Accenture, Ransomware, and Ambulance Chasers
The Lockbit 2.0 ransomware gang have been stepping up their game over the last year, and yesterday they claimed a big scalp: Accenture. With a haul of 6TB of data, and clearly wanting to pile on the pressure for a pay-out, the Lockbit crew went public and gave Accenture only 7 hours to pay up, instead of the usual couple of days.
Accenture quickly responded with a PR release playing down the breach and impact, and playing up their quick response to get back to normal. The data was released last night, but the Lockbit portal quickly crumbled under the load: it was closed again and will be re-opened this evening. Bad luck to all those Atos, DXC, and Cap Gemini consultants hoping to learn how to construct a readable client deck.
Everyone’s LinkedIn feed and social media is now going to be packed with the ambulance chasers. The weaselly salespeople, the ‘experts’ who are just sales mouthpieces, the conference circuit keynote speakers who talk a good game but have never actually done the job. I’m sure there will be lots of pictures of “Hackers in Hoodies”, with Guy Fawkes masks and backgrounds from The Matrix, to complement these breathless cries for attention.
Here’s a top tip for your security programme: anyone saying that Accenture would have avoided this sorry saga, if only they’d used their company’s super-awesome software/product/consultancy, is a charlatan. A purveyor of fertiliser. You can remove their company from any future supplier shortlists with a clear conscience and the happy smile of a job well done.
Businesses are about people, and people need access to business information to do their jobs. We can put all sorts of security controls in place to manage and limit access, but at the end of the day, our people remain our biggest security threat — as well as our biggest security asset.
We can deploy endpoint protection, and you can bet every endpoint protection (EPP) and data loss prevention (DLP) vendor will spend the next month banging on about how, if only Accenture had used their particular, magical, special software, this would never have happened. Of course, that’s utter nonsense. Good EPP and DLP solutions do have a role to play, but only as one small part of a considered, multi-layered, defence-in-depth approach to security.
Backups (known-good, restorable backups) and a working disaster recovery (DR) process are the best way to recover from ransomware. As Accenture’s PR announcement has said, they immediately restored from their backups and were up and running straight away. Accenture have multiple, tested DR processes: they know they work, and they’ve demonstrated this clearly to their clients, which is a smart PR move. The vast majority of companies out there, though, have no idea if their most recent backups work, let alone if the data can be restored. When was the last time you saw a company do a proper DR exercise? Do you even know where yours is documented?
The best DR policies in the world mean nothing if you’re not actually communicating and testing them.
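The question “do your backups actually restore?” is answerable with a small, boring test that runs after every backup job. The script below is an added example for this post, not Accenture’s tooling or anyone’s production DR process: a backup job writes a tar archive plus a SHA-256 manifest, and a separate restore test unpacks the archive into a scratch directory and checks every file against the manifest, so a truncated archive or one whose contents have drifted from the manifest is flagged before you need it. It assumes POSIX sh, tar, mktemp and sha256sum (or shasum on macOS); the sample data in `demo` is constructed.

```shell
# Added example: a minimal restore test for a tar backup + SHA-256 manifest.
# Not the original post's code; assumes POSIX sh, tar, mktemp, sha256sum/shasum.

# sha256 checksum tool, whichever the host has (sha256sum on Linux, shasum on macOS)
sum_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# make_backup SRC_DIR ARCHIVE MANIFEST
# Records a checksum for every regular file under SRC_DIR (relative paths,
# sorted so the manifest is reproducible), then archives SRC_DIR.
make_backup() {
  src=$1 archive=$2 manifest=$3
  ( cd "$src" && find . -type f -print | LC_ALL=C sort ) | while IFS= read -r f; do
    ( cd "$src" && sum_cmd "$f" )
  done > "$manifest"
  tar -C "$src" -cf "$archive" .
}

# verify_restore ARCHIVE MANIFEST
# Restores ARCHIVE into a fresh scratch directory and checks every manifest
# entry there. Returns 0 only if the archive unpacks cleanly AND every listed
# file is present with the recorded checksum. An empty manifest also fails:
# a backup of nothing is not a backup.
verify_restore() {
  archive=$1 manifest=$2
  # absolute paths, because we cd into the scratch directory below
  case $archive in /*) ;; *) archive=$PWD/$archive ;; esac
  case $manifest in /*) ;; *) manifest=$PWD/$manifest ;; esac
  scratch=$(mktemp -d) || return 1
  status=0
  if ! tar -C "$scratch" -xf "$archive" 2>/dev/null; then
    echo "restore test FAILED: $archive does not unpack" >&2
    status=1
  elif ! ( cd "$scratch" && sum_cmd -c --status "$manifest" ); then
    echo "restore test FAILED: restored files do not match $manifest" >&2
    status=1
  else
    echo "restore test OK: $archive restores and matches $manifest"
  fi
  rm -rf "$scratch"
  return $status
}

# demo: constructed sample data, a good restore, then the two failure modes
# a DR exercise should catch: an archive that unpacks fine but no longer
# matches the manifest (silent drift/corruption) and a truncated archive.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/src/docs"
  printf 'Q3 client deck, v7\n' > "$work/src/docs/deck.txt"   # constructed sample
  printf 'db password: hunter2\n' > "$work/src/notes.txt"     # constructed sample
  make_backup "$work/src" "$work/good.tar" "$work/backup.sha256"
  verify_restore "$work/good.tar" "$work/backup.sha256"
  printf 'bit rot\n' > "$work/src/notes.txt"
  tar -C "$work/src" -cf "$work/drifted.tar" .
  ! verify_restore "$work/drifted.tar" "$work/backup.sha256"
  head -c 200 "$work/good.tar" > "$work/truncated.tar"
  ! verify_restore "$work/truncated.tar" "$work/backup.sha256"
  rm -rf "$work"
}

if [ "${RESTORE_DEMO:-0}" = 1 ]; then demo; fi
```

Run with `RESTORE_DEMO=1 sh restore_test.sh` to see one pass and two failures. The point of the design is that the manifest is written by the backup job and the restore test is a separate step with its own exit code, so it can gate the job in your scheduler: a backup whose restore test has not passed should be treated as no backup at all, and a schedule that never runs the test is the “DR policy nobody has tested” the post is warning about.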
But let’s look at our biggest risk — and our biggest asset: our people. Having learnt from the masters of manipulation at spy agencies like MI6 and GCHQ, Lockbit are actively recruiting disgruntled insiders to spread their malware for them. Every exec team leader, manager, and HR professional should be waking up in a cold sweat over this.
Just off the top of my head, a quick list of ways companies have undermined employee goodwill over the last year includes:
demanding people return to the office, when remote working clearly …… well, works.
reducing salaries for remote workers, while maintaining executive bonuses.
reducing bonuses and placing restrictive covenants for employee equity pay-outs.
forcing employees to sign new, unfavourable contracts, under threat of losing their jobs.
reducing rates and salaries for new hires because “they should be glad to have a job with COVID going on”.
Well done, everyone involved. You’ve just ensured that you will be at the top of the list on Lockbit’s ransom website. Probably not the press coverage you were hoping for your business — but all PR is good PR, right?
Instead, there are a couple of quick ways to ensure that anyone trying to co-opt your team is going to have a hard time.
Firstly, put your money where your mouth is, and actually prove you value your employees, rather than just limply repeating that phrase on endless press releases. Pay them what they’re worth, reward their hard work, support them with flexible working, and give them a proper share of your business’ success. Stop trying to squeeze every last possible bit of productivity out of your people at the cheapest price, and instead start treating them like the valuable assets they are.
Secondly, deal with bad apples properly. If someone is underperforming and needs to be let go, stop dragging it out: do it. Lock their accounts, take back all their devices, and shut them out of the company systems. Enforce gardening leave and cut them off from your data. The cost of paying someone to sit at home doing nothing for their notice period is far, far less than having to pay off a ransomware gang and then deal with the PR fallout.
Don’t get me wrong: yes, there are security tools that can help reduce the ransomware risk. But at root this is a people problem, and treating employees as assets rather than costs is going to be the best way of managing this increasing threat.
#cybersecurity #ransomware #securitytransformation