s knowledge comes in: coordination with the IT and Security teams on the technical architecture (which systems sit on which network segment, and which systems depend on which), combined with knowledge of the organization’s business processes and their interdependencies. That knowledge can guide the organization’s decisions on what to shut down and what can keep running.
Finding Better Options
The kind of knowledge we’re talking about has the potential to give the company options other than shutting down everything (with all the costs that entails for the stakeholders). The knowledgeable BC professional can help the company find options and be prepared to shut down based on knowledge and planned actions vs. reacting at event time. The goal is to help the organization get through the ransomware attack with the minimum amount of damage and disruption.
As an example, suppose the question arises of whether to shut down the payroll functions as a precaution during a cyber event that has not (yet) reached payroll. You should know ahead of time what the ramifications of doing so would be. What would the impact be at various times of the week or month? If you knew that the cost of shutting payroll down right now would be minimal, the decision to do so would be easy. If you knew the cost would be severe, that would tilt the conversation in a different direction.
Deciding Whether to Amputate
A good comparison might be a doctor treating a patient with a leg infection. An ignorant doctor might recommend amputation as the only sure way of saving the patient. A more knowledgeable doctor might know of a treatment method that is just as effective but less drastic.
When it comes to ransomware attacks, you should aspire to ensure the organization has the information needed to be that knowledgeable doctor who knows how to isolate and treat the infection without amputating the patient’s leg.
Gather the Information Ahead of Time
The information regarding business and IT processes, technical architecture, network segmentation, what devices are on what segment, and interdependencies should be gathered, documented, and learned ahead of time. During an event is the worst time to be researching and mastering complex new material.
Going back to the doctor analogy, if you were the patient, you wouldn’t want your doctor to be researching how to perform the operation you need while you’re on the operating table. The time to learn is before the operation (and before the ransomware attack).
The information should be part of your crisis or BCM documentation set. The IT part might be addressed in a document called Network Architecture with Network Segmentation and Devices, listing each segment, the devices and systems on it, and the systems each of those depends on. The part on business impacts, including how the cost of an outage varies with the time of the week or month, could be expanded out from your BIAs.
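To make this concrete, here is an added example (not from the original post, and not an MHA or BCMMETRICS tool) of keeping that inventory in machine-readable form and querying it during an incident. It holds three things the post says to document ahead of time: which systems sit on which segment, which systems depend on which, and which business processes use which systems, plus a BIA-style cost tier that varies with the date. Given a segment the security team wants to cut off, it propagates the outage through the dependency chain and reports which processes stop, which keep running, and how costly the stoppage is today. Every segment, system, process and cost rule below is constructed for illustration and does not describe any real organization.

```python
from datetime import date

# Constructed inventory for a hypothetical company; not a real network.
# Segment -> systems on that segment (the "Network Segmentation and Devices" record).
SEGMENTS = {
    "corp-users": {"file-server", "print-server", "workstations"},
    "finance": {"payroll-app", "payroll-db", "gl-app"},
    "dmz": {"web-portal"},
    "ot": {"mes"},
}

# System -> systems it cannot operate without (IT interdependencies).
SYSTEM_DEPS = {
    "payroll-app": {"payroll-db", "file-server"},
    "gl-app": {"payroll-db"},
    "web-portal": {"gl-app"},
    "print-server": {"file-server"},
}

# Business process -> systems it directly uses (from the BIA).
PROCESS_SYSTEMS = {
    "run-payroll": {"payroll-app"},
    "month-end-close": {"gl-app"},
    "customer-portal": {"web-portal"},
    "print-invoices": {"print-server"},
    "shop-floor": {"mes"},
}


def downtime_cost(process, on):
    """BIA time sensitivity (hypothetical rules): cost tier of stopping `process` on date `on`."""
    if process == "run-payroll":
        # Payroll is paid on the 25th; losing it in the run-up is severe, otherwise minimal.
        return "severe" if 22 <= on.day <= 25 else "minimal"
    if process == "month-end-close":
        return "severe" if on.day >= 27 or on.day <= 3 else "moderate"
    return "moderate"


def offline_closure(seed):
    """Everything that becomes unavailable when the systems in `seed` go down.

    Iterates to a fixpoint: a system is offline if any of its dependencies is offline.
    """
    offline = set(seed)
    changed = True
    while changed:
        changed = False
        for system, deps in SYSTEM_DEPS.items():
            if system not in offline and deps & offline:
                offline.add(system)
                changed = True
    return offline


def impact_of_isolating(segment, on):
    """Report the business consequence of cutting `segment` off the network on date `on`."""
    offline = offline_closure(SEGMENTS[segment])
    report = {"offline_systems": sorted(offline), "impacted": {}, "unaffected": []}
    for process, systems in PROCESS_SYSTEMS.items():
        if systems & offline:
            report["impacted"][process] = downtime_cost(process, on)
        else:
            report["unaffected"].append(process)
    report["unaffected"].sort()
    return report


if __name__ == "__main__":
    # Isolating the user segment on the 24th knocks out payroll (it needs the file server)
    # three days before payday, which the BIA rates as severe.
    for segment, day in (("corp-users", date(2024, 3, 24)), ("finance", date(2024, 3, 10))):
        r = impact_of_isolating(segment, day)
        print(f"Isolate {segment} on {day}:")
        print("  offline systems:", ", ".join(r["offline_systems"]))
        for process, cost in r["impacted"].items():
            print(f"  STOPS {process} (cost today: {cost})")
        print("  keeps running:", ", ".join(r["unaffected"]))
```

The value of the query is the non-obvious chain: cutting off the corp-users segment looks harmless to finance, yet the payroll application depends on the file server on that segment, so payroll stops. That is exactly the kind of interdependency a BCM pro should have documented before the event rather than discovering on the day.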
And Keep in Mind…
Here are a few more points to keep in mind:
- Any organization trying to figure out the extent of a ransomware attack is in an uncertain and disorienting position; early information is incomplete and often wrong.
- Many people are likely to find the situation stressful.
- Each company has to decide how aggressive it wants to be in isolating the infection vs. keeping its operations going.
- Taking down any system or process (as part of limiting the infection) will put you in a business continuity situation.
- You are obliged to communicate the incident to any stakeholders that might be affected (in some cases this obligation is legal or contractual).
- As a result of the incident, your SaaS providers might shut down your connection to protect their networks. You’ll have to get by without them.
- The incident will probably last longer than you anticipate.
- Every hour spent gathering basic information during the event is an hour added to the time it takes to make and act on decisions, which is why that information should already be in hand.
Before an Attack Occurs
The BCM professional’s role in dealing with a ransomware attack is to participate in the effort to isolate the infection while also trying to keep the critical business processes going to the extent this is feasible and safe. Doing so requires them to learn and document the interdependencies of the organization’s business and IT processes before an attack occurs.
For more information on ransomware attacks and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS: