To pay, or not to pay? It isn’t really a question

Our Business Continuity series continues—this month with a real-life cautionary tale close to home.

Over the ditch, in mid-May, the Waikato District Health Board (DHB) was the victim of a ransomware attack. This ransomware attack crippled the hospital, multiple healthcare sites, their systems, medical equipment and phone services for weeks. They were back to pen and paper. Critical patient services, such as x-ray and chemotherapy, couldn’t be performed.

Let’s take a step back and remind you what ransomware is. Ransomware is a form of malware that essentially locks all your devices and demands you pay a ‘ransom’, generally an amount in bitcoin, to unlock your devices and data.

The question asked by the media to the Waikato DHB was, why don’t you simply the ransom to get everything working again. Unfortunately, it’s not that simple.

Sophos recently conducted a study around those who did pay up, with some surprising results.

The Waikato DHB was still trying to get its inpatient management tool back online nearly four weeks after the attack. What would your business look like without access to critical tools for four weeks?

What lessons can be learnt here? Disclaimer, we don’t know the ins and outs of all the attack details, as they’re not being released. But these are our top tips that (in our experience) can prevent these types of attacks from having such an impact or any impact at all.

We’ve spoken about this before, and we’ll keep talking about it because everyone isn’t doing it. Multi-factor authentication is more common than you realise. Those codes that your bank texts you when you want to make a payment? That’s MFA. When Apple texts you a code to make a change on your account? That’s MFA.

Given these large businesses are doing their best to protect you, shouldn’t you be doing the same for your data, your company’s reputation?

MFA means that when a user tries to login to a system from a different location or make some kind of foundational system change, they need to prove that they are who they say they are. You can customise your MFA levels to your business and security requirements.

With data collection, storage and privacy mandated by government laws, it’s always good to look at the data you’re collecting and storing and whether you need that data. The more information you have, the more responsible you have to be.

When you’re asking a new client to sign up, keep the data collection to what’s required. A great favourite of businesses is to send their customers a discount voucher on their birthday. Do you need the year of their birth to be able to do that? You can pull that data collection back to day and month.

Every industry has different regulations on how data is stored and for how long it needs to be stored. Most businesses don’t realise that if you are storing data on individuals, they have the right to request to see what you are keeping and that you delete this data. The onus is on you to provide this data and prove that it’s been deleted.

If you’re securing highly sensitive data, it could be worth discussing with your IT provider whether encryption needs to be part of your technology strategy.

We’re not going to say that all cybersecurity systems are infallible. Because they’re not. They’re as good as the humans that are using and managing them.

Having a robust backup strategy and regularly testing that it works is critical to your business continuity plan. We’ve seen businesses caught out by not having tested their backups, only to discover that when they really do need them, they don’t work.

As part of your business continuity plan, you should identify which systems are a priority in terms of recovery and how long you can’t survive without them. This will then define your recovery strategy.

The tale of caution continues in the real world. We briefly touched on why you shouldn’t pay the ransom.  However, the Waikato DHB story doesn’t end with systems being recovered. A month on, it’s still not yet business as usual.

Scarily, the cyber-crooks don’t always stop when you don’t pay the ransom. In the case of the Waikato DHB attack, they dumped a selection of individuals’ healthcare records online. The premise is that if the ransom wasn’t paid, they could dump more.

Your cyber-security strategy needs to align with the level of personally identifiable information you keep.

By having a good security posture, regular maintenance and audits, plus educating your users on the best cyber-security practice, you can mitigate your risks. By having a backup and recovery plan that is regularly tested, you know that your business can be back up and running as expected if the worst was to happen.

Editors note: We know that you shouldn’t trust everything you read online. What we know about the Waikato DHB attack is from what we’ve read online. We don’t know anything about their cyber-security strategy and what they had in place. We’ve made our recommendations on our real-world experiences here in Orange, and when we’ve been called in to ‘cleanup’. The Waikato DHB story just happens to be in the public domain for us to use as a cautionary tale of, when things go wrong, they can go very wrong.