The coronavirus crisis forced organisations around the world to rethink how they do business. For many, this meant establishing a new remote workforce. While the migration to a remote workforce was accelerated by the pandemic, remote working may well be here to stay.

This new way of working has created a host of new challenges for organisations, caught at different stages of preparedness for the changes. Some firms had already embraced the benefits of a modern, distributed workforce, with their systems designed and refined over a long period to gain the right balance of security, business continuity and flexibility.

But there are many others that were only semi-prepared, or not prepared at all, for a wholescale move to remote working.

This has prompted panic buying and building of systems that have inadvertently left users vulnerable to cyber-attack as the urgency to enable remote working has seen organisations either relaxing security or making misconfigurations with their new set-up.

The move to remote working is a perfect storm of adapting to new ways of working, overwhelmed IT departments and increasingly sophisticated cybercriminals

Alongside this, businesses face the challenge of managing a remote IT team and securing the data now stored in disparate locations. Both traffic patterns and application usages have changed, and systems are being used in ways for which they were not designed.

The problem is exacerbated by the employees themselves and the exceptional nature of remote working during a pandemic. Not only is security likely to be far down the list of workers’ priorities in these testing times, but cybercriminals are further preying on peoples’ concerns over the crisis by launching “fearware" attacks, such as phishing scams.

It may come as no surprise then that almost a quarter of security professionals say cybersecurity incidents at their organisation have increased since transitioning to remote work, with some tracking as many as double the number of incidents. Despite this, 47 per cent say they have been taken off some or all their typical security duties to assist with other IT-related tasks, such as equipping a mobile workforce, also leaving their organisation more susceptible to attack.

Ransomware on the rise 

Remote working also increases the attack vectors for ransomware, which is a type of malicious attack where a criminal encrypts sensitive files, then threatens to publish them, unless the victim pays a ransom. Some reports show ransomware attacks have soared by 25 percent during COVID-19 crisis, with financial services, healthcare and manufacturing the hardest hit sectors.

Moreover, the sum being demanded by attackers reportedly increased by 140 per cent in 2019, compared to 2018, with 57 percent of victimised organisations deciding to pay the ransom. Out of these, only 66 per cent were able to get their data back.

The financial and reputational damage associated with cyber-attack, data loss or IT downtime can be disastrous for any business. Even without the ransomware payout, it is estimated that cyberattacks now cost businesses of all sizes an average of $200,000 (£160,000), not a sum most organisations can easily afford to pay and certainly not at the current time.

We talk a lot about not paying the bad guys, because you should never be in a position where you should have to. Your data should be protected on a platform which can’t be compromised and can deliver it back to you whenever you need it. This makes it more vital than ever to have watertight disaster recovery in place.

New risk profile

Most organisations’ operations should be under review for the “new normal”. The environment has changed dramatically and a fresh, all-encompassing risk profile needs to be measured and remediated.

Firms need to assess their current set-up and assess which elements are critical. They may look at using off-site resources, including cloud-based services, that are geographically separated and thus immune to a localised disaster.

However, no matter how well conceived a disaster recovery plan might be on paper, it needs to be tested. Firms are likely to attempt to find a balance between testing and the business disruption this can entail, and maintaining everyday operations. Regardless, they should be reviewing the efficiency and resiliency of their organisation, asking “Is my technology in the right location?” “Do I have enough workloads in the cloud?” “Do I have too many?” And crucially “How long will it take to get my data and do something with it?”

Minimising the amount of time it takes to get back to work is vital and no business can afford the complex and time-consuming method of recovery associated with legacy back-up solutions. This includes relying on tape back-ups; not only is tape too slow for today’s speed of business, but such back-ups are also of little use when located in datacentres that are inaccessible with lockdown in place.

Organisations need a technology which can provide all the benefits of tape, but allows you to recover your data in minutes rather than hours and days. Your data needs to sit on a system which is easily accessible, but can never be compromised. Whatever your data is stored on must be immutable.

The move to remote working is a perfect storm of adapting to new ways of working, overwhelmed IT departments and increasingly sophisticated cybercriminals. It has, therefore, never been more important to have a holistic disaster recovery strategy in place to ensure business as normal, even in extraordinary times.

Data recovery is a challenge that can be traced to the advent of modern computing, when Ada Lovelace and Charles Babbage attempted to repair a damaged punch card for their Analytical Engine, the first attempt at computed data recovery. Lovelace and Babbage's attempt failed, but the principles behind it hold strong: with practically every business depending on data, the ability to back up, recover and restore are absolutely essential to ensure operating at all. 

Failure to do so is disastrous. Days before Christmas last year, American telemarketing business The Heritage Company was forced to shut shop following a ransomware attack. Its chief executive confessed to employees that they paid a ransom, but the overall costs ran into the hundreds of thousands and the business could no longer stay afloat.

This small Arkansas firm was in good company.  According to a Malwarebytes State of Ransomware report, a fifth of SMEs that suffered the attacks closed down completely.  

Large enterprises might feel better placed to weather the storm, but hubris leads to downfall and sheer heft offers only minimal protection. Take Danish shipping conglomerate Maersk, which was upended by the devastating NotPetya ransomware that slithered through systems globally in 2017. The attack cost Maersk hundreds of millions of dollars and it had to reinstall 4,000 servers, no small task.

Categorising ransomware as an existential risk for businesses is no hyperbole, but suffering an attack needn't be a death knell. 

Peace of mind

For hackers, who automate their carefully crafted and often-convincing email attacks, ransomware is a no-brainer: it's low effort and high reward. They prefer exploiting human psychology over gaps in technical systems; a single employee clicking a fraudulent message is all that's required for an attack to take hold. This was almost the case for the Australia-based manufacturer Langs Building Supplies, when one member of staff clicked an email that subsequently infected a production file server with CryptoLocker. However, within ten minutes of the incident, IT staff were alerted and only 15,000, compared to potentially millions, of files had been encrypted. 

Matthew Day, ICT and support manager at the Queensland firm, was able to use Rubrik to isolate the affected virtual desktop infrastructure, or VDI, preventing the spread from moving laterally through the company. "We were able to write a script to restore files back to the VM [virtual machine] from the latest version of the file because of our back-up,” says Day. "We had all our files back to the file server in approximately one hour, no damage done."

Turning over the cash might as well paint a target on your back

The added benefit was in securing serious peace of mind, not complacency, knowing that should the worst happen, the organisation is able to move swiftly and ultimately is protected. 

Having a back-up is essential. WellData consultant James Newton-Brady worked with a company this year that did get back up and running, but without off-site back-ups, data segregation and isolation policies in effect, it returned to business in a week and a half, which is serious downtime in today's world.

"A simple thing to put in place cost them quite a lot," says Newton-Brady, adding that the incident led to the loss of invoices, with the company having spent tens of thousands of pounds they could no longer invoice customers for. "They got through it, but it was a big lesson learnt and a real shot across the bow: the risk that can pose,” he says.

Blackmail at scale

Secondary effects can have even wider repercussions. The intertwined nature of the digital economy means it's not just your organisation's data that's at risk, but your customers' data too. Professor Alan Woodward of the University of Surrey likens complacency to deciding to self-insure your car: you may be prepared to accept the risks to your person, but an accident on the road often involves others.

Despite the threats posed, the potentially disastrous effects can be difficult to communicate at board level and must be translated into terms that resonate, says Newton-Brady. 

This is crucial because attackers are getting smarter, moving on from simply encrypting files into data theft, adding another prong to the blackmail.

Paying is not an option, Woodward says, as there's no guarantee files will be retrieved and turning over the cash might as well paint a target on your back, flagging an organisation as one worth putting on lists of payers that are circulated in the digital underworld. 

Cybersecurity has a tendency to be overlooked until it is too late. It is important to have a plan in place in the event of an attack and outline the necessary steps to reduce the risks such as data loss or downtime.

"I'm sure corporate executives do take it seriously, but in the pandemonium of running a business, it's not always upper most in their mind," says Woodward. "It's vital that somehow, culturally, the board owns the problem and it's not just seen as an IT issue. 

"Too much of security is sold on fear and uncertainty and doubt, but you do have to say to chief executives and board members: ‘Look, if this were to happen to us, there's a very real risk that we wouldn't be in business in 18 months' time, unless we make the appropriate preparations, unless we get the advice and unless we make sure we're properly protected’."

Business continuity and disaster recovery has come under the spotlight with the current health crisis. It has underlined that organisations need to have plans in place that can cater for a wide range of disruption. Although IT systems and data are often the most critical component of many businesses, the process needs to be holistic and consider employees and partners within any plan. Here are five key steps…

Step 1

The first step should be an audit of the business to simply catalogue all parts of an organisation – the physical, digital, processes and people – and how they are connected. This might sound simple, but one of the reasons business continuity fails is that a critical component is overlooked and not included in a seemingly well-thought-out recovery strategy.

Step 2

The audit will feed into a risk assessment. This includes evaluating the exposure to certain types of event such as loss of a datacentre, office location or distribution point through fire, flood or power outage. Increasingly, cyber-attacks must be included in the assessment for their ability to compromise data or take entire systems offline. Risk assessment is critical and should be done on a regular basis as an organisation evolves.

Step 3

Risk assessment is the fuel that powers a business impact analysis (BIA). According to Gartner: “A BIA is the process of determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption.” In this phase, organisations can start to define recovery time objectives (RTOs) and recovery point objectives (RPOs), which are then used across both IT systems such as critical applications and physical processes, like access to a location or even staff availability.

Step 4

Armed with a risk assessment and BIA, organisations can now start building a business continuity plan. Looking at the IT side, this means working out how software applications, data and communication, including voice and data, are protected against disruption. And in the event of a failure, from what point can these systems be restored (RPO) and how quickly it can take place (RTO). For many organisations, this means taking digital back-ups of data sets, and even entire applications servers, and placing these in a separate location geographically away from their datacentres. The cloud is increasingly the most common way of ensuring this separation, with the benefit of allowing applications to be restored and run from public clouds if needed. Every element from the risk assessment and BIA will need to be checked off the list and this should include loss of local and wide-area networking, closure of some or all physical locations due to health reasons, loss of power and various failure scenarios. It is worth bringing in department heads at this stage as they will often spot missing areas of coverage and also as a sanity check.

Step 5

Enacting a business continuity plan is different for each company and can range from simply backing up critical files and applications each night to fully active or active datacentres that can take over all tasks in the event of a failure at either location. However, all plans are for nought until you test the reality. Testing should be conducted at both a people and process level and for a technical enablement on a regular basis. This phase will highlight where there are weaknesses and allow for refinements to be made to the plan. Testing and maintenance should be carried out on a regular basis, with yearly tests and adjustments being the minimum, but also after any major IT change or business shift such as an acquisition or merger.