Cyberattacks are disruptive. From dealing with data loss to frustrated customers, any company that has suffered an attack knows the impact reaches far beyond the original breach. And, for companies that are dealing with a ransomware attack, another issue arises: the question of whether or not to pay your attackers a large sum of money to recover systems, applications and data being held “hostage”.
For some companies, paying up might seem like a no-brainer, especially if they have no recent backups or the attackers are threatening to leak sensitive information online. The ransom may be high, but so is the cost of losing business-critical data altogether. Best practice is to refuse payment and work with law enforcement, but that process can feel too slow and bureaucratic for an organization that needs its data now, especially in an industry like healthcare, where proper patient care depends on readily available data.
What’s more, research commissioned by Arcserve has shown that consumers are growing increasingly intolerant of cyberattacks and the downtime that’s often associated with them. The report found that 37% of consumers would switch to a competitor if a company isn’t up and running within 24 hours following an attack, and an additional 41% would walk away from the business within two to three days. That’s some serious pressure for businesses to recover quickly.
The risks of a ransom payment
Paying a ransom no longer just means taking a hit to your bottom line. In an effort to curb cybercrime, the U.S. Treasury's Office of Foreign Assets Control (OFAC) has placed certain hacking groups under sanctions, which means that paying them can itself be a sanctions violation. One such group is the Evil Corp gang, which recently attacked smartwatch manufacturer Garmin and demanded a $10 million ransom. Evil Corp reportedly got its payout, but at what cost to Garmin? The company is short $10 million, still dealing with the fallout from the attack and its impact on customers, and now also facing potential sanctions exposure.
What’s more, paying a ransom gives cybercriminals no reason to leave your network and does nothing to stop them from attacking again. Cybercriminals are financially motivated; an organization that pays once looks like easy money, and you may be putting a bigger target on your back for further attacks.
While you can’t predict when a cyberattack might strike, you can have a plan in place for when one inevitably does. Building a disaster recovery plan that tiers your data in order of importance, establishes a crisis team and creates a smooth path to data recovery can help you avoid potential fallout from paying a ransom – eliminating the question over whether you should altogether.
Components of a successful disaster recovery plan
Before you start developing your plan, it’s important to do a complete inventory of your organization’s entire IT infrastructure. You can divide systems into three tiers to make recovery smoother:
Mission-critical systems (think logistics or industrial control systems), which must be recovered first, ideally protected with replication or high-availability technology so that an outage causes minimal data loss and business disruption;
Essential systems such as email, which cause less business impact if they are down for up to 24 hours; and
Non-essential IT items such as the server that stores your company’s marketing assets, which the business can operate without for a few days.
You’ll want to involve all business units, not just your IT team, in defining these tiers, since everyone is impacted in some way by IT availability.
It’s also essential to consider where backups fit into your strategy. A good backup system is a key component of any business continuity and disaster recovery plan. The ability to restore systems and data to a point in time before the attack saves recovery time and effort and removes the need to pay a ransom. But attackers know this, and as data protection has improved, cybercriminals have begun targeting backups themselves to leave victims no alternative to paying.
Treat your backups as mission-critical IT infrastructure and protect them with the most stringent security controls and processes you have; that is the starting point for ensuring they are clean and recoverable. Follow the 3-2-1 rule: keep three copies of your data, on two different types of media, with one copy off-site (or in the cloud). Because a ransomware operator with administrative access will delete or encrypt any backup reachable from the compromised network, the off-site copy should be one that cannot be modified from that network, such as an offline or write-once (immutable) copy; with that in place, at least one clean copy is very likely to survive an attack.
No plan is complete without testing to make sure it works. Ideally, testing should involve three things – your backups, your disaster recovery processes, and your crisis team. If you only test the technical parts of your plan, you’re underestimating the importance of the human element of disaster recovery; if disaster strikes, your people will need to work quickly to restore uptime. Throughout the entire testing process, you’ll want to make sure you’re documenting the results so your team can review and update the plan in line with how the test went.
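The two checks above, whether a backup set actually satisfies the 3-2-1 rule and whether a restore produces the data you backed up, are the parts of a recovery drill that are easy to automate. The following is an added example, not Arcserve's software or anything described on this page. It records a SHA-256 manifest of a directory tree at backup time, compares a restored tree against that manifest, and audits a small backup catalog for 3-2-1 compliance. The catalog entries, file names and file contents are constructed sample data, and the "ransomware" damage in the drill is simulated on a temporary copy.

```python
"""Backup verification helpers for a disaster recovery drill.

Added example, not Arcserve's code. All catalog entries and files are
constructed sample data; the restore drill runs entirely in a temp dir.
"""
import hashlib
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a backup set as it would appear in a backup catalog."""
    name: str
    media: str      # e.g. "disk", "tape", "object-storage"
    offsite: bool   # stored outside the primary site (or in the cloud)


# Constructed catalogs: one that follows 3-2-1 and one that does not.
GOOD_CATALOG = [
    BackupCopy("nightly-disk", "disk", offsite=False),
    BackupCopy("weekly-tape", "tape", offsite=False),
    BackupCopy("cloud-replica", "object-storage", offsite=True),
]
BAD_CATALOG = [
    BackupCopy("disk-a", "disk", offsite=False),
    BackupCopy("disk-b", "disk", offsite=False),
]


def check_321(copies) -> list:
    """Return a list of 3-2-1 violations (empty list means compliant)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies (need 3)")
    media = {c.media for c in copies}
    if len(media) < 2:
        problems.append(f"all copies on one media type ({', '.join(media)}); need 2")
    if not any(c.offsite for c in copies):
        problems.append("no off-site copy")
    return problems


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            manifest[p.relative_to(root).as_posix()] = digest
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> list:
    """Compare a restored tree to the manifest; return a list of mismatches."""
    restored = build_manifest(restored_root)
    errors = []
    for rel, digest in manifest.items():
        if rel not in restored:
            errors.append(f"missing: {rel}")
        elif restored[rel] != digest:
            errors.append(f"corrupt: {rel}")
    for rel in restored.keys() - manifest.keys():
        errors.append(f"unexpected: {rel}")
    return errors


# Constructed sample data set standing in for a small production tree.
SAMPLE_FILES = {
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget', 3);\n",
    "config/app.ini": b"[app]\nmode=prod\n",
    "docs/readme.txt": b"Recovery runbook lives in the DR plan.\n",
}


def run_restore_drill() -> dict:
    """Simulate a restore test: a clean restore passes, a damaged one fails.

    Builds the sample tree, records its manifest, restores a copy, then
    corrupts one restored file and deletes another to show what the
    verification step catches. Returns the error lists for both cases.
    """
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "prod"
        restored = Path(tmp) / "restored"
        for rel, data in SAMPLE_FILES.items():
            target = prod / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        manifest = build_manifest(prod)          # captured at backup time
        shutil.copytree(prod, restored)          # the "restore"
        # Simulated damage the drill must detect (constructed, not real):
        (restored / "db" / "orders.sql").write_bytes(b"-- encrypted by ransomware\n")
        (restored / "config" / "app.ini").unlink()
        clean = verify_restore(manifest, prod)
        damaged = sorted(verify_restore(manifest, restored))
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print("good catalog:", check_321(GOOD_CATALOG) or "3-2-1 OK")
    print("bad catalog:", check_321(BAD_CATALOG))
    print("restore drill:", run_restore_drill())
```

The manifest should be written at backup time and stored with the off-site copy, not alongside the primary data, so that an attacker who tampers with the backup cannot also rewrite the record you check it against. The catalog audit is deliberately simple; in practice you would feed it from your backup software's inventory rather than a hand-written list.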
While it might seem overly pessimistic to plan for a disaster that may or may not happen, that’s no longer the case with cyberattacks. For most businesses, it’s not an “if,” but a “when” they’ll face an attack. Having a thorough plan in place and updating it regularly can help businesses avoid the tough conversations that come with a ransomware attack and ensure a smooth recovery of systems, applications and data – no ransom required, and no sanctions to worry about.