There was no shortage of challenges for business continuity professionals in 2016. As we move into a new year, we wanted to highlight some of the themes from last year, as we fully expect to see more of the same this year. Here are our top six observations.
Ransomware Was the Most Talked-About Cyber Threat
It’s responsible for shutting down transit systems. It’s cut off communications among hospital staff. It’s extorted millions of dollars from banks. “It” is ransomware — a type of malware that encrypts a victim’s data. The attacker then demands a ransom in exchange for the decryption key.
Back in March, the Los Angeles Times declared that 2016 was “shaping up as the year of ransomware.” The prediction rang true — Kaspersky Lab confirmed that ransomware attacks against businesses increased threefold in 2016. Healthcare is by far the most targeted industry, with telecom and transportation trailing behind.
Ransoms can reach into the range of thousands of dollars. Hollywood Presbyterian Medical Center, for example, paid $17,000 worth of bitcoin to quickly regain access to its data. The FBI, however, has recommended against this strategy, saying that giving in to criminals’ demands only encourages further criminal activity and that there’s no guarantee businesses will receive a working decryption key after paying the ransom.
The best defense is the one the U.S. Department of Health and Human Services recommends: regularly back up data and keep those backups offline or otherwise unreachable from the systems they protect (so ransomware that encrypts the primary copies cannot also encrypt the backups), test that you can actually restore from them, use security software and educate employees on cybersecurity best practices.
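The backup advice above is only as good as the restore it enables. The following Python script is an added example, not code from this page or from HHS: it takes a backup with a SHA-256 manifest, detects files that have since been overwritten or renamed (the two things ransomware does to a file), restores only those from the backup copy, and refuses to restore from a backup copy that no longer matches the manifest (a sign the backup was reachable by the malware). The directory layout and file contents are constructed for the demo.

```python
"""Backup manifest, damage detection and verified restore (added example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(live: Path, backup: Path) -> dict:
    """Copy every file under `live` into `backup` and record its hash in a manifest."""
    backup.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for p in sorted(live.rglob("*")):
        if p.is_file():
            rel = p.relative_to(live).as_posix()
            dest = backup / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
            manifest[rel] = sha256_of(p)
    # The manifest travels with the backup; keep both unreachable from production.
    (backup / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def find_damaged(live: Path, manifest: dict) -> dict:
    """Return {relpath: reason} for live files that no longer match the manifest."""
    damaged = {}
    for rel, digest in manifest.items():
        p = live / rel
        if not p.exists():
            damaged[rel] = "missing"      # e.g. renamed to *.locked by ransomware
        elif sha256_of(p) != digest:
            damaged[rel] = "modified"     # e.g. encrypted in place
    return damaged


def restore(live: Path, backup: Path, manifest: dict, damaged: dict) -> list:
    """Restore only damaged files, verifying each backup copy against the manifest."""
    restored = []
    for rel in damaged:
        src = backup / rel
        if not src.exists() or sha256_of(src) != manifest[rel]:
            # The backup itself was altered: it was reachable by the attacker.
            raise RuntimeError(f"backup copy of {rel} does not match manifest; restore aborted")
        dest = live / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)
        restored.append(rel)
    return restored


def demo() -> dict:
    """Constructed scenario: back up, simulate a ransomware hit, detect and restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        (live / "records").mkdir(parents=True)
        (live / "records" / "patients.csv").write_text("id,name\n1,Alice\n")
        (live / "notes.txt").write_text("quarterly notes\n")
        manifest = take_backup(live, backup)
        # Simulate ransomware: one file encrypted in place, one renamed after encryption.
        (live / "records" / "patients.csv").write_bytes(b"\x00\x11encrypted-garbage")
        notes = live / "notes.txt"
        notes.rename(notes.with_name("notes.txt.locked"))
        damaged = find_damaged(live, manifest)
        restored = restore(live, backup, manifest, damaged)
        return {"damaged": damaged, "restored": restored,
                "remaining": find_damaged(live, manifest)}


def demo_tampered_backup() -> bool:
    """Constructed scenario: the backup copy was altered too; restore must refuse."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        live.mkdir()
        (live / "a.txt").write_text("original\n")
        manifest = take_backup(live, backup)
        (backup / "a.txt").write_text("tampered\n")   # backup was reachable by malware
        (live / "a.txt").write_text("encrypted\n")
        try:
            restore(live, backup, manifest, find_damaged(live, manifest))
        except RuntimeError:
            return True
        return False


if __name__ == "__main__":
    print(demo())
    print("tampered backup refused:", demo_tampered_backup())
```

In practice the backup target would be a location production hosts can write to only through an append-only or pull-based mechanism, and the restore drill (`find_damaged` followed by `restore` into a scratch directory) would be scheduled, not run only after an incident.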
Data Breaches Continued Unabated
Data breaches have spent plenty of time in the spotlight during the past few years. Whether they involved a hacker exploiting a vulnerability while a client moved from one online services vendor to another; a healthcare vendor losing hard drives containing patient data; an employee falling for a phishing attempt and exposing employee W-2s; or a hospital employee accessing files without authorization over a period of several years, data breaches put countless Americans’ data at risk in 2016.
The exact cost is debatable, but the risks are clear: Businesses risk not only data loss but also intellectual property theft, exposure of company secrets, source code sabotage, investigations by regulatory authorities, reputation damage and costly litigation. The list of consequences goes on and on.
The top three sectors targeted in 2016 were government, healthcare and business. Businesses in the healthcare industry are a prime target, because unlike credit card numbers, personal data like Social Security numbers and medical records can’t be easily changed, so they fetch a premium on the black market.
Some businesses take out data breach insurance policies as protection, but this strategy is no substitute for business continuity planning.
Businesses Lack the Resources for a Well-Rounded Business Continuity Program
Companies aren’t always well equipped to deal with the business continuity threats they’re facing, especially when it comes to disaster recovery (DR) and cybersecurity.
Cybersecurity technology might be top of mind for the global C-suite, but finding the security talent to accompany it is another story. A combination of rapidly evolving cyber threats and inadequate education programs has led to a shortage in security talent. The security professionals that do exist command such high salaries that they’re inaccessible to SMBs and industries that don’t pay as much for cybersecurity talent as others (the financial services industry pays more than healthcare, for example).
Disaster recovery, on the other hand, simply isn’t a top priority for half of C-level execs. Perhaps this is because 65 percent of execs are already confident in their organizations’ DR plans. Problematically, only 31 percent of IT managers agree with this assessment.
Considering these shortcomings, it’s not surprising that only 51 percent of businesses report having a comprehensive business continuity plan.
Vendor Due Diligence Became a Larger Part of Compliance
As always, compliance plays a prominent role in business continuity. In 2016, businesses that are subject to guidelines set by the Federal Financial Institutions Examination Council (FFIEC) and the Health Insurance Portability and Accountability Act (HIPAA) saw their regulatory burden increase. Now, these businesses are being held responsible for performing due diligence on any outsourced service providers that provide essential technology services and/or handle protected health information (PHI) or personally identifiable information (PII). What’s more, they must also perform due diligence on any third parties and their subcontractors used to provide the contracted services.
HIPAA is especially strict — it holds business associates (i.e., vendors and their subcontractors that handle PHI on a covered entity’s behalf) directly responsible for observing HIPAA requirements. In 2016, the Office for Civil Rights (OCR) launched Phase 2 of its HIPAA audit program, and the same year saw OCR’s first settlement with a business associate.
The emphasis on vendor management is driven in large part by the increasing number of cyber threats. The OCR issued an alert on the importance of cyber awareness, and the FFIEC issued a warning about cyber attacks.
The DRaaS Market Continued to Expand
The cloud market — particularly the disaster recovery as a service (DRaaS) market — has continued to expand. In 2016, the DRaaS market was worth $1.68 billion and is expected to be worth $11.1 billion by 2021, growing at an estimated CAGR of 45.9 percent.
Data breaches are hastening the move to the cloud, and MSPs are realizing the vast revenue potential of offering DRaaS to their customers. It’s especially appealing to SMBs that lack the resources and expertise to manage a cloud solution, large enterprises that want their dedicated IT staff to spend more time on revenue-generating projects, and organizations that want to leverage multiple clouds (e.g., private and public).
New Weather Challenges Emerged
Data security garnered plenty of attention in the media during 2016, but unique weather threats and natural disasters put business continuity plans to the test as well.
For instance, the 2016 hurricane season was a significant one on many levels. It boasted the most hurricane activity since 2012 (there were 15 named storms) and had the most major hurricanes (three) since 2011. Additionally, the Atlantic saw its first Category 5 hurricane in nine years. While hurricane season officially begins in June and ends in November, this season ran well beyond those bounds: Hurricane Alex made an early appearance in the Atlantic in mid-January, and Hurricane Otto showed up in the Caribbean on Thanksgiving. We can expect more of the same in years to come, as some projections suggest hurricane season could lengthen by as much as a day every year.
NASA reports that fire seasons are getting longer and more frequent as well, with dry landscapes and hotter temps creating prime conditions for fires. To make matters worse, the Forest Service is underfunded and struggling to accommodate fire suppression efforts. The 2016 season included destructive fires such as the Clayton fire in Lake County, California, which destroyed 175 structures. In August, the National Interagency Fire Center reported that California ranked highest for the number, size and severity of wildfires in the West.
The Southeast also experienced significant wildfire activity, which is uncharacteristic of the region. As of November 20, forest fires had burned 119,000 acres across eight states. These numbers don’t include the deadly fires in Gatlinburg, TN — the worst the state has experienced in 100 years. Those blazes alone destroyed more than 2,400 structures and scorched 20,000 acres, killing 14 and injuring 175.
Outlook for 2017
Considering the threats we faced in 2016, our advice for 2017 is to be vigilant, as threats exist on all fronts, from natural disasters to cyber breaches. When planning for cyber threats, be sure you don’t neglect your physical infrastructure. With severe weather threats and natural disasters always on the horizon, you need to consider the impact of not having access to your primary facility. Train your employees well and invest in third-party help if your internal resources aren’t adequate for ensuring you’re protected.