How to be prepared for a ransomware attack: Check your data and backups
Expert says ransomware attacks will happen, and your company has to be prepared long before the attack hits.
TechRepublic’s Karen Roby spoke to Jim McGann, VP of Index Engines, about ransomware and how to recover from an attack. The following is an edited transcript of their conversation.
Karen Roby: Jim, we talk about cybersecurity quite often, of course, but most people in mainstream America, they didn’t know what a ransomware attack even was until just recently now that they’re starting to hear more about these large-scale attacks in the news, and it seems like a new one happens just about every day.
Jim McGann: Yeah. Well, the average consumer didn’t really know this was going on, and I’ve seen some interviews on news programs where they’re saying, “How can we stop this?” And the fact is that these have been happening every day, and they continue to happen multiple times every day. So, it’s not that it hasn’t been happening, it’s just been off people’s radar. And when the Colonial Pipeline attack happened and people had to get up early and wait in line for gas, and gas prices increased and it happened to affect the average consumer, that’s when people started to care. And now JBS Meatpacking, it seems like they’ve recovered fairly quickly, but meat prices are increasing. If there are shortages of hamburgers for the Fourth of July, average consumers will care, and then it’ll get a voice in the press, and it will become very, very public and very much a conversation topic.
I mean, my neighbors really didn’t care what I did for a living and now they’re like, “Hey, you’re in security, right? Tell me about this ransomware,” and they care now, which is very unique for me because it’s never happened before. But I think when it affects the average consumer, the conversation or the talk track just increases, it’s on the news constantly, and it’s something that people say, “Hey, we need to solve this,” and it becomes important, and the government needs to step in and it becomes a thing that the public cares about. And that’s the difference.
Karen Roby: Yeah, all of a sudden people want to talk to you about what you do now that they’re hearing more about it. Jim, backup systems, that’s something that we don’t talk about very often, and they are very vulnerable, too.
Jim McGann: This week in Washington when the CEO of Colonial Pipeline testified, he actually said they didn’t have a recovery plan, a cyber-recovery plan, which is pretty shocking for an organization not to have. I mean, cyberattacks have been around for a long time. We use the statement, “It’s not if, it’s when,” and that is a fact. So if you’re not prepared for it, that’s another issue. But what a lot of companies do is they assume that their disaster recovery products will support a cyber-recovery attack. So disaster recovery is not cyber recovery. The two are very different. So if you think of disaster recovery, it’s your data center being in a fire or a flood or an earthquake. It’s really the infrastructure that’s destroyed. In a cyberattack, it’s the data that’s corrupted. The cyber criminals want to go after the data. They want to lock down your system, your Active Directory, your network infrastructure, your core databases, your production data, contracts, intellectual property.
They want to lock that down so you can’t come in on Monday morning and do business as usual. So, it’s about the data and it’s about checking the integrity of the data. There are some backup solutions that are doing that. They’re just bolting onto their backup disaster recovery solution some analytics and some capabilities to check the integrity. It’s not good enough. And when you see people taking weeks or months to get fully back into production, you would think if you had a disaster recovery solution, that should take 24 hours or a couple of hours to get back into production, and that’s not happening. So, what I think we’re seeing is disaster recovery is not cyber recovery, and customers are struggling with that fact.
Karen Roby: All right, Jim, what happens from here say six months down the road if there’s no change?
Jim McGann: Well, I mean, change is complicated. I mean, if it was an easy answer, technology would fix it. It’s really a combination of technology. … I’ve talked to companies that have 75 different security applications running, and you ask the question, “How’s that working for you? Do you feel you’re safe from a cyberattack?” And they’re like, “We hope we are, but not 100%.” So you have decades-old, robust security, real-time security, perimeter security that’s not 100% effective. So, it’s not only technology. It’s Bitcoin, it’s financial, it’s regulatory, it’s government, it’s international relations. We know they’re coming out of a number of different countries. So, it’s a multifaceted problem that needs to be solved. What an organization needs to do, whether it be a local school system in Texas or whether it be a global financial services firm, is have a plan, have a data resiliency plan. Make sure your data has integrity and you can recover from an attack.
The worst case is if you do nothing and they come in and they destroy your Active Directory, your network infrastructure. They basically pull the foundation out of the company and you have to rebuild that. That process is massively complicated, and if you’re a regional school system or a regional government, you don’t have the resources or the infrastructure or the support to do that. It’s complicated. My biggest advice is to have a data resiliency plan, inspect your data, make sure it has integrity, make sure that you can recover, and don’t just rely on your backups. Because if you go to your backups and they’re corrupted or the data inside is corrupted, a crisis is the last time you want to figure that out. You want to check that integrity on a continual basis.