The indiscriminate and potentially destructive nature of the growing human-operated ransomware threat requires a step change in disaster recovery planning and business continuity management. In essence, the critical question that now needs to be asked is: how would your organisation survive without any IT for a month or more?
Traditionally, organisations design their disaster recovery plans around a few well-understood failure modes, such as the failure of a single IT application or a data centre outage caused by a fire or flood. These scenarios inform the two key metrics: the recovery time objective (RTO), how quickly an application must be back up before its absence affects business continuity, typically a few hours; and the recovery point objective (RPO), how much data loss is tolerable, expressed as the maximum time between the last usable backup and the point of failure.
How ransomware changes disaster recovery
But ransomware is a game-changer and can render those recovery metrics meaningless in an instant. Ransomware can encrypt data, shut down IT systems and bring an organisation to its knees. Even if the ransom is paid there is no guarantee of recovery.
Take the example of the ransomware attack that hit the Irish Health Services Executive (HSE) in May 2021. Even with a recovery tool eventually provided by the attacker, it took three months to fully recover, and this is typical of what we see with ransomware attacks against other organisations.
Ransomware attackers are opportunistic and indiscriminate. Everyone is a target, from the smallest shop or a large family-run business to multinational corporations and critical infrastructure, regardless of where you are or what sector you are in. That’s why nearly half of UK CEOs say cyber risk is the biggest threat to their business and 61% of UK organisations expect to see a rise in ransomware incidents.
A new approach to business continuity - how do you plan for no IT?
For business continuity planning in the face of this kind of impact, the critical starting point is to identify your strategically important services, the dependencies that underpin them, and the risk exposure of each. Once those services are identified, the next step is to determine the maximum tolerable period of disruption (MTPD) for each of them: how long the service can be unavailable before the viability and survivability of the business is threatened.
At a disaster recovery level, organisations should think beyond traditional failure modes such as floods and fires and work out what they can and can't recover from if ransomware rendered all IT systems and data inaccessible at once. This means prioritising the order in which applications and systems are recovered if the organisation's entire technology base has to be rebuilt, and having offline backups available for all critical systems, data and infrastructure, with restore procedures that have actually been tested rather than assumed to work.
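The two passages above describe a method rather than a single step: map strategic services to the components they depend on, assign each service an MTPD, and then test the plan against the ransomware scenario (everything down at once, rebuilt in dependency order) instead of only the traditional single-failure scenario. The following script is an added example, written for this page and not taken from the original article or any vendor tool. Every service, component, dependency, rebuild duration and MTPD value in it is constructed for illustration; the names are placeholders. It assumes the best case for the ransomware scenario, namely that all components can be rebuilt in parallel as soon as their dependencies are back, so real timelines will be longer.

```python
"""Compare traditional single-failure DR metrics with a total-loss (ransomware)
rebuild for a set of strategic services.

Added example for illustration only. All data below is constructed; the
component names, rebuild times and MTPD values are placeholders, not figures
from any real organisation.
"""
from collections import defaultdict

# Constructed dependency graph: component -> components that must be up first.
DEPENDENCIES = {
    "network": [],
    "identity": ["network"],            # directory / authentication service
    "storage": ["network"],
    "email": ["identity", "network"],
    "erp": ["identity", "storage"],
    "patient_records": ["identity", "storage"],
    "phones": ["network"],
}

# Constructed time in hours to rebuild each component from offline backup.
REBUILD_HOURS = {
    "network": 24, "identity": 48, "storage": 36, "email": 12,
    "erp": 72, "patient_records": 96, "phones": 8,
}

# Constructed strategic services: name -> (components used, MTPD in hours).
SERVICES = {
    "order processing": (["erp", "email"], 72),
    "patient care": (["patient_records", "phones"], 48),
    "crisis comms": (["phones"], 24),
}


def topological_order(deps):
    """Kahn's algorithm: a rebuild order that respects every dependency.
    Raises ValueError on a cycle, which would mean the plan cannot be executed."""
    indegree = {n: 0 for n in deps}
    dependents = defaultdict(list)
    for node, needs in deps.items():
        for d in needs:
            indegree[node] += 1
            dependents[d].append(node)
    ready = sorted(n for n, k in indegree.items() if k == 0)
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for m in sorted(dependents[n]):
            indegree[m] -= 1
            if indegree[m] == 0:
                ready.append(m)
    if len(order) != len(deps):
        raise ValueError("dependency cycle: rebuild order is undefined")
    return order


def requires(deps, component):
    """Transitive set of components that must be up for `component` to work,
    including the component itself."""
    seen, stack = set(), [component]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(deps[n])
    return seen


def total_loss_restore_times(deps, hours):
    """Ransomware scenario: every component is rebuilt. Returns the earliest
    hour at which each component is back, assuming unlimited parallel rebuild
    capacity constrained only by dependency order (a best case)."""
    done = {}
    for n in topological_order(deps):
        done[n] = max((done[d] for d in deps[n]), default=0) + hours[n]
    return done


def mtpd_breaches(services, restore):
    """Services whose downtime under `restore` exceeds their MTPD.
    Returns {service: (downtime_hours, mtpd_hours)}."""
    breaches = {}
    for name, (comps, mtpd) in services.items():
        downtime = max(restore[c] for c in comps)
        if downtime > mtpd:
            breaches[name] = (downtime, mtpd)
    return breaches


def single_failure_breaches(deps, hours, services):
    """Traditional DR scenario: one component fails while everything else
    stays up, so affected services are down for that component's rebuild time.
    Returns {failed_component: {service: (downtime_hours, mtpd_hours)}}."""
    result = {}
    for failed in deps:
        breaches = {}
        for name, (comps, mtpd) in services.items():
            affected = any(failed in requires(deps, c) for c in comps)
            if affected and hours[failed] > mtpd:
                breaches[name] = (hours[failed], mtpd)
        if breaches:
            result[failed] = breaches
    return result


if __name__ == "__main__":
    print("Rebuild order:", " -> ".join(topological_order(DEPENDENCIES)))
    print("Single-failure MTPD breaches:",
          single_failure_breaches(DEPENDENCIES, REBUILD_HOURS, SERVICES))
    restore = total_loss_restore_times(DEPENDENCIES, REBUILD_HOURS)
    print("Total-loss MTPD breaches:", mtpd_breaches(SERVICES, restore))
```

With the constructed data, the single-failure view flags only one problem (patient records take longer to rebuild than patient care can tolerate), while the total-loss view shows every service breaching its MTPD, because each rebuild has to wait for network, identity and storage to come back first. That gap is exactly the point the article makes: RTOs derived from single-component failures say nothing about survivability when the whole estate is encrypted, and the rebuild order the script prints is the prioritisation the plan needs to record in advance.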
Crisis management planning is key too. If your business continuity plan starts with 'send an email', it will fall at the first hurdle when your communications platform is among the systems taken down by a ransomware attack. What is your backup channel or workaround in this scenario?
Ultimately, the fundamentals of business continuity management remain what they have always been: identify your critical services and the dependencies that underpin them. But one of the key lessons for all organisations from the post-incident report into the Irish HSE ransomware attack is that business continuity and disaster recovery planning must provide for the continuity of critical operations, and for recovery, in the face of a ransomware attack that results in the total loss of IT and its associated data for several weeks.
Get in touch to discuss any of these issues and find out more about how to prepare for and manage the response to a ransomware attack.