How to Plan for Ransomware in 2018

Heart monitors go off simultaneously. Doctors get error messages when trying to access patient records. Then all the computers in the facility go black. The following message appears in scrolling green text:

“Currently, we control your hospital. We own your servers.”

The message demands 4,932 bitcoin — about $20 million in the show but over $71 million as of January 2, 2018 — for an encryption key to unlock the medical records. The records will be destroyed if the ransom isn’t paid in a timely manner.

If you’re a “Grey’s Anatomy” fan, you’ll recognize this scenario as the plot of the series’ dramatic winter finale. While the writers take some artistic license with the technical details of the attack, the show clearly portrays the ethical dilemma businesses often face during a ransomware attack: Do they risk extended downtime and/or data loss while they try to recover their data? Or do they give in and pay the ransom, encouraging future attacks?

How will you respond when ransomware targets your business? We say “when” because 71 percent of cybersecurity experts believe there’s a moderate to extreme possibility their organizations will experience ransomware attacks in the next 12 months.

Here are our top recommendations for protecting your data against ransomware in 2018.

Prepare for Ransomware in the Cloud

Nearly 44 percent of the malware found in the cloud is carrying ransomware, and in 2017, attacks against cloud storage increased. This threat is exacerbated by the fact that cloud applications are available on demand. Any employee can go online, sign up for a free service and download infected software. If they share a service with other employees, the infection can rapidly spread to other systems, thanks to the sync-and-share functionality that’s common to many cloud applications.

Your risk increases if employees access data stored in the cloud using personal devices that aren’t properly maintained, patched and updated. To reduce ransomware threats from shadow IT, make sure you have a bring-your-own-device (BYOD) policy in place, look for unusual activity on the network and follow the rest of our tips below.

Patch Everything

The WannaCry attack infected more than 200,000 computers in 150 countries — all by exploiting vulnerabilities in older Microsoft operating systems. In fact, as Webroot’s VP of cybersecurity and engineering points out, many of 2017’s ransomware attacks could have been mitigated simply by patching systems. It’s worth noting that the colossal Equifax breach — although not a ransomware attack — was reportedly caused by an employee’s failure to apply a software patch.

To thwart criminals exploiting known vulnerabilities in trusted applications, the solution is simple (though admittedly easier said than done): Patch everything. Patch your applications, software, hardware and connected devices as soon as updates are available.

Train Employees to Look for the Latest Phishing Scams

Timely employee training is one of the most effective ways to combat ransomware, as it typically enters the organization through an employee opening a compromised email attachment, falling for a phishing email or visiting a compromised website.

It’s getting harder to spot scams because scammers are skilled at harvesting data from social networks and other online sources to spoof an email from a well-known brand or impersonate trusted content. In fact, spoofing and impersonation comprise 67 percent of successful phishing attacks. Spammers are also hijacking legitimate domains, which they use to create phishing pages. The sites’ good reputations allow the newly created phishing pages to slip past anti-phishing filters.

However, these are only two examples of a growing list of phishing tactics. That’s why it’s important to regularly train employees how to look for the telltale signs of phishing attacks. Training should be mandatory, but to fully engage employees, communicate the message that they’ll learn valuable cybersecurity skills to apply in their personal lives. After all, phishing and ransomware target individuals too.

Maintain Backups and Test Your Restore Process

If all else fails and your data is encrypted, having current backups is the best defense against ransomware. By restoring from backups, you can avoid paying the ransom. That’s why, unfortunately, some strains of ransomware are now going after backups, especially if they’re stored in the same environment as your production systems.

WannaCry, for example, deleted volume shadow copies, which Microsoft Windows automatically creates to allow users to easily recover their data. Network-attached backups are also at risk. After having its data encrypted by ransomware, one police station refused to pay the ransom, knowing that its data was backed up. Unfortunately, the backups were attached to the network and had also been encrypted.
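Because ransomware that deletes shadow copies has to run a command to do it, that command is something you can watch for. The following is an added example (not from the original post) of detection logic over constructed process-creation events in a simple key=value layout; the field names, sample hosts and users are assumptions, and the parent-process list used for severity is illustrative.

```python
import re

# Constructed process-creation events in a key=value layout modelled on endpoint
# telemetry (not real logs). The 'cmd=' field is always last and may contain spaces.
SAMPLE_EVENTS = [
    "2018-01-02T09:14:03Z host=ws-17 user=jdoe parent=explorer.exe image=notepad.exe "
    "cmd=notepad.exe C:\\Users\\jdoe\\report.txt",
    "2018-01-02T09:14:09Z host=ws-17 user=jdoe parent=winword.exe image=cmd.exe "
    "cmd=cmd.exe /c vssadmin delete shadows /all /quiet",
    "2018-01-02T09:14:10Z host=ws-17 user=jdoe parent=cmd.exe image=wmic.exe "
    "cmd=wmic shadowcopy delete",
    "2018-01-02T11:30:00Z host=srv-bk1 user=SYSTEM parent=services.exe image=vssadmin.exe "
    "cmd=vssadmin list shadows",
]

# Command lines that remove Volume Shadow Copies. Routine administration almost never
# wipes every shadow copy from an interactive user session, so these are high-signal.
SHADOW_DELETE_PATTERNS = (
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
)

# Parents that point to a user-driven infection path (macro document, browser, mail
# client). Illustrative assumption; extend to match your environment.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "firefox.exe"}


def parse_event(line):
    """Split one event into a dict; everything after ' cmd=' is the full command line."""
    head, _, cmd = line.partition(" cmd=")
    tokens = head.split()
    fields = {"ts": tokens[0], "cmd": cmd}
    for token in tokens[1:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect_shadow_copy_deletion(lines):
    """Return one alert per event whose command line deletes shadow copies."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not any(p.search(ev["cmd"]) for p in SHADOW_DELETE_PATTERNS):
            continue
        # A shell spawned by Office or a browser that then destroys local recovery
        # points is the classic ransomware sequence; rank it above admin-context hits.
        severity = "high" if ev.get("parent", "").lower() in USER_FACING_PARENTS else "medium"
        alerts.append({
            "ts": ev["ts"], "host": ev.get("host"), "user": ev.get("user"),
            "parent": ev.get("parent"), "cmd": ev["cmd"], "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['ts']} {a['host']} {a['user']} {a['parent']} -> {a['cmd']}")
```

The benign "vssadmin list shadows" line is deliberately not flagged; a hit on a workstation should trigger host isolation and a check that off-network backups are intact, since by the time this fires encryption is usually under way.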

To protect yourself, back up your data frequently and segregate it from your production environment. Be sure to monitor backups for completeness and accuracy as well.

Of course, a backup is only as good as the restore, so it’s important to routinely test your restore process. Include any disaster recovery vendors you work with in your tests to make sure they can restore your company’s data within your recovery time objectives (RTOs).

Know How You’ll Respond to a Ransomware Attack

While you’re working on restoring your systems after a ransomware attack, a comprehensive business continuity plan with a strong focus on cybersecurity can minimize the impact of downtime. For example, will you need to temporarily revert to paper-based processes? Will workflows need to be diverted? If so, know in advance when, how and where you’ll carry out the recovery. Finally, employees should be trained on any systems and procedures to be used during downtime.

"Just because we've lost our computers, we don't have to lose our minds." -- Miranda Bailey, "Grey's Anatomy"

While “Grey’s Anatomy” viewers will have to wait until the series returns on January 18 to see how Grey-Sloan Memorial resolves its ransomware attack, you might not have that long to prepare for an attack. Don’t waste any time creating a response plan. Get started now. For more tips, read “Five Ways to Thwart a Cybersecurity Nightmare.”

Three 2018 Business Continuity Predictions

From hurricanes Harvey, Irma and Maria to the WannaCry ransomware attack, business continuity planners around the nation had several opportunities to put their plans to the test in 2017. In 2018, three words will influence business continuity planning: community, reputation and collaboration. Here are three of our predictions for the upcoming year.

The Increase in Billion-Dollar Weather Events Will Require Businesses to Focus on Community

The 2017 hurricane season proved to be the costliest one to date. Total property losses and economic impact from Harvey and Irma alone are expected to climb as high as $200 billion. The impact of California’s wildfire season isn’t much less — $180 billion — and even before December’s wildfires, 2017 had already set a record as the costliest and deadliest wildfire season in California’s history. According to predictions by Allianz, these billion-dollar disasters will be the new normal.

This new reality will force businesses to consider the impact of disasters on their communities and, in turn, the success of their organizations. If a disaster devastates a region, businesses will have to respond to the needs of the people living in that community — in some cases, both customers and noncustomers alike.

After Hurricane Harvey, for example, First Community Bank in Rockport, TX deployed a Mobile Banking Center, out of which it provided critical services like check cashing and internet access. The bank also met some more basic needs by providing water and meals. By contrast, other financial institutions in the same city remained abandoned, sending the message that they were not able to be there for their customers. Many of these customers, in fact, ended up at First Community Bank instead of driving to an alternate branch location.

In the long term, more businesses will need to look outside their own business continuity strategies and invest in community resilience. Jeff Schlegelmilch, the deputy director of the National Center for Disaster Preparedness at Columbia University’s Earth Institute (NCDP), says investing in community resilience "is not just a moral necessity. Spending on community resilience is also a sound business decision.”


In the wake of large-scale disasters, government agencies will not have the resources to facilitate recovery on their own. After 2017’s barrage of disasters, FEMA’s chief announced that staff were engaged in the longest activation in the agency’s history and were “tapped out.” FEMA’s administrator commented that FEMA was not designed to be the first or only agency responding to a disaster scenario — but it often is. In Canada, British Columbia’s public safety minister described a similar challenge. The government’s emergency systems worked well, but the “‘sheer scale’ of the spring floods and then forest fires overwhelmed the provincial government.”

As billion-dollar weather events increase, businesses will be forced to consider how they can contribute to the community’s resilience. By focusing on serving the community, businesses will in turn protect the long-term success of their organizations.

Customers Will Judge a Business’s Values by How It Responds to a Crisis

A business’s reputation has always mattered, but it matters now more than ever before. Customers expect businesses to take a stand for their values, and customers are scrutinizing them to make sure their actions are consistent with their messages. If there’s any discrepancy, social media will highlight that gap. Social media’s role in the rapid dissemination of information — both good and bad — is a key factor in shaping a business’s reputation.

Going forward, the odds of facing large-scale, highly publicized incidents, like hurricanes or data breaches, are increasing. In many cases, this means that executives and business continuity planners will be faced with an ethical dilemma when developing and evolving their business continuity strategies. They’ll have to ask themselves:

1. Do we do what’s best for the community, stakeholders and greater good?
2. Do we do what’s best for the bottom line?

Case in point: First Community Bank prioritized option 1, using its resources to help residents jumpstart the recovery process. The neighboring businesses chose option 2. They closed their doors, which left many residents without services they needed and ultimately negatively impacted the businesses' reputations and ROI.

"Values play a bigger role than ever before in corporate reputation." When a business responds to a crisis like a devastating disaster or data breach, it reveals its core values — and that could make or break its reputation.

It’s not just the business reputation as a whole that matters, however. In a global survey of executives, respondents estimated that nearly half of a company’s value was attributed to the CEO’s reputation, and they expected this link to strengthen over the next few years.

When a business experiences a crisis such as a data breach, how the CEO responds will have a huge impact on consumers’ perception of the business. Plus, more executives will be held personally responsible for breaches. In fact, a bill has been proposed that could send executives to jail for up to five years for not reporting a breach in a timely manner — which certainly won't do any favors for a business’s reputation.

In the upcoming year, we’ll see businesses renewing their focus on communicating their values through reputation management and corporate social responsibility, though many will treat these as separate endeavors from business continuity. Forward-thinking businesses will bolster their reputations by treating business continuity and crisis management as strategies for building the business and protecting its future.

The Public and Private Sectors Will Collaborate More

As threats of all sorts — from the aforementioned billion-dollar weather events to cyber threats such as ransomware and phishing attacks — target both private and public organizations, the two sectors will share resources and collaborate to mitigate threats affecting the nation. As the Department of Homeland Security says, “Neither government nor the private sector alone has the knowledge, authority, or resources to do it alone.”

Both sectors, in fact, have more in common than it might seem. Consider these words from Ron Ross, National Institute of Standards and Technology (NIST) fellow: “All of us are kind of in this shared space. We all use the same commercial products, whether they’re operating systems, database management systems, cloud services….” While Ross was speaking of IT infrastructure, the same concept applies to how organizations respond to events happening in the physical world, such as acts of terror or severe weather events. These events often affect a private-sector business (or businesses) but require public-sector resources, usually law enforcement and first responders.

NIST Special Publication 800-181 recommends the following:

“Establish relationships, if applicable, between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, public relations professionals).”

This advice is useful for both cyber and traditional business continuity interruptions. Earlier this year, we wrote about one practical way to engage the public sector in your business continuity and crisis management efforts. To improve cybersecurity across industries and sectors, the Department of Homeland Security has established public-private partnership councils and offers information on cybersecurity training and exercises.

In speaking about the aftermath of the 2017 hurricane season, Schlegelmilch (mentioned above) also called for public-private partnership, though he acknowledged that there are still some hurdles to be cleared. Cross-sector collaboration will be a years-long journey, but dialogue about forming relationships across industry and public-private boundaries will continue into 2018.

To hear more predictions, tune in to our Disaster Recovery Journal (DRJ) webinar on January 24.

Webinar: How Cybersecurity Trends Will Affect BC/DR in 2018

Celebrating National Computer Security Day

It’s the holiday season, and we’re ready to celebrate. We’re not talking about turkey or reindeer, but something more critical to your business: National Computer Security Day. Since 1988, businesses worldwide have spent November 30 celebrating effective security measures and practices. While it’s a less recognized holiday, it’s one worth observing if you value cybersecurity.

In honor of National Computer Security Day, we’ve put together these tips and graphics for you to share throughout your organization.

Identify Phishing Emails

Over 75 percent of organizations reported becoming a victim of a phishing attack in 2016. There are some things you can do to help your business avoid joining this growing percentage. Pay close attention to emails that have any or all of the following:

  • Urgent or demanding calls to action
  • Vague greeting (e.g., “Dear Customer”)
  • Fake website links
  • Improper grammar
  • Unprofessional graphics
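Three of the five signs above (urgent calls to action, a vague greeting, and links whose visible text names a different domain than the one they actually open) can be checked mechanically before a message ever reaches an inbox. The following is an added example, not code from the original post, that scores an HTML email body on those three indicators; the sample messages, domains and phrase lists are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that pressure the reader into acting without thinking (illustrative, not exhaustive).
URGENCY = re.compile(
    r"\b(immediately|urgent|within 24 hours|account will be (?:suspended|closed)|verify now|act now)\b",
    re.I)
# Greetings that reveal the sender does not actually know who you are.
GENERIC_GREETING = re.compile(r"\bdear\s+(?:customer|user|member|account holder|valued client)\b", re.I)
DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

# Constructed sample bodies (not real mail). The phish shows a bank URL as link text but
# sends the reader to a look-alike domain; the legitimate mail links to a real subdomain.
SAMPLE_PHISH = """
<p>Dear Customer,</p>
<p>Your account will be suspended within 24 hours unless you confirm your details at</p>
<p><a href="http://examplebank.com.verify-login.example/">https://www.examplebank.com/login</a></p>
"""
SAMPLE_LEGIT = """
<p>Hi Jane,</p>
<p>Your monthly statement is ready. Sign in at
<a href="https://secure.examplebank.com/statements">examplebank.com</a> when convenient.</p>
"""


class _EmailBody(HTMLParser):
    """Collect the visible text and every (href, anchor text) pair of an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def _displayed_host(anchor_text):
    """Host the reader *thinks* the link goes to, or None if the text shows no domain."""
    if "://" in anchor_text:
        host = urlparse(anchor_text).hostname
    else:
        m = DOMAIN_IN_TEXT.search(anchor_text)
        host = m.group(0) if m else None
    if not host:
        return None
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def mismatched_links(links):
    """Links whose visible text names one domain but whose href goes somewhere else.
    A subdomain of the displayed domain (secure.examplebank.com) is accepted;
    a domain that merely starts with it (examplebank.com.verify-login.example) is not."""
    bad = []
    for href, text in links:
        shown = _displayed_host(text)
        actual = (urlparse(href).hostname or "").lower()
        if shown and actual != shown and not actual.endswith("." + shown):
            bad.append((text, href))
    return bad


def assess_email(body_html):
    """Return the phishing indicators found in an HTML email body (empty list if none)."""
    parser = _EmailBody()
    parser.feed(body_html)
    visible = " ".join(parser.text)
    findings = []
    if URGENCY.search(visible):
        findings.append("urgent call to action")
    if GENERIC_GREETING.search(visible):
        findings.append("vague greeting")
    for text, href in mismatched_links(parser.links):
        findings.append(f"link text '{text}' actually points to {href}")
    return findings


if __name__ == "__main__":
    print("phish:", assess_email(SAMPLE_PHISH))
    print("legit:", assess_email(SAMPLE_LEGIT))
```

Grammar and graphics, the other two signs in the list, are still a job for the reader; the point of the check is to surface the mechanical signals so training can focus on the judgment calls.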

Use Strong Passwords

Almost all the passwords users create (90 percent) are vulnerable to hacking. Take the time to come up with unique passwords that aren’t easily guessed for each individual account. Use a combination of words, symbols and numbers, and change your password frequently.

Apply Patches

Seventy percent of successful cyber attacks exploited known vulnerabilities with available patches. Cyber attacks can happen in seconds, so update your systems and always be prepared for the worst.

Lock Your Computer

At least 1 in 3 employees says they leave their computer unlocked when away from their desk. Considering that 71 percent of employees have access to sensitive information, that’s a data breach waiting to happen. One of the easiest ways to reduce the risk of a breach is to simply lock your computer screen when you leave your desk.

Speak Up

If you notice any suspicious activity, report it to your management immediately. When it comes to cyber attacks, time is of the essence, especially if systems have been encrypted by ransomware or if you need to notify customers that their data has been breached.

We hope this holiday reiterates the importance of following security best practices within your organization. Please share our graphics as a way to wish everyone a happy National Computer Security Day!


Need Business Continuity Buy-in? Present It As a Tool for Business Growth

Would you agree that in your organization, management views business continuity planning as a necessary hassle, much like filing taxes? It’s not going to build the business, but you need to do it. That’s one of the reasons business continuity owners constantly struggle to get management buy-in.

The key to getting management’s enthusiastic support for business continuity is to challenge a certain entrenched belief they have about business continuity. It’s mentioned in the previous paragraph, but you might have skimmed over it because it’s usually accepted as fact: Business continuity isn’t going to build the business.

In fact, your business continuity strategy can be used as a tool to build your company’s reputation and visibility in the marketplace. Most people won’t believe this statement at first, so share with them these insights about the connection between business continuity, disaster response and reputation.

Your Response to Disasters Affects Your Reputation

As you know, reputation is a key element of an organization’s success. According to the Reputation Institute, reputation is an emotional bond that ensures:

  • Customers buy your services
  • Policymakers and regulators give you a license to operate
  • The financial community invests in you
  • The media reports favorably on your company
  • Employees align with your corporate strategy

In conversations we’ve had with the Reputation Institute, they’ve revealed that there’s a big gap between what institutions say and what they do. Social media is bringing this gap to light. With the tendency for misinformation and adverse attention to spread rapidly on social media, consumers’ perception of an organization can change in an instant. That’s one of the reasons the Business Continuity Institute’s Horizon Scan 2017 ranked social media second in the top 10 trending issues affecting business continuity.

On the other hand, if your actions support your mission during a crisis situation, people will commend you for it. For example, after Hurricane Harvey devastated Houston, TX, local business owner Jim "Mattress Mack" McIngvale’s response went viral. While most other businesses in the area were closed, he opened up two of his mattress stores to flood victims, demonstrating the values he proclaims on his business website: God, country, family and hard work.

Business operating as a shelter in the middle of flooding

Talk is cheap — listing your values and mission on your website isn’t enough. Your stakeholders expect you to follow through.

Gaining the Benefit of the Doubt Requires a Good Reputation

While a positive response to a disaster will positively impact your reputation, it’s important to create opportunities for reputation building prior to an event. According to Reputation Institute data, as many as 41 to 60 percent of consumers are crucial fence-sitters who can swing to a positive or negative perception of a company because they don’t have a clear understanding of what that company is doing to impact the environment and society. This reputation currency will be critical if a disaster ever impacts your business, as 54 percent of stakeholders would give reputable companies the benefit of the doubt in a crisis.

Prior to experiencing a business interruption, you need to demonstrate your involvement in the community to allow for maximum marketing exposure and help you build trust with your stakeholders. What if you could leverage your business continuity resources to meet that goal?

Here’s a practical example: In 2016, FEMA declared 103 disasters. That's 103 opportunities to make an impact. Imagine deploying a mobile workspace with your company’s branding to the affected area. You could offer needed support, whether it’s providing a free service or distributing food, water and other essential items to members of the community. Even routine business continuity tests can be opportunities for reputation building if you involve the community in crisis response exercises.

When business continuity becomes a way to build the business rather than just another box to check off, management will find a way to get the resources you need to enhance your business continuity program. In fact, we’ve even seen businesses tap into budgets from other departments to make it work.

By demonstrating that you can deliver on your mission in good times and bad, you'll strengthen relationships with your stakeholders and even increase your market share.

Banks: What If You Made These Common Cybersecurity Mistakes With Cash?

“Data is the new currency” is one of the new slogans of the digital transformation. Modern consumers recognize the value of their data, and 67 percent are willing to share more data with banks in exchange for new benefits. Surprisingly, banks don’t always afford sensitive data the same protections they do for physical currency. While PwC’s 2017 Risk in Review report reveals that the financial services industry has strong cyber risk maturity overall, there are a few common mistakes that could be leaving your institution vulnerable. To give you an idea of the gravity of these errors, think of your cybersecurity practices in terms of cash management and physical security.

Transmitting Unencrypted Data Is Like Sending Unsecured Bulk Cash Shipments

Would you ever transfer a bulk cash shipment to a major customer without using their armored carrier service? Not a chance. You know that that decision would not only be a liability for your institution, but it would also put your customer’s assets at risk and breach their trust.

Unfortunately, banks don’t always provide the protection for sensitive data that customers expect. Data must be securely encrypted in transit and at rest, but 30 percent of financial institutions (FIs) say they struggle to protect personally identifiable customer information. Many banks use easily hackable encryption methods such as Blowfish, 3DES, SHA1 and MD5. Instead, use an advanced encryption algorithm such as AES.
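For data in transit, the practical form of "use AES instead" is a TLS configuration that refuses to negotiate 3DES, MD5 or SHA1-based suites. The following is an added example using Python's standard `ssl` module, not code from the original post: an audit function over a constructed list of cipher-suite names, and a hardened context whose remaining suites pass that audit. Treating RC4, NULL and export-grade suites as weak alongside the post's list is my assumption; Blowfish has no TLS suite and so does not appear.

```python
import ssl

# Substrings that identify suites built on the algorithms the post calls easily hackable
# (3DES appears as DES-CBC3, MD5 as a MAC), plus RC4, NULL and export grades, which any
# TLS audit should also reject (assumption, not from the post).
WEAK_MARKERS = ("DES", "MD5", "RC4", "NULL", "EXP")

# Constructed inventory of suite names in OpenSSL notation, as a scanner might report them.
SAMPLE_INVENTORY = [
    "ECDHE-RSA-AES256-GCM-SHA384",   # AES-GCM, SHA-384 PRF: acceptable
    "DES-CBC3-SHA",                  # 3DES with HMAC-SHA1
    "ECDHE-RSA-AES128-SHA",          # AES, but the MAC is HMAC-SHA1
    "RC4-MD5",                       # RC4 with HMAC-MD5
    "TLS_AES_128_GCM_SHA256",        # TLS 1.3 AEAD suite: acceptable
]


def weak_suites(names):
    """Return the suite names whose cipher or MAC relies on a deprecated algorithm.
    In OpenSSL naming a suite that ends in '-SHA' uses HMAC-SHA1 as its MAC, while
    '-SHA256'/'-SHA384' denote SHA-2 and are fine."""
    flagged = []
    for name in names:
        upper = name.upper()
        if any(marker in upper for marker in WEAK_MARKERS) or upper.endswith("-SHA"):
            flagged.append(name)
    return flagged


def hardened_context():
    """Context that only negotiates forward-secret AES-GCM or ChaCha20 AEAD suites.
    set_ciphers() governs TLS 1.2 and below; TLS 1.3 suites are all AEAD already."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def audit_context(ctx):
    """Names of the suites a context would still offer that fail the weak-suite check."""
    return weak_suites(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    print("weak in inventory:", weak_suites(SAMPLE_INVENTORY))
    ctx = hardened_context()
    print("offered by hardened context:", [c["name"] for c in ctx.get_ciphers()])
    print("weak in hardened context:", audit_context(ctx))
```

Run `weak_suites()` over the suite list your scanner or load balancer reports to see which legacy suites are still on offer; the same check applies to the cipher string in a web server or proxy configuration.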

Giving Unvetted Vendors Access to Data Is Like Handing Cash Over to an Unverified Armored Carrier

Going back to the bulk cash shipment scenario, imagine handing over currency to an armored carrier guard without first verifying their identity. This is an egregious security violation, wouldn’t you agree? Yet when it comes to sensitive data, many banks fail to vet third-party vendors they allow to access the sensitive data in their care. In fact, 41 percent of financial services respondents ranked assessment of security protocols and standards of third-party vendors as the top challenge to information security efforts.

The FFIEC’s guidelines for outsourcing technology services recommend a “comprehensive outsourcing risk management process to govern technology service provider (TSP) relationships.” Make sure you work with vendors whose operations are regularly examined by a third party. This ensures the vendor’s risk management and information protection practices adequately address data confidentiality and regulatory compliance.

Disregarding Network Alerts Is Like Ignoring Your Vault Alarm

What if you only investigated burglar alarms 56 percent of the time?

Would you be appalled if your vault alarm went off and your staff members ignored it? In a way, that’s what is happening with cybersecurity alerts. Institutions are only able to investigate 56 percent of security alerts they receive on a given day. Of those, only 46 percent of legitimate alerts are remediated. Granted, security operations managers see more than 5,000 security alerts per day — exponentially more than you’ll ever receive from your burglar alarm. However, the lack of resources for monitoring alerts is concerning.

With there being a security talent shortage, outsourcing can help your institution meet its overall strategic plan and corporate objectives. The FFIEC has specific guidelines for using a managed security service provider (MSSP). You might also consider using a fully managed cloud vaulting solution to move critical data off-site to protect yourself against ransomware.

Assuming Employees Know Cybersecurity Best Practices Is Like Expecting Them to Know Your Physical Security Policies Without Training

When hiring a new employee, what if you assumed they knew the proper cash handling guidelines, how to handle a holdup situation or how to respond to an active shooter event? That’s a disaster waiting to happen. Chances are, you invest countless hours on training employees in these areas. Even if someone has experience in the financial services industry, it’s imperative to make sure they understand your institution’s specific policies and procedures.

Unfortunately, training is one of the top five cybersecurity challenges in banking. In fact, less than half of financial services organizations polled even have a formal information security policy. To reduce the risk of cybersecurity threats, it’s critical to create a security culture. The FFIEC recommends annual security training to reinforce guidelines for endpoint security, login requirements and password administration. The training should include the following three increasingly common scenarios:

• Phishing and social engineering
• Data theft through email or removable media
• Unintentional posting of confidential or proprietary information on social media

Improving your cybersecurity practices is not only the right thing to do, but the FFIEC, Gramm-Leach-Bliley Act and other regulatory agencies and regulations require it. If you’re unsure where to start, the FFIEC Cybersecurity Assessment Tool is a helpful resource for assessing your bank’s cybersecurity maturity.

[Webinar] Outsourcing Cloud Data Services

Is Outsourcing Cloud Data Services Right for You?

The IT landscape is being transformed by increasing regulatory burdens, consumer expectations of data security and reliance on data availability for service delivery. In our recent webinar with the Disaster Recovery Journal, Brandon Tanner, Rentsys senior manager, discussed how IT challenges are affecting highly regulated organizations.

With these challenges, is outsourcing cloud data services a good move for regulated businesses? For some, it is. In the webinar, Paul Arguinchona, CIO for Frontier Behavioral Health (FBH), a nonprofit provider of behavioral health services, explains how his organization has leveraged outsourced cloud data services to fulfill FBH’s mission and values.

To see what Brandon and Paul had to say, view the webinar on demand.

[INFOGRAPHIC] Is Your Data Secure?

In 2016, 77 percent of all breaches were caused by insiders. As more employees use their own devices for handling sensitive data, that risk will only go up. To see how bring your own device (BYOD) is contributing to data security risks, check out this infographic by Commvault (download the full version here):


To learn more about creating a secure BYOD policy, read this post.

What You Can Do to Help Wildfire Victims

ArcGIS Northwest Large Fire Interactive Map (Current As of 9.18.17)

While Texas and Florida have been dealing with catastrophic flooding from Hurricane Harvey and Hurricane Irma, the West Coast has been dealing with the worst wildfire season in the U.S. So far, over 8 million acres have been burned, with 2 million currently in flames. In some areas, including Portland, OR, public health authorities are recommending that people stay inside because the air quality is so poor.

To see how you can help some of the affected states, visit the links below:

Do you know of more ways to help? Let us know in the comments.

Why FIs Need Resilient Call Centers in a Self-Service World

In a survey, 71 percent of consumers said they would use entirely computer-generated support for financial services. With the majority of consumers preferring self-service options, should your financial institution (FI) still prioritize traditional service delivery methods, including calls, in your business continuity program? In short, the answer is yes.

Here are two reasons you should.

Customers Prefer Phone Calls for Certain Situations

Self-service solutions work for everyday transactions, but customers still pick up the phone when they’re in the research phase of a major financial decision. For example, 65 percent of people are more likely to take out a loan from an institution they had spoken on the phone with. That number jumps to 73 percent for loans of $100,000 or more. In other cases, customers prefer to pick up the phone to get a quick answer without having to fill out a web form or to discuss a complex situation.

Paying attention to the wants and needs of consumers is crucial as customer loyalty drops. If your call center experiences an extended outage and you’re not available by phone when a customer needs you, they won’t hesitate to do business with a different organization.

There Are Compliance Requirements for Call Center Availability

In many cases, the accessibility of phone service is tied to compliance. The FFIEC, for example, requires FIs to perform vulnerability assessments for critical support areas and interdependencies such as telecommunications. It also stipulates that the backup site should mirror operational functionality, including call centers. To ensure the business continuity plan works in practice and not just on paper, the FFIEC recommends stress testing critical functions that might experience increased customer volume during a crisis. These functions include online banking, phone-based banking, ATMs and, of course, call centers.

If phone calls precede large transactions, that’s all the more reason to ensure you have agents ready to assist customers.

A Quick List of Hurricane Irma Resources

In August, Texas was faced with the wrath of Hurricane Harvey, and now Florida is feeling the sting of Hurricane Irma. Already we’ve seen the community rally together to help those impacted by Harvey. We’re optimistic that we’ll see a similar response to Irma.

Google Crisis Response Map

Whether you’ve been affected by Irma or are looking for ways to help, here are some useful resources:

  • Airbnb — Locate a place to stay or open your home up to someone in need.
  • Federal Trade Commission — Get tips for avoiding scams when donating to relief efforts.
  • FEMA — Find a list of surrounding shelters that haven’t reached capacity by downloading the FEMA app or texting SHELTER + your ZIP code to 43362 (4FEMA). Avoid falling victim to misinformation and scams by visiting the Rumor Control page.
  • Google Crisis Response — Locate shelters, gas stations, evacuation routes and traffic patterns.
  • LifeSouth or American Red Cross — Find a blood drive near you.
  • Waze — Check for closed roads and accidents.

To get a peek at how communities and businesses are working toward recovery in the wake of Harvey and Irma, check out our ongoing storm coverage.
