For this week’s “In the News”, research a recent article that relates how an organization benefited from its business continuity program, or suffered due to the lack of an adequate program. What are the key lessons learned from the article?
Comments
Mei X Wang says
According to a new study by the Neustar International Security Council (NISC), 60% of organizations would consider paying the extortion demand from ransomware attacks. Recently, JBS confirmed they paid their extorters $11bn to bring their systems back online. Colonial Pipeline paid $4.4 billion to bring their pipeline back online; thankfully, the US Department of Justice was able to recover the majority of the funds paid.
The debate about whether or not a ransomware demand should be paid is still in the air. About 80% of respondents wish to defend against these ransomware attacks and 69% see ransomware as a growing concern. However, 26% of respondents view their own technology and planning as somewhat or very insufficient. These organizations need a deployable, maintainable disaster recovery and business continuity plan. If they had used the funds they paid the extorters to set up the process, they could have avoided the attacks or mitigated them internally.
Rodney Joffe, NISC Chairman, SVP, and fellow at Neustar, commented: “Companies must unite in not paying ransoms. Attackers will continue to increase their demands for ever-larger ransom amounts, especially if they see that companies are willing to pay. The alternative to paying the ransom is having organizations proactively invest in solutions to these attacks, to be ‘always-on’ monitoring, filtering traffic, and using layered security approaches.”
https://www.infosecurity-magazine.com/news/businesses-consider-paying-ransom/
Vincent Piacentino says
Hi Mei!
Great post and link pertaining to Ransomware!
Hackers leverage the fact that companies sometimes find it easier to just pay the ransom. Most argue that this only fuels the attacks and doesn’t guarantee that victims get their data back. Considering a company like JBS, the millions were small change. They could not afford to be down at all. Funny thing is, they only halted the pipeline because they couldn’t bill customers because of the breach. Greed is evil!
Mei X Wang says
Thanks, Vincent! I didn’t know that was the reasoning for the Colonial Pipeline. It’s insane how capitalism works in the United States.
Many organizations refuse to pay for business continuity and disaster recovery planning. However, if they can afford to pay $11 billion to bring a system online, they could’ve used the funds to establish a whole framework that can be used repeatedly. BCDRP is similar to insurance: we hope we don’t need it, but when we do, it’s a lifesaver!
Jerry Butler says
Wow!
It is interesting to know that 60% of organizations would consider paying the extortion demand from ransomware attacks. Broadly speaking, it costs much less to invest in a resilient IT infrastructure.
Vanessa Marin says
Never have organizations had to pivot their business models and reconsider their business strategy from the bottom up more than since the Covid-19 pandemic. Even the 9/11 terrorist attacks didn’t cause as much technological disruption!
One company has taken the bull by the horns and really come out resilient on the other side. They experienced growth due to their pivoting abilities and quick response in assessing their business, their risks, and their gaps, and in updating AND enforcing their policies, particularly their Business Continuity Policy.
Abris Capital Partners, a private equity investor in Central Europe, has thrived during the pandemic, where they “designed and implemented sophisticated health protection procedures for all employees, polished and developed existing Business Continuity Plans, and trained portfolio companies in crisis communication”.
The 2019 ESG Report published by Abris prioritized “sustainability, ethical stewardship and ESG disclosure, corporate governance”. Before the pandemic hit, Abris’ portfolio companies were tasked to develop BCP plans whose key focus was to secure adequate crisis management, liquidity and supply chain contingency planning. When the crisis hit in 2020, Abris management was prepared to respond overnight. Crisis teams were formed and decision makers were able to react immediately. With measures to protect human capital financially and medically in place, liquidity protected by pre-emptive agreements with bank facilities, and a pre-emptive guaranteed increase of raw materials stock or alternative suppliers identified, Abris surpassed the challenges of 2020 with minimal negative impact to its workforce and market share. During the pandemic, Abris even launched projects supporting the community and healthcare infrastructure. They provided hygiene products and medical equipment to the community.
An excellent closing statement in their report says: “The Abris team regards this current crisis as an opportunity to stress test all portfolio business models, proactively looking for new opportunities to modify and strengthen our investments. Learning from each experience is an essential element of the firm’s philosophy and approach to business. Therefore, a comprehensive review process has been conducted and transformed into strategy enhancements for several portfolio companies.”
This makes this company an example of a successful execution of business continuity plans. Key takeaways include: planning and preparation, forward thinking and quick reaction, maintaining updated governance, constantly searching your threat landscape for new threats and ways to be prepared, and training your staff to expect the unexpected.
FYI – ESG = Environmental, social and governance investing is a form of sustainable investing that considers an investment’s financial returns and its overall impact. An investment’s ESG score measures the sustainability of an investment in three specific categories: environmental, social and corporate governance. –nerdwallet.com
I strongly recommend that you read the nerdwallet article prior to delving into the Abris ESG report. It helps set the foundation for the reason Abris adopted the strategy and explains a lot of the terminology in all the articles.
Resources:
https://www.privateequitywire.co.uk/2021/06/28/302494/abris-capital-sets-out-new-approach-delivering-sustainable-returns
https://www.nerdwallet.com/article/investing/esg-investing
https://abris-capital.com/wp-content/uploads/2020/08/ABRIS-ESG-Report-2019.pdf
Vincent Piacentino says
Hi Vanessa!
Great post and links!
ESG is something I have never heard of and it is a cool and interesting concept. I hope in the near future, organizations will consider adopting this philosophy. I am reading the Nerd Wallet article now…
Jerry Butler says
Vanessa, this is a very insightful post.
I would like to add that during the pandemic, first-moving companies reviewed and tightened their remote access setup because many employees turned to working from home. Attacks via remote access increased, and breaches affected companies that were not ready or had poorly implemented remote access technology.
Krish Damany says
In the Philippines, an end-to-end digital solution, ePLDT, has empowered BCP and DRP solutions in the Visayas region. They use the most up-to-date technologies to serve all sorts of businesses with colocation, cloud hosting, disaster recovery, managed servers, and security and network services. While they are used to help smaller organizations create robust BCPs, their location can also serve as an alternative physical location that the organization is allowed to use while the BCP and DRP go into effect. This effort was helped and driven by the pandemic, as most workers were using remote solutions. The recovery facility is also built in a way that would mitigate the risk of failure, with a capacity of 100 seats, 20 meters above sea level, and seismic zone compliance level 4, while also allowing any telephone company to temporarily install network connections based on the company’s needs. Hopefully, this type of effort can expand to other areas around the world to help lower the strain on organizations that use their services and facilities.
https://ph.news.yahoo.com/epldt-empowers-disaster-resiliency-enterprises-120600306.html
Vincent Piacentino says
Great post and story, Krish!
That is a really cool solution and definitely should be implemented around the world. This would be a valuable asset to standardize around the world.
Amelia Safirstein says
This is a great solution. Smaller organizations that would struggle to set up a BCP and DRP on their own are definitely more likely to set up these plans with this available.
Vincent Piacentino says
FireEye Breach and Response
Last December, cybersecurity company FireEye was breached. Scary, right? This shows the skeptics that ANYONE can be hacked! Who was responsible? Russia’s SVR foreign intelligence service, aka APT29 or Cozy Bear, stole FireEye’s “Red Team Toolkit” and also sought information related to FireEye’s government customers.
Without skipping a beat, FireEye quickly responded with transparency to deal with what could have been devastating consequences for clients and their own reputation. In response to the theft, and not knowing if the tools would be used or publicly exposed, FireEye released hundreds of countermeasures to combat their tools if used in the wild. Also, most of these tools were already available via tools like Metasploit; FireEye tweaks existing tools to evade detection. FireEye should be commended for their disclosure and collaboration with the security community after this breach.
Key lessons learned: Assume breach! – Never think you are “unhackable” – is that a word? Supply chain attacks and Ransomware are the latest thing. Organizations must be vigilant and employ a comprehensive evaluation and “lockdown” of third-party vendors and hold them financially accountable.
https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html
https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html
Mei X Wang says
Hi Vincent, great summary about the FireEye breach. Haha, how do you protect the protectors! They did a great save on their reputation by being completely transparent. By doing so, they were able to still retain customer confidence and can also spin off existing tools to potentially increase their market share! Bad publicity CAN become good publicity when the cards are played right.
Krish Damany says
FireEye certainly did a great job bouncing back and regaining trust, to the point where their negative news is fairly quiet. On the flip side, SolarWinds has become a dirty word in the world of security, due to their inability to problem-solve efficiently.
Amelia Safirstein says
A trucking company was hit with a ransomware attack. Fortunately, they had backups of all of their data and a business continuity plan in place so that very little operational time was lost due to the attack. Instead of having to worry about how to get their business up and running again, they could focus on forensics and any confidentiality issues that could arise.
https://www.freightwaves.com/news/why-a-trucking-company-called-a-lawyer-minutes-after-a-ransomware-attack
Jerry Butler says
Amelia,
This is a great example of a company that has prepared for system failure. They were able to get operations back up after being hacked. However, some companies don’t recover and end up paying a ransom to hackers, like the case of the power plant in Texas.
Amelia Safirstein says
This is a great point, Jerry. Many organizations (especially smaller ones) have an “it won’t happen to us” or “we’re too small for hackers to target us” mentality. They don’t prepare for attacks like ransomware attacks, and they find themselves in a position where they either shut down and close their doors or pay the ransom.
Jerry Butler says
Top 5 Business Continuity Planning Failures:
We’ve all heard stories of businesses that have lost thousands of dollars due to a disaster. Although we hear the horror stories, most of us are guilty of thinking that it can’t happen to us. Each year, over 75 percent of companies experience an outage, and only 13 percent of those outages were the result of natural disasters[1], meaning 87 percent of incidents are caused by something other than a natural disaster. Even with more than $26.5 billion in revenue lost each year from IT downtime – that is $150,000 per business[2] – 56% of enterprises in North America still don’t have a good disaster recovery plan.
Disasters – human or natural – cause more businesses to lose money each and every year, and in some cases, to never re-open. It’s alarming that 25 percent of businesses do not re-open after a major disaster.
You want to make sure that your business continuity planning approach is rock-solid and covers all aspects of your business. Check out the five common business continuity planning misses and how you can avoid these common mistakes in your disaster recovery planning.
https://www.appliedi.net/blog/business-continuity-planning-failures/