In June 2017, the ransomware wave reached a remarkable peak at that time: Starting with an update of the Ukrainian control software “MeDoc”, a new type of encryption Trojan spread. This software was used by every company that had to pay taxes in Ukraine. An estimated 1 million computers were affected, including multinational corporations such as the logistics companies Maersk, Fedex and Mondelez.
The novel distribution via an actually trustworthy software update was remarkable. Previous campaigns have mostly used external channels such as phishing mails or exploit kits. The effects of NotPetya were devastating; the damage is estimated at around 1 billion dollars. Maersk, for example, suffered a large-scale IT outage and had to work completely analogously for ten days.
NotPetya illustrates the potential dangers of such attacks in the future. The optimisation of the following five areas helps to minimise the risk.
1) Strong networking with external ecosystems increases the risk
The holistic view of cybersecurity does not include only one’s own company, but all suppliers, partnerships, authorities, administrative institutions and regulators.
Even if the security precautions and processes in one’s own company are mature and under control, attackers can gain access via other channels. It is important to plan additional separations, controls and also possible perimeters in advance in order to make internal, lateral propagation more difficult from the outset. Since this and other incidents, IT security in the entire “supply chain” has become significantly more important.
2) Complete inventory and complete patch management needed
Shortly before NotPetya, WannaCry caused trouble by exploiting known operating system vulnerabilities. Despite warnings, vulnerable systems were insufficiently secured or not equipped with the available updates.
A complete overview of existing systems and software is essential for good risk and patch management. Recurring tasks such as regular security updates should be automated as far as possible. There is still potential for improvement, especially for non-standard systems. Even at the procurement stage, both suppliers and manufacturers need to be screened before isolated systems in the midst of a clean IT environment increase the risk for the entire company. Attackers specifically select the weakest link in the chain.
3) Improvement of incident and recovery plans
Working out different scenarios – also with worst-case assumptions – is an important homework in order to be able to act well at all levels in case of an emergency. Although often considered unnecessary or postponed, a ready-made action plan is invaluable for quick reactions in technical and organizational areas in the case of damage.
Quick counter-reactions can often prevent the worst from happening and are now also necessary to comply with the GDPR. Well-prepared customer communication also helps to avert long-term corporate damage.
4) High availability is good, backup is much more important
The much-noted high availability of IT systems is actually only the freestyle. A functioning backup of IT systems is the more important duty. Although many IT systems now shine with high availability facilities in case of a fundamental compromise, the only thing that helps is a more integral, trustworthy external backup of data and systems that is not affected by the current incident.
Just as important is a regular test to ensure that this backup data can be used for a complete system and data recovery within the planned time frame. Subsequent extensions and changes can become dangerous show stoppers. As with fire and evacuation drills, regular test runs should be part of the program in order to detect and correct errors early on.
5) Cyber security insurance does not always help
Anyone wishing to insure against the dangers of external risk transfer, i.e. by taking out insurance, should read the small print. The Swiss food company Mondelez was badly hit by the ransomware NotPetya and had to complain about 100 million euros in damages. However, the insurance company refused to pay the full amount, referring to the exclusion of benefits in case of “hostile or warlike actions of a government”. The legal proceedings are still ongoing – at least the fact that not every incident may be covered by a police policy should give food for thought.
Do not put off your comprehensive IT preparations lightly. Take the plans step by step, with realistic improvements to the overall situation. Because the question is no longer whether an incident occurs, but when.