What lessons can we learn from the Colonial Pipeline ransomware event?
If your business falls victim to a ransomware attack or some other type of breach, how would your company handle recovery? In talks with business owners over the past couple of years, no one thinks too much about what recovering from an event looks like for them. At RealTime we hear “I’ll call you guys!” or “our insurance will handle it”, “our IT guy will deal with it.” Are these courses of action something to stake your business on? Let’s use a real world example happening now with Colonial Pipeline.
Blog: Todd Swartzman, RealTime Chief Information Security Officer
LET’S BEGIN AT THE END
Let’s go a bit out of order and focus on the end of these types of events, the recovery. After all, if your business falls victim to a ransomware attack or some other type of breach, eventually you will get to the recovery phase. In talks with business owners over the past couple of years, no one thinks too much about what recovering from an event looks like for them. At RealTime we hear “I’ll call you guys!” or “our insurance will handle it”, “our IT guy will deal with it.” Are these courses of action something to stake your business on? Let’s use a real world example happening now:
COLONIAL PIPELINE EVENT/RECOVERY FACTS
Event May 5, 2021
Took five days and there are still intermittent service interruptions happening.
Budget? Unlimited. This was a recover at all costs exercise.
Government help – there for the asking
Temporary lifting of regulations to help deliver product.
Colonial Pipeline paid $4.4 million in ransom within hours of the attack. They opted to pay the ransom because it was unsure of the extent of the breach. The hackers provided the company access to a decryption program following the payment, but Colonial Pipeline was not able to immediately restore operations with the tool.
HOW WOULD THIS COMPARE TO YOUR BUSINESS RECOVERY?
Do you have unlimited funding and is FedGov offering every assistance available to you?
Can you go 24x7 until it’s recovered? What about your primary business serving customers, who’s going to do that while all hands are on deck dealing with the current fire? If you have one IT guy, this isn’t realistic, even if they did have the requisite skills, and they probably don’t.
Do you assume you’ll only be down for a few days? Average time to recover a small business is about two weeks, but that can vary wildly.
CLOSING
CYBERSECURITY IS NOT JUST A TECHNICAL PROBLEM. IT’S A BUSINESS PROBLEM.
Use this as a lesson you can learn at someone else’s expense. Review your own controls, backups, response plans, insurance policy, and your budget to make sure that your plan is documented, understood, and most importantly is realistic.
CISA (Cybersecurity & Critical Infrastructure Agency) put out an alert on Best Practices for Preventing Business Disruption from Ransomware Attacks. And if you are curious, yes, Colonial Pipeline would be subject to adhering to CISA requirements as they are critical infrastructure.
Article link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a