Staying secure, vigilant, and resilient in the face of today's heightened threats means acknowledging this is not just a technology problem.
CIOs are no strangers to cyber risk, but today's ransomware attacks can present an entirely new set of challenges. Although many threats have tended to target specific companies, ransomware mega-attacks like WannaCry and Petya have simultaneously hit companies of all sizes across industries and around the globe. These new ransomware attacks don't discriminate: The more digitally connected the company, the greater its exposure.
"With these ransomware variants, if they find you, they will attack you," says John Gelinne, a managing director with Deloitte & Touche LLP. "Technical resilience must be a strategic imperative in the new digital business era."
Ransomware is big business. After infecting hundreds of thousands of machines in more than 150 countries, WannaCry alone cost companies roughly $10 million in ransom, according to cyber risk modeling firm Cyence, which pegs the cost of cyber business disruptions to the global economy as high as $8 billion. "Organizations pay because recovery is often impossible," says Pete Renneker, a senior manager with Deloitte & Touche LLP. "There is a false sense of security that existing disaster recovery programs have prepared for this."
On the contrary, standard models for backup and recovery usually aren't enough to mitigate the threat. "Traditionally, recovery programs have been designed with physical disruptions in mind: Redundant backup systems are set up in separate locations to protect against a physical event," says Jeremy Shubert, a specialist leader with Deloitte & Touche LLP. "However, ransomware attacks the integrity of a company's computer system, not its physical presence." Because such assaults infect backup systems along with production environments, all that planning and investment can be rendered useless.
Making matters worse, the degree of redundancy in a company's systems is often directly proportional to their importance. "The more critical the application or system, the more aggressive the backup strategy," says Renneker. "This means cyber incidents disproportionately affect the most critical business processes. Mission-critical applications that are replicated across sites will see ransomware disrupt production and recovery environments simultaneously."
The challenges cannot be solved by technology alone. Disaster recovery has been around for more than 30 years, and industry-leading practices are well established. These practices have been formalized into regulations, standards, and frameworks that have, in turn, driven CIO policies and architectures. "The established practices have driven a culture of after-the-fact contingency planning," says Gelinne. "That needs to be changed. When facing a cyber adversary, organizations need to bake resilience into their environments, so they can not only withstand the attack, but respond and recover with minimal impact on business."
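The failure mode Shubert and Renneker describe (a synchronous replica faithfully copying a corrupted production environment, so the recovery site is lost at the same moment as production) can be shown with a small model. The following is an added illustration, not code from the article or from Deloitte; the class names, the volumes, and the "nightly" snapshot label are all constructed for this example. Volumes are plain dictionaries of path to bytes, and the integrity event just overwrites contents, so nothing on a real filesystem is touched. The point it makes beyond the text: a retained point-in-time copy is only a usable recovery point if its fingerprint was recorded somewhere the attack could not reach, so that a restore can be verified before it is trusted.

```python
"""Mirrored redundancy vs. retained, verified recovery points (constructed model)."""
import hashlib
from copy import deepcopy


def digest(volume):
    """Stable fingerprint of a volume: SHA-256 over sorted (path, content) pairs."""
    h = hashlib.sha256()
    for path in sorted(volume):
        h.update(path.encode())
        h.update(b"\0")
        h.update(volume[path])
        h.update(b"\0")
    return h.hexdigest()


class MirroredSite:
    """Hypothetical synchronous replica: every production write is copied immediately.

    Replication has no notion of a 'good' or 'bad' write, so an integrity attack
    on production lands in the recovery copy at the same instant.
    """

    def __init__(self, production):
        self.production = production
        self.replica = deepcopy(production)

    def write(self, path, data):
        self.production[path] = data
        self.replica[path] = data  # faithfully mirrored, corruption included


class SnapshotSite:
    """Hypothetical site keeping immutable point-in-time snapshots of production.

    Each snapshot is stored with its digest; restore succeeds only when a snapshot
    matches a digest recorded out-of-band at a known-good moment.
    """

    def __init__(self, production):
        self.production = production
        self.snapshots = []  # list of (label, digest, frozen copy)

    def write(self, path, data):
        self.production[path] = data  # snapshots are never touched by later writes

    def snapshot(self, label):
        frozen = deepcopy(self.production)
        self.snapshots.append((label, digest(frozen), frozen))

    def restore_latest_verified(self, known_good_digest):
        """Return (label, copy) of the newest snapshot whose digest matches, else None."""
        for label, d, frozen in reversed(self.snapshots):
            if d == known_good_digest:
                return label, deepcopy(frozen)
        return None


def integrity_event(site, paths, marker=b"<unreadable>"):
    """Model an integrity attack as overwriting content; no encryption is performed."""
    for p in paths:
        site.write(p, marker)


def run_scenario():
    # Constructed sample data standing in for a mission-critical application.
    baseline = {"ledger.db": b"balances-v1", "orders.csv": b"id,total\n1,10\n"}
    known_good = digest(baseline)  # assumed recorded out-of-band before the incident

    mirrored = MirroredSite(deepcopy(baseline))
    snapped = SnapshotSite(deepcopy(baseline))
    snapped.snapshot("nightly")

    # The same event hits both sites' production volumes.
    integrity_event(mirrored, list(baseline))
    integrity_event(snapped, list(baseline))

    restore = snapped.restore_latest_verified(known_good)
    return {
        "mirror_replica_intact": digest(mirrored.replica) == known_good,
        "restore_label": restore[0] if restore else None,
        "restored_digest_matches": bool(restore) and digest(restore[1]) == known_good,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running it shows the mirrored replica failing the integrity check while the snapshot site recovers from "nightly"; the asymmetry comes entirely from keeping copies that later writes cannot reach and a fingerprint against which to check them.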
Some regulatory bodies are beginning to act as well. The Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency have provided an Advanced Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards that will require organizations to substantially mitigate the risk of a disruption or failure due to a cyber event. Once this rule goes into effect, CIOs can likely expect regulatory bodies across industries to follow suit.
As digital transformation efforts progress in businesses around the world, and as technologies such as the internet of things further expand organizations' online reach, the magnitude of the ransomware challenge is expanding. The growing risk, combined with pending regulations intended to manage it and increasing expectations from customers, means ransomware is clearly not just the CIO's problem anymore.
"While born out of technology, ransomware results in business disruptions," Shubert says. "Everyone is now a stakeholder, and everyone has to understand the risks of their decisions."
Next up: The second article in this series covers steps CIOs can take to combat ransomware.