DEREK SMITH: Pipeline ransomware attack exposes threat to Bahamas


Derek Smith

The technology landscape has changed dramatically in the last year, making it a constantly shifting and evolving environment. This has tested enterprise risk management (ERM), governance structures and business continuity management strategies like never before. No one could have predicted the impact COVID-19 has had on business, technology and cyber security. What remains evident is that multiple industries lack robust risk management and incident recovery plans, which makes them vulnerable to cyber attacks.

One form of attack is ransomware. These attacks, where criminals install tools that freeze or lock computers until a ransom is paid, are actually quite common. Ransomware attacks usually involve ransom payments being made in bitcoin or another cryptocurrency. A former CIA case officer, now a partner with the US-based law firm Hogan Lovells, said recently: “We are in the middle of a ransomware epidemic right now.”

A perfect example of a successful ransomware attack was the Colonial Pipeline incident on May 7, 2021. The company, which purports to transport 45 percent of the fuel consumed on the US east coast through its 5,500-mile pipeline network, was held for ransom by a group called DarkSide.

In a previous article, entitled What is in your fraud incident response plan, I wrote: “An organisation’s approach to adverse events, such as fraud, is called contingency planning. During this process, both the information technology (IT) and information security community’s interests are aligned to prepare for, detect, react to and recover from events that threaten the security of information resources and assets.”

It is against the aforementioned circumstances and facts that I seek to add to the conversation surrounding the lessons that boards, chief executives and risk management professionals should draw from the Colonial Pipeline hack.

Be clear on incident and disaster recovery

ZAG chief executive, Greg Gatzke, recently wrote on LinkedIn: “Too many people confuse back-ups with disaster recovery. If the company is experiencing an attack, the goal must be to get systems restored quickly and cleanly.

“Relying on back-ups can cause significant delays that can dramatically hurt the organisation. Snapshots are often the best solution to recover promptly. Remember, it takes time to ensure the environment is clean of criminal activity … often more time than just falling back to a snapshot. Ensure your organisation is ready for this.”

For companies to be resilient, they must identify and assess risks, implement risk controls and respond to risk. A comprehensive incident response plan enables companies to respond to threats efficiently and effectively, preventing them from escalating into disasters.

Clear communication plans are an asset

You must customise your plans to various target audiences, including internal customers, external customers, the media, suppliers, family members and others. Colonial Pipeline, within 24 hours, released statements to the media regarding the cyber breach. Throughout your risk assessments and impact analyses, you should use pre-defined information to construct clear and concise messages. This proactive approach sends a signal to stakeholders that you are prepared to handle a crisis.

Assess supply chain vulnerabilities

VRIO, which stands for value, rarity, imitability and organisation, provides companies with an opportunity to identify and protect the resources and capacities that enable them to sustain their competitive advantage. Failure to test the supply chain (a valuable asset) on a systematic basis can lead to inefficient approaches to incidents or disasters. Companies must continually seek to transform their supply chains and further integrate new channels to enhance their agility.

Conclusion

Do not expect cyber attacks to slow any time soon. A study by Deep Instinct found that malware usage increased by 358 percent through 2020, and ransomware usage increased by 435 percent. The key is being prepared.

NB: Derek Smith Jr is a compliance officer at a leading law firm in The Bahamas, and a former assistant vice-president, compliance and money laundering reporting officer (MLRO), at a local private bank. His professional career started at a ‘Big Four’ accounting firm and has spanned more than 15 years, including business risk management, compliance, internal audit, external audit and other accounting services. He is also a CAMS member of the Association of Certified Anti-Money Laundering Specialists (ACAMS).