In June 2021, it was JBS Foods, the world’s largest meat producer, and in July, it was Swedish retailer Coop — both victims of ransomware attacks attributed to the REvil organization.
Although the nature of the attacks were different, the impact — loss of access to data, downtime and supply chain disruption — was equally damaging.
In the case of JBS, it was a direct hit on systems, causing facilities in the US, Canada and Australia to cease operating. For Coop, it was the infiltration of one of their trusted IT managed service providers, Kaseya, that closed the tills in over 800 supermarkets.
The immediate question for companies like JBS Foods and Coop was whether business continuity plans could be relied upon, or was the ransom a price worth paying to recover data and systems quickly? The case for paying can feel compelling, especially if predicted losses are more than the attacker is demanding, but this is problematic, both ethically and commercially. Cyber-criminals will continue to launch these attacks for as long as they are profitable.
As demonstrated by the attack on Coop, being confident in your own security protocols is not enough since ransomware attacks can come through supply chains and other organizations you work with, are connected to, or rely on. Both downstream and upstream in the supply chain, consider whom you share data with, where materials are sourced and who has access to processing control systems, product formulations, packaging and brand assets.
Not Doing the Basics Significantly Increases the Risk of a Ransomware Infection
When it comes to cybersecurity threats, there are three essential questions to ask to determine how prepared you are for a ransomware attack.
- 1: Are we confident in protection from basic attacks?
Not doing the basics significantly increases the risk of a ransomware infection, but this doesn’t mean adopting every cutting-edge solution available. Even basic controls can be difficult to implement, and many organizations believe they’re getting them right. But without independent assurance, it’s criminals who will identify weaknesses rather than cybersecurity professionals.
- 2: If we were hit by ransomware tomorrow, could we recover?
A ransomware attack isn’t inevitable, but plan as if it were. Can data be recovered quickly when required, and has this capability been tested? Backup data is often a target, so there’s a genuine risk of irreparable loss unless it’s isolated from live systems. Consider continuity alongside recovery — how will the business function if systems are unavailable for a period of time? Having plans is important, but so too is testing that they work. Fire drills happen for a reason: test plans regularly and ensures teams are well rehearsed in enacting them. If you don’t know when plans were last tested, be concerned.
- 3: Do you understand your third-party vendors and suppliers?
Every organization will rely on third parties to some degree. Are they documented, and have the risks they pose been properly assessed? In most organizations, the answer is no — at least not comprehensively. Consider suppliers who provide physical goods, cloud providers, developers who provide core software and any organization you share data with. If a supplier has any level of access to your environment, they’re a potential attack vector. Don’t forget shadow IT, those crucial but undocumented and uncontrolled solutions that inevitably exist somewhere. Understand the risks associated with third parties and look for assurance that they too are appropriately protected.
As our global supply networks grow ever more complex, vulnerability to cyber threats can only increase. Across all industries, now more than ever, we need to ask who will be the next target? And if it is our organization, are we protected?
Kimberley Coffin Global Technical Director , Lloyds Register