Be Ransomware Resilient: Know How to Operate Manually

A ransomware attack has the potential to leave your organization without its computer systems for days or weeks. Make your business ransomware resilient by figuring out how to perform your most mission-critical tasks manually. 

 

Imagine Losing Your Computer Systems For Weeks

How would your company manage if it was deprived of the use of all of its computer systems for days or weeks?  

Everyone knows ransomware attacks are on the rise. Less well-known is that a ransomware attack has the potential to deprive your company of the use of its computer systems for as much as three or four weeks. This is not a theoretical problem; we have seen it happen. 

Many factors can extend the amount of time an organization is unable to use its computers following a ransomware attack. These include, potentially, the need to rebuild everything from scratch, clean infected resources, inspect backups to make sure they are clean, and reimage affected devices. Only when these steps are done can the organization begin the recovery process, which can itself be highly time-consuming. 

Preparing For This Unpleasant New Reality

Every organization should be aware of the reality that its systems might be down for days or weeks. Every responsible one should take steps to prepare for it. Being prepared will give your organization a fighting chance of keeping its most important operations going even if its computer systems are down, thus reducing the impact to your stakeholders.  

Being prepared will also reduce the power the extortionists have over your organization since the more prepared you are to carry on without your computer systems, the more freedom you will have to ignore their demands. 

Knowing How to Operate Manually 

The way to be ransomware resilient is straightforward: your organization should be prepared to carry out its mission-critical activities manually for up to three or four weeks. 

Many of our MHA Consulting clients, when we inform them of this need, tell us it’s impossible. 

However, organizations that find themselves unable to use their computer systems for an extended period of time immediately begin scrambling to accomplish this “impossible” feat as best they can (and under highly adverse circumstances).  

Figuring out how to carry on manually is not impossible; it’s merely hard.  

An intelligent, sustained effort will produce results. Every little bit of preparation helps, and the results will pay off if the organization ever does face a major ransomware attack. 

Like Driving with a Donut Tire

One of our client organizations that has a clear understanding of the challenge of operating manually for an extended period came up with an excellent way of describing it. They compare the process to driving a car using a donut tire, the undersized spare found in many cars.  

The analogy gets at some of the key facts about operating manually: it is a temporary, imperfect way of doing things, but it’s better than nothing. A car with a donut on it has to take it slow and is limited in range. However, at least it is not immobilized on the side of the road, leaving its occupants stranded. 

Companies need to imagine that it’s 1970 again. How did they do everything then, before computers? They need to recover the abilities and arrangements they might have used then.  

“Skinny Down” Your Operations

The challenge of operating manually for an extended period can also be compared to going backpacking. Hikers who backpack into areas without electricity or running water “skinny down” their routines for grooming, cooking, and so on. They eliminate nonessential tasks (like shaving, perhaps) and have to find new ways of performing the essential ones (like brushing their teeth using purified stream water rather than tap water). 

In the same way, organizations have to skinny down their operations, identifying essential tasks and figuring out ways to do them without computers, and putting nonessential activities on hold. 

Developing a Cyber Event Plan 

In business continuity terms, what’s needed is to develop a major cyber event plan that will be part of your BC plan. The following are some considerations to keep in mind in developing this plan: 

  • Creating the plan can’t be done in two hours. It takes time and careful thought. 
  • The first step is identifying what tasks need to be performed to keep things going. 
  • The organization won’t be able to do everything it normally does. 
  • In identifying the critical activities, the BIA is a good starting point, but BIAs are about processes; manual operation often takes place at the simpler level of tasks. 
  • The second big step in developing this plan is working out manual ways of accomplishing the critical tasks. 
  • The third step is developing an activation checklist. 
  • The activation checklist exists because employees typically have some advance notice (e.g. 30 minutes) before systems are shut down; during this time they can pull key reports, obtain essential information, and notify important contacts of the coming outage. 
  • The activation checklist can be compared to what people do when they realize their cell phones are about to run out of power and they lack the means to recharge them. 
  • Companies typically need to find manual ways of paying people, putting money in the bank, ordering supplies and equipment, performing quality assurance, and tracking expenses (for eventual payment when systems are back up). 
  • Manual workarounds often involve the use of human runners, a common element of the pre-1970 workplace. Part of the plan should be making sure these people are physically able to get to where they need to go. 

The goal of the cyber event plan is not to allow the company to keep doing everything, flawlessly, in the total absence of computers. It is to enable it to limp along for the duration of the outage. In most cases, this is the best that can be hoped for. It will also most likely be enough. 

Back to Highway Speed

As ransomware attacks grow more common, companies should make sure they have the ability to carry out their critical tasks manually for up to three to four weeks. They should create a major cyber event plan and add it to their business continuity plan.  

A major cyber event plan identifies the critical tasks that need to be performed to keep the company running, lays out manual ways of accomplishing those tasks, and includes an activation checklist that can be followed before systems are shut down. Having such a plan will enable the company to keep its essential activities going until its systems are restored and it can resume driving on four good tires and at regular highway speed. 


About
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.