By Derek Smith Jr
The technology landscape has changed dramatically in the last year, making it a constantly shifting and evolving environment. This shifting environment has tested enterprise risk management (ERM), governance structures and business continuity management strategies. Simply, no one could have precisely predicted the impact of COVID-19 on business, technology and cybersecurity. However, what remains evident is the lack of robust risk management frameworks and incident recovery plans across multiple industries, which makes them vulnerable to cyberattacks. One such attack is ransomware. It is commonly known that ransomware attacks — where criminals install tools that freeze or lock computers until a ransom is paid — are actually quite common. Ransomware attacks usually involve bitcoin or another cryptocurrency.
A former CIA case officer, now partner with the law firm Hogan Lovells, noted recently: “We are in the middle of a ransomware epidemic right now.”
A shining example of a successful ransomware attack was the Colonial Pipeline attack of May 7, 2021. The company, which claims to transport 45 percent of the fuel consumed on the East Coast of the USA through its 5,500-mile pipeline network, was held for ransom by, reportedly, DarkSide.
In my article entitled “What is in your fraud incident response plan?” I wrote: “An organization’s approach to adverse events, such as fraud, is called contingency planning (CP). During this process, both the information technology (IT) and information security (InfoSec) community’s interests are aligned to prepare for, detect, react to and recover from events that threaten the security of information resources and assets.”
It is against the aforementioned circumstances and facts that I seek to add to the conversation surrounding lessons that boards, C-suite leaders and risk management professionals should gather from the unfortunate events of the Colonial Pipeline hack.
Be clear on incident and disaster recovery
ZAG CEO Greg Gatzke recently wrote on LinkedIn: “Too many people confuse backups with disaster recovery (DR). If the company is experiencing an attack, the goal must be to get systems restored quickly and cleanly. Relying on backups can cause significant delays that can dramatically hurt the organization. Snapshots are often the best solution to recover promptly. Remember, it takes time to ensure the environment is clean of criminal activity…often more time than just failing back to a snapshot! Ensure your organization is ready for this.”
For enterprises to be resilient, they must identify and assess risks, implement risk controls and respond to risk. A comprehensive incident response plan enables organizations to respond to threats efficiently and effectively, subsequently avoiding escalation to disasters.
Clear communication plans are an asset
You must customize your plans to various target audiences, including internal customers, external customers, the media, suppliers, family members and others. Colonial Pipeline had 24-hour released statements to the media regarding the cyber breach. Throughout your risk assessments and impact analyses, you should use predefined information to construct clear and concise messages. This proactive approach sends a signal to stakeholders that you are prepared to handle a crisis.
Assess supply chain vulnerabilities
VRIO provides organizations an opportunity to identify and protect the resources and capacities that enable them to sustain their competitive advantage. Failure to test on a systematic basis the supply chain (valuable asset) can lead to inefficient approaches to incidents or disasters. Organizations must continually seek to transform their supply chains and further integrate new channels to enhance their organizational agility.
In short, do not expect cyberattacks to slow anytime soon. A study by Deep Instinct found that malware usage increased by 358 percent through 2020, and ransomware usage increased by 435 percent. The key is being prepared.
Derek Smith Jr is a Top 40 Under 40 leader; the compliance officer at Higgs & Johnson, a leading law firm in The Bahamas; and the former assistant vice president, Compliance & Money Laundering Reporting Officer (MLRO), at an international private bank. He is also a CAMS member of the Association of Certified Anti-Money Laundering Specialists (ACAMS) and an executive member of the Bahamas Association of Compliance Officers.