Lessons Learned from the IFA Hack
Technology
No organization, regardless of its size or industry sector, is safe from a malicious cyber attack.
By Dan Caprio
When the International Franchise Association was hit by a ransomware attack known as the CryptoLocker virus in February 2016, the association called The Providence Group to help it navigate through the crisis. The company helped IFA understand the necessary actions and assisted in the development of a recovery plan with the support of a forensic firm and the FBI.
This attack took IFA hard drives hostage while demanding payment. It shut down IFA’s systems, resulting in hundreds of lost hours of productivity. The attack was random and demanded a large ransom to decrypt the data drive, which contained key information representing months of work as well as business addresses and contact information for clients and associates.
One of the lessons learned from the IFA attack is that cyber risk is different from all other risks because it touches on all types of risk, including operational, reputational, and regulatory risks — each with its own potential financial impact to the business. Cybersecurity is no longer simply an IT problem that can be managed by a checklist. Doing the minimum to protect your company from a cyber attack is not enough.
It is because cyber is such a complex and multifaceted risk that it needs to be addressed through a proactive enterprise risk management approach. Every franchisor and franchisee must proactively take strategic steps to manage cyber risk.
Managing risk requires total involvement
The National Institute of Standards and Technology special publication 800-39, Managing Information Security Risk, states managing risk is a complex, multifaceted activity that requires the involvement of the entire organization — from senior leaders and executives providing the strategic vision and top-level goals and objectives for the organization; to mid-level leaders planning, executing, and managing projects; to individuals on the front lines operating the information systems supporting the organization’s missions and business functions.
Risk management is a comprehensive process that requires organizations to frame risk, assess risk, respond to risk once determined, and monitor risk on an ongoing basis, using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations. Risk management is carried out as a holistic, organization-wide activity that addresses risk from the strategic level to the tactical level, ensuring that risk-based decision-making is integrated into every aspect of the organization.
Risk framing is perhaps the most important step in the enterprise risk management process, and it is more effective when objective third-party support is brought in to help the organization understand its threats and challenge its assumptions. It establishes a risk context in which risk-based decisions will be made across all aspects of the enterprise. The output of risk framing is a risk management strategy detailing how the organization intends to assess, respond to, and monitor risk. When framing risk, companies should consider the following types of questions:
- What is the impact to my business operations if my systems are not available?
- What is the impact to my business operations if my website is taken down and not available for any period of time?
- What would happen to my business if my business information is made public?
- What would happen to my business if my publicly available information is not correct?
No organization is safe
Many franchisees may think they are too small to be victims of a cyber attack, yet the attack on IFA clearly demonstrates this is not the case. No organization, regardless of size or industry, is safe from a malicious attack. In fact, smaller businesses are often targeted as a way to gain access to bigger businesses through supply chain or payment portals. Small businesses tend to view cybersecurity as too difficult and costly, yet they have more to lose than larger businesses due to the cost of responding to and recovering from a cyber attack. The National Cyber Security Alliance reported that 60 percent of small companies closed down within six months of an attack.
Small businesses and franchisees view the NIST Cybersecurity Framework released in 2014 as too complex to implement. The CSF is predicated upon the following five concurrent and continuous functions:
- Identify
- Protect
- Detect
- Respond
- Recover
To assist small businesses, NIST recently distilled the CSF into a helpful new small business cyber publication titled Small Business Information Security: The Fundamentals. This concise document uses a simplified risk assessment written in plain language to help small businesses better understand how to identify, frame and manage cybersecurity risks.
Once a company completes the risk management process and develops a risk management plan, it should review and update that plan at least annually and whenever considering any changes to the business (e.g. beginning a new project, a change in procedure, or purchasing a new IT system). Also, if any business partners, suppliers (including makers of any computer equipment or software used), customers, or employees are hacked, internal plans should be reviewed and exercised to ensure adequate protection is maintained.
Another lesson learned from the IFA attack is that staying secure against ransomware is not just about having the latest security solutions. According to a recent Barkly survey of companies that suffered successful ransomware attacks during the past 12 months, 100 percent reported they were running antivirus at the time of the attack.
Antivirus software is not the only security solution that came up short. Victims reported that 95 percent of the attacks bypassed the victim’s firewall(s), 77 percent of the attacks bypassed email filtering, 52 percent of the attacks bypassed anti-malware, and 33 percent of the attacks were successful even though the victim had conducted security awareness training.
What’s astounding, according to the survey, is that most companies do not change their approach to security after a ransomware attack. In fact, according to the survey, 26 percent reinvested in email filtering, 25 percent reinvested in security awareness training services, 20 percent reinvested in antivirus, and 17 percent reinvested in firewall(s). That’s in addition to the 43 percent that didn’t invest in any additional solutions. Less than half of those who had experienced an attack were able to fully recover their data from backup.
Best practices to follow
While there is no such thing as perfect security to protect against ransomware, there are some best practices that can be followed:
- Back up regularly and keep a recent backup copy offline and off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup to lessen the worry about the backup device falling into the wrong hands.
- Move your data out of the closet and into the cloud.
- Be cautious about unsolicited attachments in emails. Criminals rely on the dilemma you face when you cannot be sure of a document’s contents but feel you need to open it anyway. If in doubt, do not open it.
- Don’t give yourself more login authority than you need to do your job. Don’t stay logged in as an administrator any longer than is strictly necessary and avoid browsing, opening documents or other regular work activities while using administrator rights.
- Patch early and often. Malware that doesn’t come in via a document often relies on security bugs in popular applications, including Microsoft Office, your browser, Flash and more. The sooner you patch, the fewer holes there are to be exploited.
- Stay up-to-date with new security features in your business applications.
Understanding and framing risk is essential and needs to be done by every company regardless of company size. Securing independent third-party assistance with risk framing ensures all threats are identified and, more importantly, that assumptions are challenged, thereby creating a more comprehensive understanding of the risk landscape.
When considered together with specific best practices for ransomware and the more general NIST cyber recommendations, these helpful resources will assist franchisors and franchisees in managing cybersecurity risk and preparing for potential attacks.
Dan Caprio is Co-Founder and Chairman of The Providence Group based in Washington D.C.