Data, ransomware and a wake-up call
In this article, David Davies, the CEO of Navos, provides a wake-up call to businesses regarding ransomware and the dangers it poses.
I founded Navos, a technology services firm, after a decade on the Board of FTSE100 Hargreaves Lansdown. I introduced many aspects of information and cyber security, including a security operations centre and CISO functions, together with a considerable number of governance frameworks and technologies to manage risks of all kinds. During my tenure, the technology teams grew from around 20 in 2009 to around 550 in 2020.
At present, I see a very worrying theme occurring in that firms are failing to mitigate one of the biggest risks in business at present: ransomware. Some firms bat off the challenge of having mitigation in place without first understanding that the approaches have changed, and continue to evolve.
Rewind around four or five years and one such attack, the WannaCry ransomware attack, cost the NHS around £100m. It is one of many attacks that have hit the headlines; many others do not, but the constant is that failing to treat this risk seriously will cost your firm money, or some executives their jobs, sometimes both.
It was once commonplace for hackers to target the operational (or live) environment, such as the web or application servers, within companies. They would place a virus on these servers that encrypted the tech systems and locked IT administrators (and everyone else too) out of them. With the hackers the only ones holding the key to unlock the encryption, they would hold the firms to ransom – pay up or lose your data.
Some organisations are so ill-prepared for such an attack that they have no choice, despite measures being available in the market to help prevent such occurrences. Unfortunately, it is clear one trend exists where cyber is involved in the business world – any budget that was previously held back by the purse-string holders is suddenly sprung open in the event of an attack, or indeed after.
As the Board watch the money leave their company accounts to the cyber groups as quickly as the proverbial horse bolts from the open stable door, many questions are asked in retrospect. Red-faced CEOs and CFOs are left looking at the CIO, CTO or CISO, who hold back on giving the hair-dryer treatment of “I TOLD YOU SO!”; alas, professionalism usually prevails.
Inexperience counts for a lot where mistakes are concerned, but where there are gaps, some businesses are happy to take the risk of learning the hard way rather than being open to challenges. The all too common responses of “we are all covered” and “there is no budget”, or other distraction techniques, are doing nothing but increasing the chances of being hit.
I mean, why should Boards be concerned when most Business Continuity Processes are tested robustly, every blue moon or weeks before the odd IT Audit – whichever happens first? And yes, that really does happen.
One of the main reasons for this is that ransomware recovery processes commonly mean erasing data or removing servers from the live environment, then reverting to backups as their ‘get out of jail free card’, taking a little data loss as collateral damage for the inconvenience.
Let’s fast forward to 2022 and the clear and present danger that sits at the door of every business, irrespective of size, industry or location. The world continues to move on, and cybercrime is no different. It is now extremely commonplace for hackers to target NOT the live environment as before, but the data backups. This is now so common that some of the fastest-growing tech firms around are able to mitigate risks in this exact scenario.
As immutable backup systems are now being rolled out into businesses across the land, some firms are still being left behind, others wishing they had included them in their annual “wish list”. I would recommend anyone who feels they have omitted to look at this risk to drop whatever they are doing, and investigate if they are susceptible to this prominent area of attack.
The truth is whilst some firms are focusing on writing decks, running through minutes of their last committee, or taking the odd Friday afternoon ‘off’ to sail their boats, the cyber groups are more than likely targeting firms just like theirs – or even already inside the organisation. The statistic that company IT environments are usually compromised for around 200+ days before being identified is something that should keep us all awake at night.
Like a game of chess and the inevitable sinking feeling of “checkmate” as your opponent makes that move you hadn’t anticipated – there is little anyone can do in the scenario of a backup data topology being encrypted.
Unfortunately, whilst some company executives happily live in inexcusable ignorance about “the” journey to the Cloud, or about saving money by cutting “that expensive” line from the tech budget, those of us with experience watch aghast. Whilst technology and digital enablement can be the springboard to the success of just about every business, it also has the potential to be the biggest banana skin.
For example, there is no point in having a beautiful house, spending a fortune on making it yours, installing an alarm system and whizzy cameras on the front door, then leaving the back door not only unlocked but unalarmed.
Until firms firmly grasp the appreciation of “not IF but WHEN”, the number of hacks, compromises and fines will continue to increase. Mark my words, this attack will mean more headlines are written, and it is only a matter of time before an issue akin to the NHS issue presents itself once again on the front pages of the newspapers. Backups may not be sexy, but they are critical to every business, which is why they must be treated in the same way as your live data in terms of security.