Preparing for Ransomware Attacks Through Business Continuity Planning

That’ll never happen.

That’s extremely unlikely.

Planning for that is a waste of time. I’ve got more pressing projects to work on.

Have you ever said anything like that about business continuity planning? Have you ever thought those phrases but never said them out loud? At some point or another, we probably all have, but take a moment and think back to December 2019. We had just learned about a virus circulating in China that was making people severely ill. Rumors were swirling about how people became infected, and China began shutting down operations. Did you think it would make its way to the United States? Maybe you did, but did you think it would result in stay-at-home orders, the closing of businesses, mask mandates, tragedies and complete shutdowns all across the globe? Probably not.

Although we had been tracking avian flu and H1N1 (formerly known as “swine flu”) and how they spread, it had been over one hundred years since the last global pandemic of this scale. The fact of the matter is we didn’t see this one coming because it didn’t seem likely. In fact, it seemed extremely unlikely. It seemed like it would never happen. If you had those same thoughts about another global pandemic occurring, that’s understandable, but from a business standpoint, did you at least have a section in your business continuity plan for pandemics? If you didn’t, your credit union and your staff may have found yourselves in quite the conundrum in March of 2020, when everything began to shut down and only businesses deemed “essential” were allowed to keep staff working on site.

While we hope another pandemic, or anything like it, is not on the horizon anytime soon, there is another threat growing in prevalence that your credit union should be planning for, because it can cripple your operations if you don’t. That threat is ransomware.

Ransomware

In a ransomware attack, an attacker targets the information and data your credit union needs for daily operations. The attacker encrypts that data, increasingly also exfiltrates a copy of it first, and then contacts your credit union demanding that a ransom be paid within a short time frame. In return, the attacker promises to hand over the decryption key so you can regain access to your files, and to delete rather than publish whatever data was taken. Without the key, your credit union cannot read any of its encrypted files. If you refuse to pay, the attacker may follow through on the threat to release the stolen data publicly. Because the goal is to deny you the data you need to operate, your immediate response is critical.

Now, I know what you may be thinking: we’re a small credit union, so we don’t need to worry about ransomware. However, small businesses account for the majority of ransomware victims; according to the Secretary of Homeland Security, they make up 75 percent of ransomware attacks. And if you’re a larger credit union thinking you’re safe because smaller institutions tend to be the targets, you would also be incorrect. Acer, Cisco, school districts and even municipalities have been hit with ransomware attacks.

So, how do these attacks begin? Typically, with a phishing email. When an employee clicks a link (or opens an attachment) in that email, one of two things usually happens: malware is downloaded to the device, giving the attacker a foothold on your network, or the link leads to a look-alike login page that captures the employee’s username and password. That’s why one of the best ways to prevent a ransomware attack is to train your staff on security best practices; people are the link attackers exploit most often. At a minimum, train staff annually on how to judge whether an email is legitimate and how to create strong, unique passwords, and pair that training with multi-factor authentication so that a phished password alone is not enough to get in.

After ensuring your staff is properly trained, your credit union should also perform risk assessments to find your vulnerabilities so that you can plan how to address them. Knowing your weaknesses lets you direct effort at exactly those areas until they are remediated and no longer count as vulnerabilities. You should also ensure that your credit union has backups of its data because, as mentioned above, these attackers are targeting the data your credit union needs to operate.

Backups

Even if your credit union decides to pay the ransom, there is no guarantee that you will recover everything that was encrypted. And if you don’t pay, you won’t recover your data at all unless you have backed it up beforehand. Your credit union should also back up its data frequently. How often is driven by how much data you can afford to lose before the loss becomes detrimental to operations, in other words your recovery point objective (RPO). That window can range from minutes for transaction records to months for static data that rarely changes, and you can employ different backup types and schedules for each. Where you store backups matters as much as how often you take them. Does your credit union back up on site, to cloud storage, or to a hybrid of the two?

It’s becoming more common to use a cloud service as a secondary backup because it gives you a second avenue of recovery should your on-site backups be unusable. Testing your backups periodically is equally crucial. Testing verifies not only that the backup job runs, but that you can actually restore the data, and it tells you how long a restore takes, which is a critical input when deciding whether or not to pay a ransom. Whichever form of backup your credit union uses, it is imperative that it be secured. Attackers know that intact backups let you refuse to pay, so they deliberately look for backups reachable from the compromised network and encrypt or delete them. Keep at least one copy offline or on immutable storage, protected by credentials separate from your everyday administrator accounts, so that a compromise of the production network cannot take the backups with it. After training your staff and ensuring your data is backed up, you need to make sure that a ransomware attack is included in your business continuity plans.

Business Continuity Plan/Disaster Recovery Plan/Incident Response Plan

Ransomware attacks are a growing problem for businesses of all sizes, which is why ransomware needs to be addressed in your business continuity, disaster recovery and incident response plans.

When, not if, one of these attacks occurs, your credit union needs to be able to respond immediately. You need to know the answers to questions like:

  • Will we pay the ransom? If so, what form of currency do we have available to pay it?
  • Who should we report this to? The local authorities? The FBI?
  • How will we inform our members?
  • Who will inform our members?
  • How will we respond to the press?
  • Who will respond to questions from the press?
  • What’s our downtime going to be?

Your credit union needs to decide ahead of time whether you are prepared to pay a ransom. Demands are usually made in cryptocurrency, often bitcoin, so if you plan to pay, you need a way to obtain and send that currency on short notice. If you’re not going to pay, which is the path the FBI recommends because there is no guarantee that you’ll recover all your data and paying marks your credit union as a target for repeat attacks, then you need to be sure you can reach your backups and resume operations as quickly as possible. Either way, involve legal counsel early, since a payment to a sanctioned group can itself be prohibited. Your plan should also list the parties that need to be notified and who will notify them. Plan on informing local authorities and the FBI, as well as your regulators and your insurance company.

Your credit union also needs to be well-equipped to inform members about the attack. Have a prepared statement, a designated spokesperson and a chosen platform ready in advance. The last thing you want is to be drafting a statement, picking a platform (email, text, social media, etc.) and choosing who will release it while also dealing with the attack. It’s recommended that you also prepare a few responses to the questions members are most likely to ask.

Additionally, consider your reputation afterward. It’s highly likely that local news organizations will learn about the attack and report on it. Decide in advance who will talk to the press and what they’ll say, and prepare responses to likely questions, so that you can shape the narrative about the attack as favorably as the facts allow.

After a ransomware attack, the average downtime is nearly a month. Take a second to imagine not being able to serve your members for an entire month. The likelihood of them finding another financial institution within that time frame is high. It’s vital to estimate how long your credit union will be down before you can begin serving members again. Does your staff need to access a backup system in order to serve members? If so, include that information, along with how staff will log in to it, in your plan. Does your credit union use continuous data protection (CDP), which backs up every change as it happens? If so, your downtime could be minutes rather than hours. Keep in mind, though, that continuous replication faithfully copies the attacker’s encrypted writes too, so depending on the attack this method can be rendered useless and you may have to fall back on point-in-time backups stored off site.

Also factor in how often your data is backed up and where it is stored when estimating downtime. You need to confirm that your backup data was not affected by the attack, so include backup verification time in your recovery estimate. Other things to consider are any compliance or regulatory requirements that must be addressed before you can use your backup data, and how long it will take your IT department to make sure no trace of the malware or the attacker remains in your systems. Better-protected and more frequent backups can mean shorter downtime, but all of this should be written into your plans.

These are all topics and questions that should be addressed thoroughly in your plans to make sure you’re as prepared as possible for an attack.

Testing Your Business Continuity Plan

Once you’ve written your plan, train your staff on it. They need to know what their role is, if any, how to perform it and where the plan is kept. After your staff is trained, test the plan. It should name the staff members with dedicated roles in the event of a ransomware attack, along with a succession plan for each of them. Gather those staff members and run through a test scenario.

While you’re testing it, make sure that:

  • Your backup process works the way it should.
  • The correct files were backed up, given when the backup was taken.
  • You can retrieve the backed-up files within the expected time frame, as this feeds your downtime estimate.
  • You meet the downtime estimate you set.
  • Your staff fully understand their roles and how to carry them out.
  • You note any hiccups you didn’t plan for.
  • You note any missing information that needs to be added to the plans.

If any of the above items don’t hold or something didn’t work, update your plans and test again. Keep testing, both the plan and your staff, because you can never know when a ransomware attack will occur. By doing so, you are making sure your credit union is prepared for an attack when it happens. Your staff, members and community are counting on you to be ready.
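The backup advice in the Backups section (back up often enough to meet your data-loss window, keep a copy the attacker cannot reach, and test that you can actually restore and how long it takes) and the first four items of the test checklist above come down to the same handful of checks. The script below is an added example, not code from the original article or from Vizo Financial: it hashes every file into a manifest that is meant to be kept apart from the backup, verifies a backup copy against that manifest, flags a backup that is older than the recovery point objective, and times a restore against the recovery time objective. The sample files, the 15-minute RPO and the 60-second RTO are constructed assumptions for illustration; the attacker step simply overwrites one backup file with random bytes and deletes another to stand in for a backup share that ransomware reached.

```python
"""Backup restore drill: integrity check, RPO check and timed restore (RTO).

Added example, not code from the original article. It builds a small
constructed data set in a temporary directory; the file names, the
15-minute RPO and the 60-second RTO are assumptions for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def file_sha256(path):
    """Hash a file in chunks so large backup sets need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(source, manifest_path):
    """Record a hash of every file under `source` and the time the backup was taken.

    Keep the manifest apart from the backup itself (offline or on write-once
    storage) so an attacker who reaches the backup share cannot quietly
    rewrite the hashes to match the encrypted files.
    """
    files = {str(p.relative_to(source)): file_sha256(p)
             for p in sorted(source.rglob("*")) if p.is_file()}
    data = {"taken_at": time.time(), "files": files}
    manifest_path.write_text(json.dumps(data))
    return data


def verify_backup(backup_dir, manifest_path):
    """Return the files missing from the backup or no longer matching the manifest.

    An empty list means the copy is intact.
    """
    data = json.loads(manifest_path.read_text())
    problems = []
    for rel, expected in data["files"].items():
        candidate = backup_dir / rel
        if not candidate.is_file():
            problems.append("missing: " + rel)
        elif file_sha256(candidate) != expected:
            problems.append("modified: " + rel)
    return problems


def rpo_exceeded(taken_at, rpo_seconds, now):
    """True if the newest backup is older than the data-loss window we accept."""
    return now - taken_at > rpo_seconds


def timed_restore(backup_dir, target_dir, rto_seconds):
    """Copy the backup into place and report elapsed seconds against the RTO."""
    start = time.monotonic()
    shutil.copytree(backup_dir, target_dir, dirs_exist_ok=True)
    elapsed = time.monotonic() - start
    return elapsed, elapsed <= rto_seconds


def run_drill(rpo_seconds=15 * 60, rto_seconds=60):
    """Walk through one drill on constructed sample data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, backup, restore = root / "live", root / "backup", root / "restore"
        manifest = root / "manifest.json"  # assumed to live off the backup share

        # Constructed sample data standing in for core-system exports.
        live.mkdir()
        (live / "ledger.csv").write_text("acct,balance\n1001,250.00\n1002,1300.50\n")
        (live / "members.csv").write_text("id,name\n1,Jane Doe\n2,John Roe\n")

        taken = write_manifest(live, manifest)
        shutil.copytree(live, backup)

        # 1. The backup process works and the right files were captured.
        clean = verify_backup(backup, manifest)

        # 2. A restore completes within the RTO and the restored copy matches.
        elapsed, within_rto = timed_restore(backup, restore, rto_seconds)
        restored_ok = verify_backup(restore, manifest) == []

        # 3. Simulate the attacker reaching the backup share: one file is
        #    overwritten with ciphertext-like bytes, another is deleted outright.
        (backup / "ledger.csv").write_bytes(os.urandom(64))
        (backup / "members.csv").unlink()
        tampered = verify_backup(backup, manifest)

        # 4. RPO: a 5-minute-old backup is acceptable, an hour-old one is not.
        fresh = rpo_exceeded(taken["taken_at"], rpo_seconds, taken["taken_at"] + 300)
        stale = rpo_exceeded(taken["taken_at"], rpo_seconds, taken["taken_at"] + 3600)

        return {
            "clean_backup": clean,
            "restore_seconds": elapsed,
            "within_rto": within_rto,
            "restored_matches": restored_ok,
            "tampered_backup": tampered,
            "rpo_exceeded_fresh": fresh,
            "rpo_exceeded_stale": stale,
        }


if __name__ == "__main__":
    for key, value in run_drill().items():
        print(f"{key}: {value}")
```

Two design points are worth carrying into a real drill. The manifest is the thing that lets you prove a backup is intact rather than merely present, so it has to be stored where the attacker cannot reach it with the same credentials that reach the backup. And the restore is timed from a cold copy, because the number that belongs in your downtime estimate is how long a full restore takes under realistic conditions, not how long the backup job takes to run.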


Mark Clarke works as the business continuity administrator for Vizo Financial Corporate Credit Union. In this role, Mr. Clarke supports the performance of business continuity planning, business impact analysis and business continuity training for the Corporate and the credit union industry. Mr. Clarke also delivers tailored consulting services for credit unions, assisting them with their specific business continuity needs.