Live on the Infosecurity Magazine stand (#4222) at RSA 2017 at the Moscone Center in San Francisco, Infosecurity Magazine interviewed Andrew Hay, CISO at Data Gravity.
Infosecurity Magazine: You joined Infosecurity on a webinar a few weeks ago where we were talking about the impact of ransomware and how to defend against it, and one of the themes that came up was the importance of having a ransomware plan in place before you are hit. Could you share a few thoughts on why having a plan is so vital?
Andrew Hay: You never want to be caught flatfooted. We’ve been saying for years, or decades, that backups are extremely important, but it’s not enough just to take a backup. You have to test the restoration of that backup, and the last thing you want is to be doing that test in the midst of an outbreak or in a recovery incident, so you need to make sure you’re constantly backing up your data, restoring your data, and ensuring that whole lifecycle works over and over again so you know what’s going to happen if something does go horribly wrong. With ransomware, you can do everything you want to prepare for the greatest APT in the world, or some motivated attacker – but if you still can’t recover from getting that initial infection then you’re going to be in a whole world of hurt. Mike Tyson said it best: Everyone has a plan until they get punched in the mouth!
Infosecurity Magazine: So is it safe to say that you really can’t expect your data to survive a ransomware attack without having that pre-made plan in the first place?
Andrew Hay: I think that’s the case with any type of incident, whether it’s insider threat, motivated attackers, or even someone who just deleted something by mistake. Having a plan is definitely a requirement for doing business.
Infosecurity Magazine: What are the key things that make a good ransomware plan?
Andrew Hay: It’s a combination of things. The main thing you need to do is draft a plan and then solicit feedback from the people who are actually doing the recovery. You never want to sit in an ivory tower and say ‘this is how I deem we are going to recover’, you need to make sure that the people who have their boots on the ground dealing and responding to ransomware are involved in the planning, so they can say ‘yes that makes sense or no we can never do that'. Also Legal, because there may be a time when you get to a certain threshold of pain and you have to pay the ransom or risk the loss of your business.
Infosecurity Magazine: You mention paying the ransom, we hear a lot of advice telling us not to pay if we can, but it obviously happens, what do you think goes through the minds of companies when they are hit with regards to making the decision of whether to pay or not?
Andrew Hay: I think they really go through the seven stages of grief. There’s that initial questioning of why the attack happened, and then they get very angry and start saying ‘we should have been protected against this’; they’re spending all of this time trying to understand how it happened whilst still balancing how to fix it. There are a lot of people who, when hit by a ransomware attack, spend a lot of time looking in the rear-view mirror the entire time, for weeks or months to come – it’s akin to burning your hand on the stove. You do it once, and you do your best to avoid having it happen again. Unfortunately, a lot of organizations sit back and say ‘it’s never happened to us so we don’t need to worry about it’, until it does.
Infosecurity Magazine: Lastly, what’s your gut feeling about what we are going to see next with regards to ransomware as we head into the future?
Andrew Hay: I don’t know if this will happen in 2017, but I think it’s going to happen at some point. If you look at historical kidnap and ransom schemes and the progression of how they escalate, it’s not just about money, sometimes it’s ‘you go do something for me and I’ll make sure you get your loved ones back’, and we’ve seen that already with people saying if you share this ransomware with two people and they pay we’ll make sure you get your files back. It’s a small step towards saying ‘go get me your company’s highly-sensitive data’ because I want that and I want to sell it – and if you do that we’ll make sure you get all of your information back. So I think we’re definitely going to get into that and see an escalation of the consequences of not paying in 2017, and I can also see that physical harm could also become an element of regaining your data.