Organisations throughout the world are looking to protect against disruptive and destructive cyber attacks such as ransomware. Enhancing their cyber resilience – the ability to withstand, adapt to and recover from cyber disruptions – is a terrific way to enhance the level of protection while also focusing on business outcomes instead of just technical controls.
Unfortunately, there are still some misunderstandings about how to build cyber resilience, along with pitfalls that should be avoided. Here is a list of ten “Myths of Cyber Resilience” to consider, which can help organisations build resilience and avoid common traps and challenges.
1. My organisation is not a target
Some organisations believe that they are too small to be of interest to attackers or are in an industry that is not commonly targeted. While it’s true that the size and industry might impact the amount an attacker demands as payment, the reality is that most criminal bad actors are opportunistic. If they can obtain access to an organisation through a successful phishing attack or by purchasing a compromised credential, they will often take the opportunity to encrypt systems.
In addition, some organisations have been victimised as collateral damage from attacks on larger organisations, where the smaller victim serves as an access point because it is part of the supply chain, or where malware has spread on its own without a specific target. Remember that the motivations of bad actors vary widely.
2. We are fully resilient because our backup data is immutable
Many data storage platforms have a capability, often referred to as “immutability”, which prevents inadvertent changes and malicious attempts to alter or corrupt data during a specified locking period. This capability is often deployed on primary storage platforms as well as with backups.
Storage-based immutability is an excellent control, and organisations can very quickly and inexpensively enhance their resilience by activating this capability where it is available. But immutability should be just one component of an overall strategy – it’s not the end of the journey. Without a full range of recovery options and planning, immutable storage might be inaccessible, and it could take critical days to validate that the data is intact. A strategy to restore from backups after a cyber incident should also consider that the backups themselves might include compromised systems or data.
3. If attacked, we will fall back on our manual processes to run the business
An ability to fall back to alternative processes is a part of a good cyber resilience strategy. In scenarios where IT systems are unavailable, the ability to manually process orders, treat patients, check bank accounts, sell groceries, etc. could all enhance an organisation’s cyber resilience.
Unfortunately, our digital economy has eliminated manual processes for many organisations. Or, where they are still available, they are often too cumbersome or limited to support an organisation’s ongoing viability for a sustained period of time, as dependencies on connected IT systems have become the norm.
Consider what manual processes the organisation can meaningfully rely on if required – and for how long (hours, days, weeks). Examples include paying staff with paper cheques, using Post-it notes, and relocating staff to branch locations while the business is being recovered.
4. My data is in the cloud – so it is secure by design, and is my cloud provider’s problem
The cloud has helped the world to digitise at pace. Many critical services now run in cloud environments, managed by large systems integrators or public cloud providers. There are inherent security benefits to the cloud: consistent software that is regularly patched and updated, a single interface to manage business applications and operations, and clear monitoring and reporting of activity to find bad actors more quickly and prevent threats from impacting the business.
However, the cloud is still a place where your data lives. As organisations grow in their trust of and reliance on a single cloud partner, it is increasingly critical that leaders understand how their data is safeguarded in the cloud, and what tools and processes are necessary to protect, manage and recover critical data sets in the event of an incident directly or indirectly affecting the cloud infrastructure.
What will the process to recover data look like? How will I be prioritised over other organisations? What number do I phone? Can my team get involved to help the recovery process?
Just because your organisation’s data is in the cloud does not mean it is not your responsibility to safeguard and recover that data. Based on the capabilities of your cloud providers, consider the impact of your data being in the cloud and complement those capabilities to stay in control.
5. We have a disaster recovery plan which will enable us to recover from a ransomware attack
This myth remains prevalent among many organisations and can result in carrying a lot of invisible risk. The idea is that cyber-attacks are just another form of disaster, and most organisations have already invested in backup and disaster recovery (DR) capabilities that should kick in after a cyber-attack.
The problem is that DR typically anticipates geographically limited incidents such as a natural disaster, flood, or another non-adversarial outage. Having a second site in a different area, with data and applications ready to go, is the solution to that problem.
But a destructive or ransomware cyber-attack has two main differences from a physical disaster. First, if the systems are connected in any way – which they often are to enable data replication – the DR site is susceptible to the same attack. Second, the bad actors know that backup and DR can prevent them from getting their ransom payment and so they usually attack those systems too.
Regularly reviewing the Disaster Recovery strategy and testing the plan against cyber security attacks – including real-life drills of destructive ransomware attack simulations – is critical to ensuring it is implemented appropriately and supports the business recovery expectations.
6. Cyber recovery plans are a waste of time, because we need to recover all systems anyway to keep the business running
There are several variations of this myth, but the most common one is that all systems need to be recovered to bring the business back online, so there is little point in planning anything more specific.
However, there are strategies to shorten recovery times: alternate recovery locations can be created, shared platforms used, and so on. It is also important to understand that not all infrastructure, processes and data are business critical, and therefore not all of them need to be recovered immediately. If only the critical infrastructure, processes and data are restored first, that subset can be restored faster, while the non-critical elements are restored afterwards at a pace that does not impact the business.
The key point is, however, that it can be very painful and expensive to recover an entire environment without proper strategy, planning, recovery systems and testing, which is why it is so important to invest in cyber resilience and in building and maintaining an effective cyber recovery plan.
7. Our data is already encrypted, so ransomware cannot impact it
Because ransomware blocks access to your data by encrypting it, some organisations believe that they can pre-empt a ransomware attack by encrypting the data on their own.
The reality is that encryption of data at rest is mostly used to protect a different property of the data – its confidentiality. An attacker who obtains access to and exfiltrates encrypted data will have a challenging time using or selling that data unless it can first be decrypted. But a ransomware or destructive attack affects the availability of the data, not its confidentiality. So even data that has already been encrypted can be re-encrypted by the attacker, and it will then require both keys to return to its original form.
8. We have cyber insurance
Many organisations purchase cyber insurance to help offset some of the expenses, fines, damages and potentially even ransom payments resulting from attacks. And while it is a key part of an overall cyber resilience strategy, cyber insurance is not a substitute for good security. In fact, cyber insurers increasingly require specific security controls from their customers before issuing policies. Also, cyber insurance coverage has limits and exclusions – it does not cover certain incidents or expenses, sometimes including ransom payments. And cyber insurance typically is not designed to cover lost revenue from an attack that might take weeks or months to recover from. More recently, some insurers have stated that they will not pay out claims on cyber-attacks that come from a nation-state. This could apply to many of the known ransomware criminals.
9. Worst case, we’ll pay the ransom
In many cases, organisations victimised by ransomware plan to pay the ransom demand, obtain a decryptor tool and then begin the process of recovering their systems. But relying on this approach as a strategy is very risky:
- Not all attacks will have a decryptor tool available for recovery, with surveys suggesting this is the case in 20% of incidents. This may happen when the attack is from a nation state whose goal is espionage and which is masking its activities with a ransomware deployment, or from an activist group that simply wanted to destroy data. In other cases, an attacker might have used an untested version of malware whose output cannot be decrypted, or the keys were incorrectly generated or have been lost. Some systems also might not be recoverable even with the decryption keys, due to data corruption or flaws in the ransomware’s implementation.
- Some organisations may be prohibited by law from making a ransom payment. For example, in the United States, the Office of Foreign Assets Control (OFAC) notes that payments cannot be made to certain restricted parties. Other countries have similar laws that could prohibit or restrict payments. In addition, some states in the US have passed laws prohibiting or substantially restricting government agencies from making ransom payments.
- Consider the aftermath of paying the ransom: the threat actors are there to monetise, and will often have exfiltrated data from the systems to perform double extortion, threatening to publish the stolen information. Paying a ransomware group also exposes you to further ransomware attacks and ransom demands.
10. Our cyber capabilities are very strong, and will prevent or stop any significant attack
Some organisations are highly confident in their ability to protect against attacks. Cyber defence capabilities are more important than ever – preventing an attack, or limiting the scope of a successful one, are two of the best possible outcomes.
However, there is broad acceptance that complexity, interconnectedness, reliance on technology and the sophistication of criminals and nation states mean that it is important to plan for attacks that will eventually succeed.
Organisations should continue to develop, test and benchmark their cyber protection, detection, response and recovery capabilities against evolving threat actors’ techniques and technical abilities, to minimise the window of opportunity as well as the recovery time and business impact when an attack occurs.
Next Steps
In this exercise, the top 10 myths of Cyber Resilience have been highlighted alongside the reasons why we feel they are often not correct.
However, it remains important for organisations to do their due diligence and prove their due care regarding the protection of their systems and their data.
Whilst organisations might feel some of these myths are not applicable to them, it is advisable not to become solely dependent on these assumptions, and to ensure they have a way to operate their critical processes whilst their environment is being recovered following a disruptive attack.
Below are three key actions we advise organisations to take to support their cyber resilience, and particularly to enhance their ability to limit business impact and recover from an attack:
- Implement a “lifeboat” scenario: review technology dependencies, understand what the critical processes and assets are and what their RTO/RPO (recovery time objective / recovery point objective) requirements are, then implement and regularly test recovery processes. When this is in place, organisations can continue operating whilst other parts of the business are being recovered.
- Ensure the obligations of third parties align with the organisation’s requirements: whether it is the organisation’s cloud provider, its insurer, or any other provider, assess which of the critical processes and assets are managed through them, and validate that the contracted scope, thresholds and liabilities are aligned with the organisation’s requirements.
- Test the organisation’s recovery capabilities: cyber attackers are ever more sophisticated, new tools and processes appear often, and it is difficult to keep up with this evolution. It is therefore important to have external experts simulate an attack on the organisation’s defences, observe how the IT and business teams would react, and provide guided recommendations for an improved security posture and resilience.
As cybercrime continues to grow in frequency and severity, it is important for organisations to build greater levels of cyber resilience. Dell Technologies and Accenture collaborate to help organisations identify critical services and operations, protect key services, and enable recovery of operations in the event of a catastrophic cyber-attack.
Accenture brings decades of experience and insights from work in the market helping clients detect bad actors and respond to cyber incidents. They have been recognised as the No.1 cybersecurity service provider in the world.
Dell Technologies is the market leader in data resilience and vaulting solutions, helping organisations to protect and recover key services and enable recovery in the event of catastrophic cyber-attacks. The Dell Technologies Power Protect Cyber Recovery Solution remains the most sophisticated solution in the market today, endorsed by Sheltered Harbour and used by thousands of organisations globally.
Together, Accenture and Dell Technologies provide significant, practical experience of delivering resilient environments for critical services. We have experience in delivering cyber resilience solutions for our clients across a range of industries, using our proprietary techniques and tooling. We can design, implement and improve resilience solutions, and support the operating model which enables them.
Do not fall into these traps; get help from experts. Please contact Accenture and Dell Technologies to discuss how best to mitigate risk and build cyber resilience in today’s complex threat landscape.