We were interviewed on the heals of Wannacry, and the WMUR folks, recognizing that NH is made up primarily of small companies, wanted to do the piece.
During the morning of Wannacry, I'd been at three small local companies —all who'd been directly effected by the ransomware. In one, a florist, I'd spent 45 minutes waiting for an arrangement to be made up for my mothers 'celebration of life'. While I waited and watched the floral designer piece the arrangement together, I chatted with the owner, who when she found out what I did, immediately told me that she'd lost her entire accounting, inventory, and customer list because the one computer used to run the business had been hit. She had an IT consultant who was managing the systems, but the backups used to attempt the restore didn't work and they were forced to either pay, or reconsitute the drive through piecemeal backups and manual reentry, or, pay the ransom.
Here's the math…
- Pay $300 in ransom and get the key to simply unlock the system (and then go fire the IT consultant).
- Or spend days (more?) rebuilding the companies administrative operations.
The company probably does $2 million per year in revenue; I'm guessing —it's a nice place and they're always hopping. At $2 mil per year, they generate approximately $5495 per day, and my bet is they make about 20% profit on that day — $1100 — after they pay their inventory (flowers come in daily), labor, etc.
As the business owner, what would you do?
As a security pro, what would you recommend?
I recommended paying the ransom, then firing the IT consultant (I recommended a good one —a partner we've used in the past —Ezentria in Nashua), instructing the new IT consultant to build the system new and up to date, and getting back to business.
DHS recommended (publicly, and spread by every news outlet out there) to NOT pay the ransom. Why? Because they take their outside council from larger companies who had full, clean backups and disaster recovery plans. Guess what? They don't need to pay the ransom. They were prepared and had a plan.
In 2012, according to U.S. Census Bureau data, there were 5.73 million employer firms in the US. 99.7% of them had fewer than 500 employees. 89.6% had less than 20 workers. Add in the number of nonemployer businesses (solo practitioners) – there were 23.0 million in 2013 – and the number of US businesses with less than 20 workers increases to 97.9 percent.
97.9% of companies are small businesses with less than 20 employees! How many of them were consulted when DHS recommended that they not pay the ransom? Out of those, how many were prepared for a business critical ransomware attack? Not the ones we talked to that day. This florist could resort back to catalogs and the internet —and she did, but what about others who were stopped dead in their tracks?
Look, there're a million ways to skin this cat, but common sense tells me that the DHS guidance doesn't apply to every company, and when a florist tells me that the government recommends she not pay the ransom (and take the $1100 per day hit to her bottom line), my stomach hurts and my face contorts. I can't help it. It's my natural reaction to stupidity.
My point is, government paints with a very wide brush — from taxes to gun control to health care to cyber guidance. And for those companies who had strong Information Security teams who had kept the systems up to date, and had a good disaster recovery process, well, they weren't affected. For this who didn't, they were. And if that company didn't have backups, or a way to reconstitute data, and the system were business critical, what would be the right answer? What happens in this case, where Wannacry stopped business?
That day, the morning of Wannacry, we put up a website where we allowed users to contact us for help —for free. Some told us they were fine but wanted to know what to do for next time. Others had questions on their current state. We answered what we could and sent others a referral to Ezentria.
We thought WMUR did a terrific job on this. And thank you to Ezentria for handling any calls that we pushed their way.
Until next time,
Have a great weekend!
Jeff