Ransomware – three questions to ask your cybersecurity teams

Although the nature of the attacks were different, the impact - loss of access to data, downtime and supply chain disruption - were equally damaging.

In the case of JBS it was a direct hit on systems, causing facilities in the US, Canada and Australia to cease operating. For Coop, it was the infiltration of one of their trusted IT managed service providers, Kaseya, that closed the tills in over 800 supermarkets.

The immediate question for companies like JBS Foods and Coop was whether business continuity plans could be relied on, or was the ransom a price worth paying to quickly recover data and systems? The case for paying can feel compelling, especially if predicted losses are more than the attacker is demanding, but this is problematic, both ethically and commercially. Criminals will continue to launch these attacks for as long as they are profitable.

As demonstrated by the attack on Coop, being confident in your own security protocols is not enough, ransomware attacks can come through supply chains and other organisations you work with, are connected to, or rely upon. Both downstream and upstream in the supply chain, consider who data is shared data with, where materials are sourced and who has access to processing control systems, product formulations, packaging and brand assets?

Working with LRQA’s experts in cybersecurity threats, we’ve formulated three essential questions to ask, to determine how prepared you are for a ransomware attack.

1. Are we confident in protection from basic attacks?
   Not doing the basics significantly increases the risk of a ransomware infection, but this doesn’t mean adopting every cutting-edge solution available. Even basic controls can be difficult to implement, and many organisations believe they’re getting them right, but without independent assurance, it’s criminals who will identify weaknesses rather than cybersecurity professionals.
2. If we were hit by ransomware tomorrow, could we recover?
   A ransomware attack isn’t inevitable, but plan as if it were. Can data be recovered quickly when required and has this capability been tested? Backup data is often a target, so unless it’s isolated from live systems, there’s a very real risk of irreparable loss. Consider continuity alongside recovery - how will the business function if systems are unavailable for a period of time? Having plans is important, but so too is testing that they work. Fire drills happen for a reason: test plans regularly and ensures teams are well-rehearsed in enacting them. If you don’t know when plans were last tested, be concerned.
3. Do you understand your third-party vendors and suppliers?
   Every organisation will rely on third parties to some degree. Are they documented and have the risks they pose been properly assessed? In most organisations, the answer is no - at least not comprehensively. Consider suppliers who provide physical goods, cloud providers, developers that provide core software, and any organisation with whom you share data. If a supplier has any level of access to your environment, they’re a potential attack vector. And don’t forget shadow IT, those crucial but undocumented and uncontrolled solutions that inevitably exist somewhere. Understand the risks associated with third parties and look for assurance that they too are appropriately protected.

As our global food and beverage supply networks grow ever more complex, vulnerability to cyber threats can only increase. Across the industry, now more than ever, we need to ask who will the target be next? And if it is our organisation, are we protected?