Retail banks have long had backups in place to deal with any event – physical or cyber – that threatens to disrupt their smooth-running operations. These days, however, the increasing menace of ransomware attacks is exposing the holes in such contingency plans.
If your organisation’s data was held to ransom, what would you do? That is a question many bankers are now asking themselves in the face of the growing threat of ransomware.
Cybercriminals are increasingly using malware to lock down systems and encrypt data, wreaking havoc until a ransom is paid and the victim can get up and running again. It can take days, even weeks, to get back to normal, and IBM estimates that an infrastructure failure can cost as much as $100,000 per hour, while a failure in a critical application could cost up to $1 million per hour. With figures such as these, it’s no wonder that bankers are questioning what their organisations should be doing.
Financial institutions: targeted by 1 in 4 malware attacks
There has been a dramatic increase in ransomware attacks, according to a January 2021 report from Gartner, and by one estimate there was a 50% increase in the number of daily attacks in the third quarter of 2020 alone. And in 2019, according to RSA, financial services institutions were the target of a quarter of all malware attacks.
David McKnight, a principal in the consulting group at Crowe who specialises in cybersecurity, says ransomware is highly prevalent and, for banking executives, “It is top of mind because they are seeing it and they might be affected by it.”
One way to avoid paying the ransom in such an attack is to have an effective backup plan in place. McKnight comments that typically, when bankers are asked what would happen in the event of a ransomware attack, the answer is ‘We have backups’. However, often that isn’t good enough. It all sounds great and looks good on paper, McKnight says, but often, “The integrity of the backups is not there.” A backup may not capture all the data, or it may not be recent enough – it could be from two days, rather than one day, before the attack, for example – leaving a gap that still needs to be reconciled.
McKnight comments that he sees pockets in the US banking system – particularly the community banks, i.e. those with assets of $5bn and under – where there is a lack of testing and validation of the backups.
Essential need for banks to perform ‘fire drills’ of backup recovery systems
This is similar to what Yuen Pin Yeap, CEO of NeuShield, a company that specialises in data protection as a defence against ransomware, is seeing. “Although bigger banks tend to invest heavily in cyber protection and robust backup systems, the smaller regional banks and credit unions may not have the resources and expertise to be as prepared for a ransomware attack,” he says.
Yeap says that at a minimum, a bank needs to regularly perform successful ‘fire drills’ of its backup recovery systems. “In order to be well prepared for a ransomware attack, the bank also needs to evaluate what is the maximum downtime it can endure, and have a system that can fully recover from a simulated attack within that period,” he adds.
Although organisations may think they have backups in place, many may not be doing it properly. McKnight points to the questions that should be asked: Do the backups work? Have they been validated? Has that system been brought online and checked? Has there been a practice recovery to see if it reconciles?
These issues can be a point of failure for retail banks. Also, McKnight comments, in the face of a malware attack, “There is widespread panic when that happens.” It’s not just about having a robust backup in place, but also a step-by-step plan that articulates a process of who does what when, especially when they are gripped by blind panic.
Another more recent development that has exposed failings in backup plans is hybrid working and working from home. Staff now working on laptops away from the office may be reminded by their IT teams to back up their data beyond their local machine, but, McKnight asks, is anyone checking that they are actually doing it?
Recovery systems: must bring systems back online in hours
These issues are not just related to ransomware, as Yeap at NeuShield points out. “A solid physical backup system with zero chance of failure is a must have for any bank, even before the proliferation of the ransomware attacks. However, ransomware attacks mean there is a pressing need for a recovery system that can bring the system back online in hours, not days. That means physical backups alone may not be sufficient to protect the bank from ransomware attacks.”
There are a number of things that banks could be doing better, Yeap points out: “Cyber protection has to be looked at from the holistic point of view. A bank, or any potential victim of cyberattack, needs to have multi-layer security solutions as the basic defence. If the organisation has complex hybrid infrastructure in the cloud and on-premise, as most banks do due to the rise of online and mobile banking, then they also need to look at network security technologies such as micro-segmentation and zero trust model [where every user and device has to have its identity verified] to contain the ransomware once it has infiltrated one of the subsystems,” he says.
Multi-layer security solutions as the basic defence
In the case of ransomware, or any kind of malware attack, McKnight says: “If something has caused the system to go down and we believe it is the work of a malicious actor, the big thing is how far back do you go to what is a safe state? The malware could be on a system and dormant for a long time. How do you prove that it was a safe state?” A lot of effort is spent on forensics and assessing when it entered the system. If, for example, it was seven days ago, then the bank would need to return to the backup from eight days ago.
The advice from the UK’s National Cyber Security Centre is to keep an offline – or ‘cold’ – backup, so that if there were an attack the offline copy would be unaffected. The agency advises connecting a backup to live systems only when absolutely necessary, and never having all the backups connected, or ‘hot’, at the same time. This avoids the scenario some organisations have found themselves in: when attacked, they realise their backup was also online and has been encrypted by the malware as well.
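The “how far back do you go” reasoning above and the NCSC offline advice, as an added example that is not from the article or from Crowe, NeuShield or the NCSC: a small Python helper that selects the newest backup predating the estimated infiltration date, considering only copies that were kept offline and were validated in a recovery drill. The snapshot catalogue, dates and field names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

@dataclass(frozen=True)
class Snapshot:
    """One backup copy. Field names are constructed for this example."""
    taken: date
    offline: bool         # kept disconnected ('cold'), so malware could not reach it
    drill_verified: bool  # restored, brought online and reconciled in a practice recovery

def safe_state_cutoff(compromise_day: date) -> date:
    """A backup taken on the infiltration day may already carry the malware,
    so the newest trusted copy must predate it: seven days ago -> eight."""
    return compromise_day - timedelta(days=1)

def choose_recovery_point(snapshots: Iterable[Snapshot],
                          compromise_day: date) -> Optional[Snapshot]:
    """Newest snapshot that is old enough, was offline, and passed a drill."""
    cutoff = safe_state_cutoff(compromise_day)
    usable = [s for s in snapshots
              if s.taken <= cutoff and s.offline and s.drill_verified]
    return max(usable, key=lambda s: s.taken) if usable else None

def data_gap_days(snapshot: Snapshot, today: date) -> int:
    """Transactions since this date must be reconciled by hand after restore."""
    return (today - snapshot.taken).days

# Constructed catalogue: the attack is discovered on TODAY; forensics puts the
# infiltration seven days earlier, matching the article's worked figure.
TODAY = date(2021, 6, 15)
COMPROMISE_DAY = TODAY - timedelta(days=7)
CATALOGUE = [
    Snapshot(date(2021, 6, 14), offline=False, drill_verified=True),   # hot, suspect
    Snapshot(date(2021, 6, 9),  offline=True,  drill_verified=True),   # cold, but after infiltration
    Snapshot(date(2021, 6, 7),  offline=True,  drill_verified=True),   # the one to use
    Snapshot(date(2021, 6, 6),  offline=True,  drill_verified=False),  # never tested
    Snapshot(date(2021, 6, 1),  offline=True,  drill_verified=True),   # older fallback
]

if __name__ == "__main__":
    pick = choose_recovery_point(CATALOGUE, COMPROMISE_DAY)
    if pick is None:
        print("no trusted offline backup predates the infiltration")
    else:
        print(f"restore from {pick.taken}, gap of {data_gap_days(pick, TODAY)} days to reconcile")
```

Removing the 7 June copy from the catalogue (say, because it was never drill-tested) makes the helper fall back to 1 June, which shows how quickly the reconciliation gap grows when backups are not validated.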
Colonial Pipeline lessons
In the event of a systems failure, however, it might not be as catastrophic as it sounds; customers’ money is still safe – it’s just they can’t access it, points out McKnight. If there is a situation where an older backup has to be used, it is unlikely that the core ledger of a bank would be affected. Malware attacks typically target Windows-based systems, which the core ledger is not based on, comments McKnight.
McKnight draws the comparison with the Colonial Pipeline ransomware attack in May this year, which shut down the company’s systems and caused disruption to anyone wanting fuel. It wasn’t the company’s physical operations and movement of the oil that was at issue, however, but rather the billing system that was affected. This was enough, however, for the company to suspend its business transactions and pay the ransom.
Protocol, script, checklist
It is not just ransomware that requires a robust backup plan; there are numerous other causes of systems failures and other kinds of outages. As part of the audit process, McKnight points to the typical redundancies that should be checked. For example, if the internet goes down, there should be a backup plan. For hardware failures, or issues such as a loss of power – and having diesel generators on hand – banks are typically well prepared, comments McKnight. What they need is a protocol, and a script, that can be used as a checklist to be ticked off item by item, rather than having to think of what to do in the moment, when panic is likely to strike.
Diesel generators, and the need for offline and physical alternatives, hark back to an older way of doing things. And in some corners of the financial infrastructure, there are relics that are still relied upon. In the case of card payments, for example, ‘click clack’ imprinter machines can still be used as a physical backup in the event of a payment systems failure.
Imprinter machines: relics of another age
These imprinter machines can be a test of one’s age, and millennials typically don’t know what they are. The card is laid in the base of the machine, carbon paper slips over the top, and the ‘zip zap’ of the imprinter runs along the embossed details on the card, thus printing the card details on the paper slips. One is torn off for the customer, another for the merchant.
A spokesperson for Barclaycard, a major acquirer in the UK, explains that merchants can still buy these machines. “We recommend that merchants have an imprinter, just in case their communication link or card terminal can’t be used as, if neither can be used, they won’t be able to take card payments until these are back up and running.” They added, however, that if there’s a hardware issue a replacement can be ordered quickly, and outages that aren’t related to terminals are rare.
A spokesperson for Visa Europe explains there is no scheme rule that requires merchants to have these imprinters and said it “would not expect merchants to have access to such devices – particularly as many cards today are not embossed, and many consumers make payments without a physical card (such as with their mobile phones, or with wearables).”
As payments, along with all other aspects of retail banking, become increasingly digital, the need for appropriate backups is critical. Ransomware doesn’t make this a new issue – there has always been a need for effective backups – but its rising prevalence is causing bankers to ask questions about all of their backups.