The Cyber-Attack Aftermath - Who You Gonna Call?
The Cyber-Attack Aftermath: When the worst happens, “Who You Gonna Call?”
By Mark Gibson, Managing Director of Capito Ltd
Our MD Mark Gibson discusses the importance of preparing for the worst case scenario and why companies need to know how to respond when their systems are compromised - we would love to hear your feedback.

…And the answer is not “Ghostbusters…” If you are over 40 and started humming the tune to the Ray Parker Jr classic from the 1984 comedy film, then this is where it gets serious.
As a reminder, the plot follows the new business start-up
‘Ghostbusters,' a ghost removal service. After struggling to get on their feet,
they investigate the strange happenings in a New York apartment, and discover
that the entire city is besieged by ghosts and otherworldly demons through a portal
in the Central Park building.
In the week of Halloween, it got me thinking about how this film
is a great analogy to the current threat from cyberattacks, particularly ransomware.
Replace the Ghosts and Ghouls with Criminal Gangs who manifest
themselves as hackers. The portal where they enter the apartment becomes the points
of compromise in an organisation’s information security, or just individual
failure. The subsequent catastrophic events that lead to a city-wide meltdown,
fuelling a multi-film franchise, is easy to relate to a serious data breach or cyber-attack.
Only in the case of the present and immediate danger posed
by serious and organised crime, surfacing as malicious hacking for most
organisations, there genuinely is not an equivalent to a speed-dial to Ghostbusters.
‘Remediation’ or ‘fixing stuff’ post-event is challenging,
costly and in the extreme can totally debilitate an organisation. Planning pre
and post cyber-attack is crucial.
Whilst a recent survey of Chief Information Security
Officers (CISOs) found more than two thirds of organisations expected to be
challenged by a ransomware attack, my observation is that most of the emphasis
and effort is still directed at prevention, with much less focus on the
immediate aftermath of an attack. While
investing in Technology or Education and Controls is key to preventing an
attack, there is no silver bullet and many are still failing to prepare for an
increasingly common scenario.
In recent weeks, Government Communications Headquarters (GCHQ)
reported that Ransomware attacks in the UK have doubled, with attacks being
described as “largely uncontested” and “highly profitable”, according to GCHQ’s
director Sir Jeremy Fleming.
Closer to home in Scotland, in the last week we saw the
widespread coverage of the report into the Scottish Environmental Protection Agency’s
(SEPA) well-publicised ransomware attack, which crippled the organisation last
Christmas. This was a cyber-attack displaying significant stealth and malicious
sophistication, according to Police Scotland.
To his credit, the CEO of SEPA has been very open in his
comments and organisational learnings under tremendous scrutiny. ‘Be Ready’ was his sentiment – even large
public bodies and corporations who have adequate security in place are being compromised.
Ransomware, in its simplest form, is a targeted virus that
employs encryption (clever code that locks up access to data) to hold a
victim’s information to ransom. An organisation’s critical data is rendered
inaccessible so that they cannot access files, databases, or even 3rd party applications
such as Payroll Systems or Manufacturing systems. What then follows is the ‘Ransom’
demand, which is typically a request for untraceable crypto currency, to provide
access.
With the increasingly available access to cyber hacking
tools and cryptocurrency payment mechanisms, facilitated by the adoption of digital
banking, industry analysts and law enforcement specialists all point to a
continuing rise in the frequency, intensity and sophistication of ransomware
attacks.
When it comes to ransomware, your company size or industry
is not a factor. The bad guys - cyber
criminals - don’t discriminate, so no sector is immune.
I predict 2022 will be the year Cyber Remediation becomes
much more of a key topic of discussion and focus.
As part of your business continuity strategy (you have one,
right?), consider some scenarios and play them out. This should include who’s in your network of
advisors and experts, as there is no substitute for experience with this
emerging and growing problem. Experienced
cyber-attack incident response is key.
Would your team know what their first steps should be upon
discovering that your network has been compromised? What should you prioritise to limit the amount
of damage caused by the breach? How do
you alert key staff? Who do you turn to
for immediate support?
Who are YOU gonna call?