11/03/20 | Security
By: Peter Bailey, General Manager, Aura Information Security
Could your company survive for three weeks at the busiest time of the year using nothing but pens, paper and telephones? That’s precisely what’s happened at Travelex, the international foreign exchange company hacked in December, which was still down well into the new year.
And here’s the stark reality: this kind of hack can and will happen to anyone, including a business like yours.
Travelex was aware of the system vulnerabilities which hackers exploited using Sodinokibi ransomware, and this leads us to some uncomfortable facts we must consider.
Business systems today are intensely complex. Your time, resources and budgets are limited, and every single system, once deployed, starts ageing immediately. This means even the ‘latest greatest’ is soon legacy equipment. New attack methods are constantly devised by hackers and ‘bad actors’, and software is updated constantly, with endless patches, updates and fixes published by the hundreds or even thousands of vendors you’ll typically find in the modern enterprise.
While organisations like Travelex may have entire teams of people dedicated to IT and information security, they just have to miss one patch, one update or one fix and they are done. Back to using pencils and paper, with data locked down, a demand for a payoff in Bitcoin, and the threat of customer data being released on the web.
While folks tend to be quick to point the finger of blame and say, ‘that’s lazy or sloppy’, it has happened before, and it will happen again. The sheer volume of systems and their complexity makes it difficult or close to impossible to catch it all. At the RSA conference that I attended in San Francisco, there was much discussion of the fact that organisations are increasingly failing to keep up with patching, even for well-known vulnerabilities.
And as we constantly say, you’re only as strong as the weakest link.
Bear in mind, too, that the most probable reason your business isn’t down like Travelex’s, at the busiest time of year, is that you haven’t yet been seriously targeted.
Is this Mission Impossible, then?
If we assume that your business is in the firing line (and my professional view is that at some point it will be) and it is more down to good fortune that you haven’t yet been targeted, what are you supposed to do about it? Faced with such a grim reality, you’d be forgiven for imagining that yes, this is all a bit Mission Impossible.
But there is an answer and it is preparation.
Understand firstly that all the basics, including educated staff members, hardened systems and sound defensive systems, are absolutely necessary and will keep out a majority of attacks.
At the same time, accept that if a targeted attack comes, it will succeed.
Preparation means having a plan. Having a plan starts with imagining what work will be like with your entire network and all systems down, how you will react and how quickly you can recover.
In this circumstance, who makes decisions? How will people work? What is the path to recovery? What are the commercial, legal and financial implications? How will you communicate with customers, and what will you tell them?
Attacks today are so prevalent that in the event of a serious compromise it’s best to be honest. The easiest way to manage reputational risk is to show you were diligent in the first instance and to be upfront about what has happened and how you’re resolving it.
Time to own up
This brings me to the point and a serious question every Kiwi business owner has to ask themselves: Have I tested this scenario in my organisation? Do I know for certain how my business will respond and what the outcome will be?
There is no better way to prepare than to simulate a real incident and see what happens.
Having the opportunity to test your processes in the most realistic setting possible is the best way to expose flaws and ultimately improve your response plan. As with any exercise, this allows you to discover the weak points and correct them before they surface in a real-life situation.
So, here’s the bottom line. Breaches can and do happen to anyone. Anticipating one and preparing with your IT, communications, legal, commercial and financial people gives you the best chance of a rapid, orderly recovery. Don’t leave it to chance.