Podcast: Ransomware, data protection and compliance

In this podcast, we look at ransomware, the threat it poses in terms of an organisation’s reputation and operational capability, as well as legal and regulatory compliance, with Mathieu Gorge, CEO of Vigitrust.

We talk about ransomware’s potential effect on an organisation’s service-level agreements (SLAs) to customers, the laws and regulations an attack may fall foul of, and the right technical measures and training that can help avoid or mitigate its effects.

Gorge talks about the need for effective backup copies – ie, with recent recovery objectives – but also about protecting systems in the first place from ransomware attack. He also talks of the need to test backups, to have ransomware as something that is planned for in disaster recovery provision, and the vital need to review security and analyse attacks should they occur.

Antony Adshead: What threats to legal and regulatory compliance does ransomware pose?

Mathieu Gorge: It’s a good question that’s often overlooked. One of the major threats is that if you provide clients with an SLA for your services and, suddenly, because of ransomware, your systems are down – you obviously have a contractual issue from a legal perspective.

The next one is potentially a privacy regulation challenge, in that when you take data from clients, especially if it’s personal data protected under GDPR [General Data Protection Regulation], you essentially commit to taking the right, appropriate technical and procedural measures to protect that data and make sure it is kept accurate at all times, and so on.

The very fact that you’ve been victim of a ransomware attack, a successful attack, probably means you did not take the appropriate technical measures, and that you don’t necessarily have the right process to keep the data protected.

From a compliance perspective, if you look at HIPAA, or PCI, or other standards, they all require you to have a proper antivirus. Some of them mention anti-ransomware solutions, so you’d be out of compliance after the attack.

A clear message from the industry is that, at all costs, you need to try to find a solution that does not require you to pay, because even if you pay, you may not get the key, the key may not work, and you’re just advertising yourself as a company or person that’s going to pay again, and you need to avoid doing that.

Adshead: What are the implications of these threats from ransomware for storage and backup in particular?

Gorge: One of the answers to ransomware is to say, “Well, it doesn’t matter because we’ve got a good storage and compliance policy and framework, and therefore the most we’re going to lose is the data between the time of the attack and the last backup”.

That’s where it becomes really interesting, because how long is that delta of data that you have between your last backup and the attack? If it’s one day, you can probably “eat it”, so to speak. If it’s a week, it’s going to have a considerable impact. If it’s any more than a week or month, it’s definitely going to impact your ability to do business and potentially to stay alive as a company.

So, you need to make sure all critical systems are backed up on a regular basis, with the right delta. That delta might be a few seconds, for the banking industry or other industries where it’s real-time stuff. Or it could be a day, or a week. If it’s any more than a week, then it’s really not fully backed up. Very few companies can sustain losing more than a week’s worth of data.

The other thing is to monitor the integrity of your systems after the attack. The ransomware attack could be one of several attacks that has been successful. You might be distracted by the ransomware attack while there’s another attack on other systems and you’re busy trying to get all the backups.

The advice would be to make sure you have all of your backups ready, that you test the backup plan, and that from the compliance perspective you have listed the ransomware attack as a potential incident, along with potential solutions.

Some of those solutions might require involving a forensics company to come in to check the integrity of the data that’s still there, and also to check the integrity of the backups when they are back up and running.

One thing that you can’t really do is back up the systems and leave security as it was, because then you are essentially recreating the framework that was vulnerable.

You also need to understand how the ransomware attack played out, and unfortunately that’s often a user issue that comes from phishing and lack of training around it.

So, when you do training around phishing, you need to explain to users the importance of that impact, and explain to them why backups are important and why they need to stay in compliance with regards to storage.