The harsh reality of the coronavirus has forced many businesses to consider what comprises their minimum viable company and data audits are the first key step in assessing where risk lies
Half of British workers are now regularly working from home, with similar patterns seen across the world: just one business legacy of the coronavirus. But this leaves managers and companies’ IT departments with a headache. With many firms only just recognising the importance of business continuity and disaster recovery, how do you decide what’s worth saving in the event of a cyber-attack or systems failure and what can be left to lose?
“Companies are thinking about resilience in a very different way,” explains John Beattie, principal consultant at Sungard, a cybersecurity company. Rather than recovery, people are thinking of resilience. “They’re thinking about it on many fronts: revenue resilience, data security and how can I continue my minimum viable company?”
Threats to the minimum viable company
For many, that minimum viable company has been put more at risk by the shift to home working. “Businesses large and small have virtualised at an unprecedented rate and in response to an unforeseen emergency,” explains Dr Victoria Baines, a cybersecurity researcher and visiting research fellow at Oxford University.
This means more people accessing work networks and key data from personal devices. That’s a boon for cybercriminals and a problem for corporate IT departments fearful of the rise of ransomware.
Think about the minimum amount of data you’d need. How much business would you lose if you’re hit by ransomware?
“Now that we have overcome the initial panicked reaction to lockdown, organisations of all sizes should seize the opportunity to map their IT assets and access, draw up security policies for home working and ensure all their employees are compliant,” says Baines.
Data audits are an important first step. Businesses big and small rely on the cloud for data storage, which is a benefit as it’s comparatively easy to recover from. But several sections of a business’s data are often seen as too business critical to be stored remotely; customer information and accounts, for instance.
This attitude needs to shift, according to Alan Woodward, professor of cybersecurity at the University of Surrey. Likewise, make sure your software is up to date, and you’re backing up data to the cloud.
“Think about the minimum amount of data you’d need to run your business,” he says. “How much business would you lose if you’re hit by ransomware?”
How often should you back up data?
If your company computers, including those home laptops co-opted during the dash to leave the office during COVID-19, are running Windows 10, backups are made continuously, but otherwise Woodward advises backing up data twice daily, at lunchtime and after office hours, to the cloud. “It doesn’t stop the files potentially being encrypted if you’re hit by ransomware, but it puts a break on it,” he says. “You only lose half a day’s work.”
Siloing sections of the business can also slow the spread of ransomware, but it’s important to remember that more digital collaboration tools are being used in these unusual times, which means susceptible files are more likely to be passed around from one employee to another.
“Security is always breached by people, process and technology,” says Woodward. “People are always the weak link, and when you introduce new processes in working remotely, people might not be used to it.”
Extra caution is important at all levels of a business. “Getting an email from the boss might not be unusual when working from home, but would be in the office when they’re sitting three desks behind you,” says Woodward. Baines adds: “Cybercriminals will seek to exploit this decentralisation and any points of vulnerability in these chains.”
Planning for the worst-case scenario
Companies often seek collaboration and the drive to working from home has pushed that even higher up the to-do list for many people. Employers have also accepted lax attitudes to data security as people acclimatise to the new normal. “A lot of organisations have had to relax some of their data protection controls to facilitate people working remotely,” explains Beattie.
But separating silos, stacks and functions is of vital importance for basic business continuity, and having a clear plan and programme to recover any lost data in the aftermath of the event is vital.
The minimum viable company requires plenty of planning and an acceptance of worst-case “what if” scenarios. But alongside introducing technical measures, virtual private networks, firewalls between departments and multi-factor authentication for logins, ensuring the minimum viable company remains viable is as much about employee education as anything.
“Using the same password for access to your work emails, your Facebook account and your online shopping just won’t fly anymore, especially if you’re using the same device for all three,” says Baines at Oxford University. “It’s time to remind all home workers of their responsibility to protect themselves and the corporate assets to which they have access.”
Bosses may also need to have frank conversations with workers about digital rights. She adds: “Employees may have to get used to the idea of employers imposing security requirements on their personal devices, including enforced antivirus installations and operating system updates.”
What went wrong at Honda?
Ransomware attacks account for one in five cyber-attacks launched in 2019, according to Trustwave. One recent victim was motor manufacturer Honda, which was hit in June by what’s believed to be the Ekans ransomware strain, affecting production, email access and the ability to look at server data.
An internal server was attacked by a third party. Though the company has not disclosed much information about the attack, it disclosed that the virus had spread across its network, probably because of a lack of siloing within the company. It seems likely, though isn’t known for certain, that whichever entry point the hackers used was connected by the internet to the company’s wider servers, allowing the ransomware to permeate throughout the organisation.
The result was significant. As well as being locked out of email accounts and company servers, production was temporarily halted in Turkey, Italy, Japan, United States and UK, with cybersecurity researchers believing data may have been held to ransom.
Honda said in a statement released when announcing the attack that no data was breached and there was “minimal business impact”. The company returned to production soon after, but provided a model for just how devastating such attacks can be.