Reputational Risk, Ransomware and the ‘Operational Resilience’ Imperative
Posted: Thursday, Mar 21



An Overview

Whether in international headlines or in local Australian news, reports of data-related business outages, and of the credibility damage that follows them, are on the rise.

From the DP World hack that stranded tens of thousands of shipping containers, to increasingly audacious ransomware attacks on public and private organisations of every size, data management has become a mainstream and highly visible topic. In a risk survey we conducted this year, three quarters of Australian respondents (75%) said that their organisation had been hit by at least one successful ransomware attack in the past 24 months.

The Current State of Reputational Risk

Today, data security, accessibility and management are the most significant aspects of reputational risk for any organisation. For government bodies, healthcare providers, or any business responsible for the secure stewardship of personally identifiable data, they are even more critical.

Reputational risk is, however, only one factor in the wider business imperative to ensure ‘operational resilience’.

Operational resilience refers to the ability of businesses to prevent and recover from disruptions to their critical business operations. Strong operational resilience is essential for the stability and reliability of any business, as it ensures that organisations can continue providing essential services to their clients, even in the face of major disruptions.

A Changing Environment

As business-critical operational data increasingly lives in hybrid combinations of on-premises and multi-cloud environments, the risk of disruption grows. Only a relatively small proportion of the critical workloads running in public cloud today were designed for it. Many are legacy applications that have simply been “lifted and shifted” to the cloud, so very few have built-in tolerance for a major outage such as the loss of an entire availability zone.

In my conversations with customers, this topic is now their top priority. To achieve operational resilience, companies must ask themselves two questions: first, how do we protect our data? And second, how do we more completely detect preventable events such as ransomware attacks?

While human error will always be a risk factor, every company must also face a simple truth: a ransomware attack will happen. As cloud adoption continues to accelerate, the risk increases, and the modern IT organisation needs an elastic, scalable, multi-cloud optimised platform that manages and protects its data automatically, efficiently and transparently.

A Calculated Approach

Early detection of ransomware further secures an organisation, but only when it is combined with a comprehensive response plan that is regularly tested, rehearsed and continually communicated to all stakeholders.

When it comes to stress-testing that plan, far too many companies have a combination of tools, solutions and plans in place that never get tested, and these then fail at the point of a breach. The Australian Prudential Regulation Authority (APRA) found in 2021, for example, that 22% of entities had not tested their cyber incident response in the preceding year.

Of even greater concern was the finding that more than one third had not tested their backups for critical systems in the same period. A backup job that reports success proves only that something was written; it says nothing about whether what was written can be restored, or whether the files it captured were already encrypted by the attacker.

The key strategy is to invest in the ability to test the plan on an ongoing basis. This is not a one-off exercise: it should be a living process, capable of adapting to the rapidly shifting shape of new cyber threats.
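As an added illustration of what "testing the backups" means in practice, here is a small automated restore test. It is not code from the original article or from Veritas; it is an example written for this page. It assumes the organisation keeps a manifest of known-good SHA-256 hashes for its critical files separately from the backup itself (for instance in write-once storage), so that a backup taken after ransomware has already encrypted production can be recognised as unusable. The sample files, the archive format (tar.gz built in memory) and the "damaged backup" scenario are all constructed for the example.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample: the contents of two "critical system" files at the time
# the last known-good manifest was recorded (not real data).
GOOD_FILES = {
    "db/customers.csv": b"id,name\n1,Alice\n2,Bob\n",
    "config/app.yaml": b"listen: 0.0.0.0:8443\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: dict) -> dict:
    """Record a known-good hash for every file. The manifest is assumed to be
    kept apart from the backup (e.g. write-once storage) so an attacker who
    encrypts production cannot also rewrite the reference hashes."""
    return {path: sha256_hex(content) for path, content in files.items()}


def make_archive(files: dict) -> bytes:
    """Produce a tar.gz in memory, standing in for the backup job's output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def restore_and_verify(archive: bytes, manifest: dict) -> dict:
    """Restore the archive into a scratch directory, hash what actually landed
    on disk, and compare it with the manifest. The test passes only if every
    manifest entry is present with the expected hash and nothing extra appeared."""
    restored = {}
    unexpected = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                parts = member.name.split("/")
                # Refuse absolute or traversing names: a tampered archive must
                # not be able to write outside the scratch directory.
                if member.name.startswith("/") or ".." in parts:
                    unexpected.append(member.name)
                    continue
                dest = os.path.join(scratch, *parts)
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with tar.extractfile(member) as src, open(dest, "wb") as dst:
                    dst.write(src.read())
                # Hash the restored file, not the archive stream, so the check
                # covers the whole restore path.
                with open(dest, "rb") as f:
                    restored[member.name] = sha256_hex(f.read())

    missing = sorted(p for p in manifest if p not in restored)
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    unexpected = sorted(unexpected + [p for p in restored if p not in manifest])
    return {
        "ok": not (missing or corrupt or unexpected),
        "missing": missing,
        "corrupt": corrupt,
        "unexpected": unexpected,
    }


def damaged_backup() -> bytes:
    """Constructed failure case: the backup job ran after ransomware had
    encrypted customers.csv, and the config file was lost. The job "succeeded"
    but the archive is useless for recovery."""
    files = dict(GOOD_FILES)
    files["db/customers.csv"] = b"\x8f\x1a\x00ENCRYPTED\xff\xee"
    del files["config/app.yaml"]
    return make_archive(files)


if __name__ == "__main__":
    manifest = make_manifest(GOOD_FILES)
    print("good backup:   ", restore_and_verify(make_archive(GOOD_FILES), manifest))
    print("damaged backup:", restore_and_verify(damaged_backup(), manifest))
```

The point of the design is that the verdict comes from hashes recorded independently of the backup pipeline, not from the backup job's own exit status: the damaged archive extracts cleanly and would pass a "did the job complete" check, yet the report flags customers.csv as corrupt and app.yaml as missing. Run on a schedule against a real restore target, this is the kind of test APRA's finding implies one third of entities were not doing.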

To ensure successful operational resilience in the face of ransomware attacks, businesses should:

  1. Implement robust risk-management processes to identify and assess potential ransomware attacks, and develop strategies to prevent or mitigate them.
  2. Develop and regularly test contingency plans so that the business can continue providing essential services should an attack take place.
  3. Invest in redundant and resilient IT systems to reduce the likelihood of disruption following an attack and to improve the business’s ability to recover from it.
  4. Regularly train and re-train staff and all service-providing third parties on operational-resilience procedures for an attack. Too often, key outsourcing partners do not receive updates to critical communication procedures.
  5. Regularly rehearse the plan with drills and exercises that test IT operational-resilience processes and identify areas for improvement. These must involve both employees and service providers. Ensuring everyone knows the plan and their roles and responsibilities during an attack is the most regularly overlooked factor in building operational resilience.
  6. Work closely with regulators and industry organisations to stay up to date on best practices and emerging threats.


Whose Fault Is It When Ransomware Succeeds?

Within organisations hit by a ransomware attack, there is often a rush to attribute blame. Who is responsible for this breach? Blame is often apportioned to the CIO or the CTO, and even CEOs are potentially accountable. Too often, though, the root cause of an operational-resilience breakdown is a failure of communication: either internally, between business units or functional groups, or, more often, where planned processes have not been sufficiently tested or updated with key IT outsourcers and service providers.

With increasing reliance on public cloud services for business-critical operations, executives also need to be clear on which security capabilities the provider delivers under the cloud service agreement and which remain their own responsibility. Under the providers’ shared-responsibility model, backup, recovery and the protection of the customer’s own data generally fall on the customer side of that line.

In reality, all parties share some of the blame. So, in the face of a cyber breach, whether malicious or accidental, organisations need to act together as a team. Only by coming together and implementing a well-rehearsed recovery plan can operational resilience truly be maintained and business risk minimised.

Technology disruption and cyber-attack already sit among the top three serious disruptions for organisations in Australia, according to a PwC survey this year. As we look towards 2024, new technologies will come more into play. Artificial intelligence can already help via anomaly detection and malware screening. AI can also take on some operations and make them autonomous, in some cases relieving skills gaps within overstretched IT departments. But AI is not a silver bullet: as businesses use it more, so do the criminals. It is a never-ending battle.

Mark Nutt
Mark Nutt is the Senior Vice President for International Sales at Veritas. In this role, he is responsible for the sales organisation and the functional leadership of the business across the continents of Europe, Asia, Africa and Australia. With more than 30 years in the IT industry, Mark is recognised as a strong leader with a track record for building high-performance teams and a reputation for innovation, transformation and delivering results. Mark’s focus on both the growth of the business and the development of his team has seen him restructure Veritas’ field operations across the International region to drive increased sales and success.