The Ransomware Dilemma
Why is cyber failing at preventing all these recent ransomware attacks? This caption in a post today caught my attention.

First, let's address the concept of ransomware attacks briefly. Ransomware, as you will find through a quick web search, is an attack methodology wherein the attacker discovers a means of encrypting a target's data such that only a private key the attacker possesses can decrypt it. The attacker then holds the data for ransom: pay to get the required decryption key, or your data is lost forever. It is unfortunate that, in our digital age, too many entities are still susceptible to this attack methodology. But what is truly unfortunate is that too many senior-level people in these organizations complain that Cyber is too hard, too expensive, or too difficult to implement. In this case, these companies are victims of their own laziness and incompetence more than they are victims of the attackers.

Ransomware has one very simple, fairly inexpensive solution: backups. If your data is encrypted and you have a backup of that data, then losing the data is no big deal. You have a copy. But isn't it so hard to back up your data? No. Not really. Depending on your platform, a simple web search and a little bit of time is all that's needed to find and implement a solution for backing up your data. Now, in major commercial enterprise systems, does this become more challenging? Yes. Obviously. However, in those environments it becomes all the more important. It will take a quality systems engineer some time spent working with the members of your team to identify what needs to be backed up, how often, and where.
But, in the end, the pittance spent on those man-hours and the hardware needed to do large, iterative backups will pale in comparison to the cost of either paying the ransom (which, by the way, never gets you the decryption key) or the cost of losing all that data permanently (suffering a loss in reputation, a loss in customer revenue, and potentially the death of the business).
Unfortunately, this is often the case with many things in the Cyber Security field. We hear complaints about how hard it will be, how much it will cost, how long it will take, etc. But in reality, many of the security measures that need to be implemented are simple, cheap, expedient, and effective ways of stopping attackers in their tracks. Have a backup solution implemented and use it. Even if you feel it is obnoxious to back up your data daily, perform a weekly, fortnightly, or monthly backup. When that terrible day hits and you lose all your data (and it could be a simple system failure that takes it from you), you'll breathe a sigh of relief knowing that you have a copy of everything important, and you won't lose too much time getting back to a place of productivity and profitability.
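The backup discipline the post argues for has three parts that are easy to skip: keep a copy that a later bad run cannot overwrite, prove the copy is still intact, and prove it actually restores. The following is an added example, not code from the original post, showing those three steps in plain Python. Every file name and the sample content are constructed for the demonstration; the "damage" step simply overwrites two live files with random bytes as a test fixture so the comparison against the manifest has something to find.

```python
"""Added example: versioned backup with a SHA-256 manifest, integrity check,
change detection against the live copy, and verified restore."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, backup_root: Path) -> Path:
    """Copy source into a new timestamped snapshot and write a manifest beside it.
    Snapshots are never overwritten, so an earlier good copy survives a later bad one."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    snapshot = backup_root / stamp
    shutil.copytree(source, snapshot / "data")
    manifest = {"created": stamp, "files": hash_tree(snapshot / "data")}
    (snapshot / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return snapshot


def load_manifest(snapshot: Path) -> dict:
    return json.loads((snapshot / MANIFEST).read_text())["files"]


def verify_backup(snapshot: Path) -> list:
    """Files in the snapshot whose contents no longer match the manifest.
    An empty list means the copy is intact and restorable."""
    expected, actual = load_manifest(snapshot), hash_tree(snapshot / "data")
    return sorted(n for n in set(expected) | set(actual)
                  if expected.get(n) != actual.get(n))


def diff_against_snapshot(live: Path, snapshot: Path) -> dict:
    """Compare the live data set to the last known-good snapshot.
    Many unrelated files turning up in 'modified' at once is what mass encryption
    looks like from the outside, and is the cue to stop backing up from that host."""
    expected, actual = load_manifest(snapshot), hash_tree(live)
    return {
        "modified": sorted(n for n in expected if n in actual and actual[n] != expected[n]),
        "missing": sorted(n for n in expected if n not in actual),
        "new": sorted(n for n in actual if n not in expected),
    }


def restore(snapshot: Path, target: Path) -> bool:
    """Rebuild target from the snapshot, then prove the restore by re-hashing it."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snapshot / "data", target)
    return hash_tree(target) == load_manifest(snapshot)


def demo() -> dict:
    """End-to-end run on constructed sample data in a temporary directory."""
    work = Path(tempfile.mkdtemp())
    live, backups = work / "live", work / "backups"
    (live / "reports").mkdir(parents=True)
    (live / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
    (live / "reports" / "q1.txt").write_text("quarterly report\n")
    (live / "readme.txt").write_text("keep me\n")

    snap = create_backup(live, backups)
    intact = verify_backup(snap) == []

    # Simulated damage: two live files overwritten with random bytes stand in for
    # an unreadable payload. This is a test fixture, not encryption.
    for name in ("ledger.csv", "reports/q1.txt"):
        (live / name).write_bytes(os.urandom(64))

    changes = diff_against_snapshot(live, snap)
    restored_ok = restore(snap, live)
    shutil.rmtree(work)
    return {"snapshot_intact": intact, "changes": changes, "restored_ok": restored_ok}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is what turns "we have a copy" into "we have a copy we can trust": `verify_backup` should run on a schedule against the backup store itself, and `diff_against_snapshot` against the live data before each new snapshot is taken, so a host that has already been encrypted does not quietly become the newest "good" copy.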
So, we have the solution, and you may say, "Yeah, sounds great, but how do I convince my boss to implement this?!" Our industry has been selling FUD (Fear, Uncertainty, and Doubt) for far too long. Instead, do your homework. Take a good long hard look at what would happen to your organization if it lost all its critical data tomorrow. What could it cost the company? What would recovery cost? Could you even recover? Find a way to put a monetary cost behind it. As Cyber professionals, we don't think this way, but all of our business-minded team members do. It's time for us to bridge the gap. Show them what they stand to lose, and then present them with the tiny amount you'd like them to spend to mitigate it. Overestimate your costs. Not by a whole lot, but pad your estimate by 10-20%. This will allow you to implement your complete solution while still showing them that you're able to make sacrifices by letting them trim your budget by 10-15%. You both win. Trust me: even with the extra padding, your cost to implement backups will still be eclipsed by the cost of doing nothing.