ITP Techblog

You'd be forgiven for being a bit grumpy if, after signing up for a managed service to provide all your updates and to make sure your systems are all secure and tucked up, you got hit by the Kaseya attack.

The attack hit home via that most nefarious of vectors - the provider of security updates - meaning those companies that were hit had done everything right: well, everything up to the point of clicking on the "accept" button.

Today it would appear more than 1000 businesses around the world have been infected with a ransomware attack delivered through the very service they'd signed on with to ensure this kind of thing never happened. In total more than US$70 million in demands have been made so far.

If ever there was a way to demonstrate that you can't outsource ultimate responsibility for your own security, this must surely be it.

While Kaseya and its managed partners rush around trying to stuff the latest cyber-security genie back into its bottle, the smart CIO (and CISO and, if you're very lucky, board risk committee) are turning their attention to the next thing that will sideswipe their business and try to shunt it into the bushes.

What is it?

I have no idea, and neither do they. But somehow they've got to be ready for it.

That means preparing for the unthinkable where possible and (take a deep breath now, finance folks) spending money on something that might never be needed.

That's right, the only thing standing between you and a flashing desktop saying "buy bitcoin and deposit it into this account" is planning and preparation and there's no two ways around it: that's going to cost money.

The solution starts at the top, with the board. This can't be treated as a technology issue because it's not. The mechanism is tech-centric but then they all are these days. Everything we do is either created, developed, delivered or supported by a digital platform so calling this a tech problem is not terribly helpful.

This is a reputation problem. It's a problem that could derail your business, not your IT system, so it's important to treat it as such. Just as COVID is a health problem, not an economic one (sure, it might cause economic problems but that's a side effect and treating that symptom won't cure the literal disease) so too, ransomware and cyber-crime is a business problem, not a tech one.

So you need to spend money on it. You'll need the latest tech, of course, but you also need to understand that will fail, the tech you deploy will be compromised. So what are you going to do if you can't access your core systems?

There are two answers really - three if you count "pay the ransom". First, you can fall back on the old manual system and hope that works well. This often has problems because by now you've probably refined your tech solution to the point where a manual workaround not only won't deliver in a timely fashion, but won't deliver at all. My manual fall back for my phone being compromised is an out of date collection of business cards and let me tell you, that's not going to cut the mustard any time soon.

The second response is a duplicate system complete with data backed up as close to the incursion as possible. That way you can fire up the second system, trash the first and rebuild it from scratch and carry on with your life.

No tech budget can withstand that kind of duplication which is why I say this isn't a tech problem. It's a business problem and while that may seem expensive, consider the alternative.

In a world where even doing the right thing can cost you your business, can you do any less?