There are two types of companies – those who’ve been hit by ransomware, and those who haven’t…
It might sound melodramatic, but it’s true. Last year alone, we saw ransomware take a slew of high-profile Australian companies offline. No sector is spared with supply chain and logistics, manufacturing, media and marketing, hospitals and healthcare, legal firms, retailers, and tourism providers all finding themselves in the crosshairs.
The threat is compounded by a classic Australian “she’ll-be-right” mindset that prevents many organisations from prioritising investments into new data protection measures prior to an attack.
But with recent research finding the average cyber ransom paid by Australian enterprises was $1.25 million, and that almost one-third of local businesses had no choice but to pay attackers following a ransomware attack, is “she’ll be right” enough?
While a ransom demand’s price tag is daunting in itself, the cost of lost productivity is frequently overlooked when trying to calculate the true cost of recovering from a ransomware attack.
In one example from last year, a local firm took six weeks to restore operations and recent research found the average downtime following an attack was 16 days – think about how much revenue, how much trust, and how much morale your organisation would lose if it were taken offline and unable to operate for weeks?
In a way, it is similar to car insurance. You never know if you’ve got a good insurance policy or a bad one until you have an accident.
For many businesses, their “insurance policy” is their perimeter defences – their firewalls, end-point protection, and sandbox solutions.
But what happens when these are bypassed? Perimeter solutions might stop most attacks, but they won’t stop all attacks.
This underscores just how critical it is to view cyber risk as corporate risk. Whether it is ransomware attackers encrypting your data and taking operations offline for weeks or exfiltrating sensitive business and customer information then threatening to share it with the world, cyber-attacks are not just an IT issue – they’re a business issue.
Even the Australian Cyber Security Centre, in its latest threat report, labelled ransomware as “one of the most significant threats” facing Australian businesses and governments while highlighting that recovering from ransomware was almost impossible without comprehensive backups.
Backups are the last line of defence. In the same way you don’t just lock the door to the office – you also keep valuables locked away in a safe – protecting your backups ensures that when perimeter defences fail, you have an additional, immutable ‘insurance policy’ protecting your data.
Immutability is a relatively new idea, but it is critically important to protecting your business from ransomware attacks. By definition, it means something that cannot be changed – ever.
With a comprehensive, immutable backup strategy, your business can be back-up-and running in just minutes – rather than weeks – after a ransomware attack by simply restoring data and operations from a ‘save point’ prior to the infection.
As ransomware strains become more sophisticated, immutability is a must-have feature of any business continuity and resilience strategy. Attackers know that if they can corrupt your backups, remediation becomes extremely difficult, making it more likely you’d negotiate with them, engage with them, and pay their ransom.
But this act in itself poses significant risk – not just to the business, but directly to the board.
For one, there’s no guarantee the attackers will make good on their promise to return your data. For two, the board will be making the decision whether to pay or not – I guarantee you it will not be the IT team. For three, there’s also the risk that paying certain attackers could run afoul of the Anti-Money Laundering and Counter-Terrorism Financing Act.
So before your business finds itself in the denial, confusion, panic, and anarchy that follows in the wake of a ransomware attack, ask yourself whether or not your business is having these conversations at the executive and the board level.
Because if not, I hope for your business’ sake that ‘she’ll be right’.
Jamie Humphrey is managing director at Rubrik Australia and New Zealand, a cloud data management company, which aims to help enterprises achieve data control to drive business resiliency, cloud mobility, and regulatory compliance.