The true cost of downtime
While your security defences may be tight, it is easier to infect a business today than it was several years ago. Ransomware attackers are using more creative, stealth-like techniques and traditional antivirus simply doesn’t cut it anymore. Industry experts warn it’s only a matter of time before a company suffers a data breach. So, it’s a case of when, not if.
Let’s face it, in today’s ‘always-on’ world, not having access to your business data for even a few hours can cause irreparable damage. You could lose business, face fines, damage your company’s standing, and have to deal with an extremely frustrated digital workforce.
Gartner reports the cost of downtime is more than £4,300 per minute, and this is growing.[2] The reality is that most companies put the actual figure higher than this, as they struggle to quantify transactions lost to competitors and the impact on stakeholders.
WannaCry and NotPetya brought large and small companies to their knees (including the UK’s National Health Service) and cost billions to remediate – but it’s not just the next BIG ransomware attack we need to worry about.[3] Every day, businesses of all sizes are falling prey to criminal groups, particularly in 2020:
- ITProPortal reports that during the Covid-19 pandemic, more than half of businesses in the UK have suffered a phishing attack, while over a third have suffered a ransomware attack.[4]
- Emotive Covid-themed lures are prevalent. For example, fake financial scams offering government assistance or fast-track routes for tests and vaccines in exchange for payment.
- KPMG reports there is evidence that remote working increases the risk of a successful ransomware attack significantly. This is due to a combination of weaker controls on home IT, and a higher likelihood of clicking on a virus-themed email.[5]
Ransomware is a type of malware (malicious software) that prevents you from accessing your computer (or the data that is stored on it). The computer itself may become locked, or the data on it might be stolen, deleted or encrypted.[6] It can spread in many ways. Some rely on human error; others are effective with no user input. The five most common infection methods include:
- Email attachments – the more credible and legitimate the email looks, the more likely the recipient is to open the attachment. Once opened, the ransomware is immediately deployed.
- Compromised webpage – users are encouraged to click on a URL link (often with wording that evokes a sense of urgency) that then triggers the download of ransomware.
- Malvertising – users click on an online ad believing it to be legitimate – for example an offer for free software - when in fact attackers have linked the ad to an exploit kit.
- Pirated software – software, which is unlicensed and doesn’t receive official developer updates, may come bundled with adware. As it downloads it releases the hidden ransomware.
- Infected removable hardware – connecting an infected USB drive or portable computer can lead to ransomware encrypting the local machine, and then spreading across the network.
Each week brings a new wave of cybercrime headlines including attacks on businesses like yours:
- cyber criminals held the firm to ransom on New Year’s Eve 2019, forcing staff to resort to pen and paper and halting travel money sales. While the systems recovered after several weeks, the firm’s reputation took a bigger knock as it has been harshly judged on its response to the breach.
- in 2019 the graphic design platform suffered a data breach affecting more than 140 million users. While the company detected and stopped the attack as it was occurring, critical data including usernames, real names, email addresses, encrypted passwords and partial payment data was stolen.
- the GPS and wearable fitness gadgets giant, fell victim to a cyber-attack in 2020 that brought down numerous systems. While it reported that customer data wasn’t compromised, the company had to fork out high costs for security expertise and remediation – as well as face a backlash at the company’s earnings call.
Making security a top priority
The 5 conversations you need to have
To fully protect your business, you will need to take a ‘recovery-first’ approach. But making data security a top priority is a big job, and it’s one your whole business needs to take seriously. To get this right, there are 5 conversations you need to have:
1) CEO: “Ransomware isn’t a top business priority.” Your response: “Are you willing to take that risk?”
When it comes to making data security a top priority, CEOs think they already have. But dig a little deeper, and it’s likely your IT leadership has different ideas. So how do you get data security to the top of your CEO’s agenda and create a unified culture of security from the top down?
What do CEOs really care about most? According to Workday [8] there are six leading priorities: finding growth, taking on risk, managing regulatory change, leveraging technology, pursuing innovation, and people and culture. Making the case for cyber security is not just about network accessibility; you need to clearly outline how it will impact business performance and these priorities:
1. Prepare ransomware incident playbooks and take your CEO through these. Look at this from a security protection versus security prevention perspective. Help them understand that knowing the risk now is far better than trying to contain it later.
2. Include real-life examples of companies like your own and show recovery options and fallout. Focus on the speed of response and the impact this has on the business.
3. Create a strong argument around these key points:
- How valuable is your company’s data – what would it mean to lose it?
- When an attack comes, how quickly and effortlessly can your business recover from it? Will it be minutes, days, weeks?
- What is the impact on business users if they cannot access critical data?
- What does it mean for loss of earnings?
- What does it mean for the company’s reputation?
2) FD: “We can’t afford the investment.” Your response: “We can’t afford not to.”
Data breaches are more than a headache – they’re costly too. You don’t have to look very far to find headlines of eye-watering amounts companies have paid to recover their data. In addition to the actual ransom, they’ve also been hit with fines and loss of earnings from downtime. Yet making the case for cyber security in the boardroom still remains hard. The view may be that the business has already invested in security measures and sees no ROI.
The truth is, it’s like an insurance policy. When the event takes place, the premium becomes a tiny pittance for the extensive cover provided. But until the pain is felt, it’s hard to justify the investment. CIO Review reports that cyber security is still looked upon as an added cost by senior management [9] – so how do you reframe this?
You want to be able to communicate the benefits, so it’s not seen as an expensive line item. Forget the scary analyst stats: your business case to the FD must include clear, simple and practical information that is hyper-relevant to your business:
- Quantified examples of the cost of downtime and the impact of damage to business teams. This includes scenarios where critical business users can no longer operate for a period of time.
- The cost of recovering lost assets – the actual pay-out (establish a policy on ransom pay-outs with your legal team) as well as the additional security expertise and effort required to recover operations.
- Cost / benefit analysis and options for various security measures – with a focus on ROI. You want to move away from scaremongering and look at a range of real-life examples and thoughtfully consider the risks.
3) Business users: “What’s this got to do with me?” Your response: “Everything – can you afford not to have access to your data for a few hours, few days?”
Cyber-attacks are not an IT problem; they affect the whole business. And ironically, when it comes to breach of data, innocent workers can cause as much damage as malicious hackers. Several years ago, Gartner predicted that the internal threat (employee ignorance) is just as big as the external threat.[10]
The expectation from nearly all business users is that they have access to the data they need, when they need it. While users understand that cyber-attacks happen and that data loss could impact their team, they still expect their data to be ‘on demand’ and that they’re up and running on systems within minutes.
Not being able to access files, make payments or talk to customers for any length of time could be catastrophic. So how do you get business users onside?
1. Help staff spot attachments and links that could contain ransomware – show examples and provide tips on recognising lures. Reinforce a no-blame culture.
2. Work closely with business teams in ‘worst-case’ scenario planning. Look at the realistic impact of what it will mean if users can’t access systems or data for a period of time.
3. Offer education and training company wide to familiarise all staff with security policies, especially as more and more employees continue to work from home. Better still, involve staff in the creation of practical guides and policies.
4) Wider IT Team: “We’re too stretched to address this.” Your response: “Modern cloud-based backup buys us time and frees us up.”
Data management today is complicated and time-consuming. While many IT teams will have rehearsed for a major incident, there’s nothing quite like the real thing to test systems, and nerves. Especially if your security team is having to manage incidents in unfamiliar conditions, such as lockdown. It’s highly likely you already have a stretched IT team and there is no bandwidth to deal with the fallout of recovery.
If a ransomware attack cannot be prevented, recovering from it remains the only option. Without an isolated, up-to-date backup of data, your IT systems will have no previous working state to revert to and your organisation will have no choice but to pay up in the hope of access being restored or accept that the data is lost forever.
Where you can help your wider IT team is by showcasing cloud-based backup tools that enable instant data recovery and guarantee ransomware recovery. Help your teams realise that:
1. Offsite, isolated (air-gapped) backup is a top priority and managing manual, time-consuming backups is a thing of the past (the NCSC in particular advocates having a backup plan for backups).[11]
2. Regardless of where the data is stored, it is possible to get instant data recovery. Even when structured and unstructured data is spread across fragmented silos.
3. Modern solutions now instantly restore individual files or whole systems, using user-driven recovery methods. Users and customers can access and work on priority data while the rest recovers in the background.
4. You don’t need additional on-prem infrastructure. Software-only solutions (especially pertinent in this Covid-19 era) with military-grade encryption and full automation are available.
5. Breaches don’t have to crush your team. Cloud-based backup platforms enable them to eliminate downtime, rebound quickly, and to focus on strategic work – rather than tactical recovery.
5) Customers: “Why should I trust you with my data?” Your response: “Because we can guarantee instant, real-time access to all your vital data.”
Customers, quite rightly, are hugely concerned about who they share their data with (you’re not the only one reading the cyber headlines). Giving assurance to prospects and customers that you can provide the data protection they need is critical. Don’t wait until the breach; have proactive conversations with your customers to reinforce your approach:
1. Be open and transparent about how you handle their data: how you use it, where it’s stored, who you share it with. Keep your communications straight and to the point rather than long-winded statements nobody reads.
2. Evidence how customer security is a comprehensive programme that everyone in your company knows and follows. For example, talk about the steps you’ve put in place to safeguard customer data in the light of extended home working.
3. Share your ‘recovery-first’ approach to data management, walk them through your playbooks and involve them in your incident planning. Make it clear how you will communicate a breach and what they can expect from you during the incident.
4. Explain why you’ve chosen cloud-based backup as the only option to reliably back up and restore data and guarantee zero downtime. Highlight the enterprise-grade security protection as well as real-time streaming for critical data.
5. Talk about the continued investment you make in your data protection and recovery platform. Show them security isn’t a tick-box item and that you stay on top of encryption practices.
Cloud-based backup - the best last defence
Ransomware attacks exploded in 2020 targeting organisations hit hardest by the Covid-19 pandemic. The malware is here to stay and leading researcher, Cybersecurity Ventures, predicts by 2021 an organisation will fall victim every 11 seconds. So, it’s not a case of if there’s an attack, but when there’s an attack. And the number one question then is how fast can your business recover?
Protecting against ransomware is your first line of defence, however this is not always effective. And when disaster strikes, you need to be up and running as quickly as possible, restoring operational data (wherever it is) to users (wherever they are) in seconds, not days. Fortunately, with cloud-based backup tools, data can be recovered in a few clicks.
Make data security a priority and start talking today to the five main stakeholder groups in your business. With a joined-up approach to data recovery, and investment in cloud-based backup tools, ransomware attacks do not need to cripple your business. Whether it’s a Zoom-bomber, or hacker demanding money, you can get your business back on its feet without the fine, or fallout.
1. Checkpoint – 2020 Cyber Security Report
2. Gartner – The Cost of Downtime
3. CSO Online – Is The World Ready For The Next Big Ransomware Attack
4. ITProPortal – Cyberattacks Escalated During Covid-19
5. KPMG – Rise of Ransomware During Covid-19
6. NCSC – Mitigating Malware and Ransomware Attacks
7. Spice Works – Study Reveals 1 in 4 Companies Never Test DR
8. Workday – 6 Top CEO Priorities and How to Address Them