Cyber

Resiliency to ransomware

by Mark Rowe

Duncan Bradley, Director of Customer Engagement, UK and Ireland Cyber Resiliency Practice at Kyndryl, goes over what you might not know about your resiliency to ransomware.

Every cybersecurity professional knows, on a deep level and from hard-won experience, that the human factor is as significant to an organisation’s defensive posture as any tool or technology. It’s a message that gets repeated again and again: no perimeter can hold fast if a user is tricked into handing over their credentials; no encryption can help if somebody leaves print-outs of sensitive documents behind on a train.

Another certitude about the human factor is that it’s much easier to spot risks in others’ behaviour than in our own thinking. Being reflective and identifying your own misapprehensions isn’t easy for anybody. The importance of security teams and leaders examining their own assumptions was dramatically illustrated by the findings of a recent IDC report on ransomware preparedness. By interviewing nearly 1,000 security stakeholders, across a range of sectors and countries, the report’s authors found that companies are generally putting real investment into cyber-resiliency efforts, which should guard against ransomware. Malware scanners, and backup and recovery tools, for instance, each have a deployment rate of over 83 per cent, while a majority of businesses are actively adopting zero trust tactics.

And yet: at least 70pc of respondents had been successfully targeted by ransomware within the last year, of whom two-thirds chose to pay the ransom and 90pc said that the attack exfiltrated company data. An unlucky 9pc, in fact, paid the ransom but were still unable to fully decrypt the affected data. The conclusion drawn by the authors here – which I am inclined to agree with – is that companies are routinely over-estimating their level of ransomware preparedness.

How we got here

That conclusion seems right to me because, while one could read these statistics as merely indicating how difficult ransomware prevention is, I’ve seen from experience how mismatches have grown between the ransomware threat and the response to it. Two big factors explain this. The first is the long drive towards more consolidated infrastructure in the interest of making data more available. This process has been at the heart of digitalisation initiatives, and has enabled more efficient processes, better collaboration across business units, and more informed decision making, amongst other things.

It has also created ever greater reliance on these integrated systems, incentivising businesses to invest in solutions like clustering and storage replication to increase the resilience of the infrastructure. That works really well for some incidents, like natural disasters, by orchestrating access to alternative sources of the same data when machines go down.

Quickly replicating data across many locations and invisibly guiding end-users towards the most available source of that data is also, however, a fertile environment for ransomware to spread. The job of redundant storage solutions, after all, is to mimic the business’s data in multiple locations, and it won’t inherently distinguish between healthy data and data which has been illegitimately encrypted, corrupted or deleted by an attacker.

That’s where the second big factor comes in. The demand for always-on IT services has driven the creation of increasingly stringent service-level agreements, tracking both network functionality metrics like uptime and latency, as well as resiliency metrics like backup frequency and accuracy. Viewed – as these SLAs often are – through the lens of a consolidated dashboard, stakeholders are likely to be greeted by a page full of green lights implying a high level of preparedness.

This masks a knowledge gap, in that a successful backup (for example) might not actually mean that the organisation can recover from compromise. In fact, in a ransomware event, finding that the backup system holds an identical copy of production data, faithfully mirroring data which has been encrypted, corrupted or deleted, is the opposite of good news.

Where we can go

In other words, we have built environments where everything being done right, and every system performing to specification, can in effect be a state of maximum vulnerability to ransomware – as over two-thirds of businesses apparently discover every year. The appetite to protect against ransomware is clearly there, but rather than further extending existing practices to better account for the nature of this threat, businesses need to work backwards from the realities of ransomware and introduce features and tools which are more specific to it.

The first key attribute of a Cyber Tolerant Recovery Solution should be the inclusion of physical or virtual air gaps which can halt the propagation of compromised data during an attack. Backup data should also be protected by immutability and retention lock policies, keeping valuable data recoverable even when backups are deliberately targeted, with adequate RBAC controls to protect against malicious insider attacks. It must also be possible to scan those backups for anomalies, to detect and cleanse data before bringing them back into the production environment, and then to make the necessary bandwidth available to rapidly restore that known-good data.
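Two of the points above, that a "successful" backup may faithfully mirror already-encrypted data, and that backups should be scanned for anomalies before restore, can be made concrete with a small baseline-versus-snapshot check. The script below is an added example and is not Kyndryl's code or any product's logic; the file names, the entropy threshold, the magic-byte table and the sample backup contents are all constructed for illustration. It treats a trusted earlier manifest as the baseline and flags files in a later snapshot that have become near-random where they should be compressible, that no longer carry the header their extension promises, that are new, or that have disappeared.

```python
"""
Baseline-versus-snapshot scan of a backup set for signs that the data being
backed up was already encrypted, corrupted or deleted before it was captured.
Added example, not Kyndryl's code; thresholds, file names and sample
contents are constructed for illustration.
"""
import hashlib
import math
from collections import Counter

# File types that are normally compressible; near-random content here is suspect.
LOW_ENTROPY_TYPES = {".txt", ".csv", ".json", ".xml", ".log", ".sql"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; plain text typically sits around 4-5
# Expected leading bytes ("magic") for a few common formats (assumed table).
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".docx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _ext(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""


def scan_snapshot(baseline: dict[str, bytes], snapshot: dict[str, bytes]) -> dict[str, list[str]]:
    """
    Compare a backup snapshot against a trusted baseline (file contents keyed
    by path) and return {path: [reasons]} for everything that looks wrong.
    An empty dict means the snapshot is a candidate for restore.
    """
    findings: dict[str, list[str]] = {}

    for path, content in snapshot.items():
        reasons = []
        ext = _ext(path)
        # Rule 1: a compressible file type whose content is now near-random.
        if ext in LOW_ENTROPY_TYPES and shannon_entropy(content) > ENTROPY_THRESHOLD:
            reasons.append("high_entropy")
        # Rule 2: the file no longer starts with the header its extension promises.
        if ext in MAGIC and not content.startswith(MAGIC[ext]):
            reasons.append("magic_mismatch")
        # Rule 3: a file the baseline never contained.
        if path not in baseline:
            reasons.append("new_file")
        if reasons:
            findings[path] = reasons

    # Rule 4: files present in the baseline but gone from the snapshot.
    for path in baseline.keys() - snapshot.keys():
        findings[path] = ["missing"]
    return findings


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for unreadable content (constructed)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


# Constructed sample data: a trusted baseline and a later snapshot in which two
# files have been overwritten, one has vanished and one unfamiliar file appears.
BASELINE = {
    "reports/q1.txt": b"Quarterly summary: revenue up, costs flat.\n" * 100,
    "invoices/inv-001.pdf": b"%PDF-1.4\n" + b"(sample invoice body)\n" * 50,
    "hr/policy.txt": b"Acceptable use policy, version 3.\n" * 100,
    "archive/old.zip": b"PK\x03\x04" + bytes(range(256)) * 8,
}
SNAPSHOT = {
    "reports/q1.txt": _pseudo_random(8192, b"q1"),             # now unreadable
    "invoices/inv-001.pdf": _pseudo_random(8192, b"inv"),      # header gone
    "archive/old.zip": BASELINE["archive/old.zip"],            # untouched
    "reports/HOW_TO_RESTORE.txt": b"Contact the helpdesk.\n",  # not in baseline
}


def demo() -> dict[str, list[str]]:
    """Run the scan over the constructed sample and return the findings."""
    return scan_snapshot(BASELINE, SNAPSHOT)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path}: {', '.join(reasons)}")
```

The point of the design is that the backup job itself would report success for this snapshot: every file was copied exactly as it existed in production. Only a comparison against a known-good baseline, run before anything is restored, reveals that the captured copy is useless. In a real deployment the baseline would be a manifest of hashes and per-file entropy kept in the immutable, retention-locked tier, and the scan would run inside the air-gapped environment before data is released to production.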

The most important step, however, is probably to start by understanding what a realistic response currently looks like for your organisation and what level of response you need in order to mitigate the risks to any given system. I have had a number of conversations with IT leaders in which they were surprised to learn that their likely recovery timelines are measured in days or weeks rather than hours.

Needless to say, the best time to learn about a vulnerability is always before somebody takes advantage of it. A Cyber Tolerant Recovery Solution is possible, if we design for it and test its effectiveness regularly.


© 2024 Professional Security Magazine. All rights reserved.
