The Romantik Seehotel Jägerwirt in Turracher Höhe, Austria, has survived and thrived since the days of the Austro-Hungarian Empire, welcoming guests who enjoy skiing in luxury. But nothing in its 111-year history prepared it for the magnitude of the attack that crippled its computers in January 2017.
The ransomware attack targeted operational systems, and almost every aspect of the hotel was affected: The computerized key system was disabled. Reservations could not be located. Payments could not be processed. Packed to capacity and faced with paralysis during peak season, the hotel’s management had few alternatives. With every passing minute compounding the damage, the hotel paid the ransom.
The episode offers an unwelcome lesson: ransomware attacks increasingly target critical operations, rather than just back-office systems. And while an attack on the hospitality industry could pose a “Hotel California” scenario, locking guests into their rooms, one on a critical system at a hospital, for example, could have life-or-death consequences.
How does an organization handle this frightening new reality—a world with the risk of ransomware? Technical professionals know the advantages of best practices such as encryption, backups, redundancy, monitoring, and similar measures. However, as the CIA and NSA could testify, even the most robust technical defenses can be insufficient. Three simple practices can help.
Limit Electronic Integration
In an age of enterprise software, integration is often seen as the sine qua non of IT systems. However, organizations will want to consciously decide whether full electronic integration is desirable—and it’s not an easy judgment call. Too, the burgeoning Internet of Things offers an irresistible allure: even more data, from even more devices.
All an organization’s data can be analyzed and put to work as a tool to support client service and sales, in detecting and remedying potential problems, and in identifying, cultivating, and converting prospects. Moreover, data has direct monetary value: it can be “monetized” by being sold to others. Third-party brokers and other data vendors provide a ready market and are ever eager for every last byte.
Integrated systems greatly facilitate data collection, of course, so questioning the need for connectivity may seem counter-intuitive. But does a toaster really need to be connected to the Internet? It may make better toast. But it is also vulnerable to a ransomware attack: A low-grade attack could deny your customers toast until you pay up.
Just a toaster, you think? But what if a hotel’s refrigerators and ovens all shut down at once? What if a pharmacy’s drug compounding equipment can be hacked? Malicious attacks can present unforeseen risks—and an actual physical threat to customers and employees.
Certainly, remote connectivity can offer advantages. The Seattle Police Department recently recovered a stolen BMW by disabling it. The hapless thief was remotely locked inside the vehicle until officers arrested him. However, the same technology that enables police to apprehend a suspect may allow hackers to physically detain your customers or employees.
Such scenarios were speculative as recently as three years ago. But today businesses must weigh the vulnerabilities inherent in such connectivity against the potential gains. While the disabling of keys in the ransomware attack on the Romantik Seehotel Jägerwirt did not imprison guests, it did stop the front desk from coding new keys, and guests could not re-enter their rooms.
The hotel’s management found the decision to disconnect its key system easy: it is reverting to physical keys. Indeed, organizations ranging from the United States Navy, which has reintroduced celestial navigation, to the Kremlin, which has brought back typewriters, have recognized the advantages of limiting electronic integration.
Enable Manual Override
If limiting connectivity is not feasible, a second option is to ensure that critical systems include physical switches that can override ransomware locks. High-end systems, such as aircraft controls, already incorporate manual redundancy to handle emergency situations. In assessing their cyber vulnerabilities, businesses should map their critical-path systems—a regulatory mandate in the state of New York and in the European Union. If systems are entirely computer-controlled, manual overrides should be added at critical points.
Manual intervention gives organizations a potentially significant safeguard. Its effectiveness is compounded if, as is often the case, multiple computer systems are connected.
In regular operations, connected systems are a useful tool, providing more accurate assessments and enabling organizations to offset problems in one area with measures in another. But in a ransomware scenario, inter-system connectivity is a threat multiplier that can escalate a significant problem into a potentially catastrophic one. Ransomware injected into one system can cascade throughout the enterprise, shutting down work and leaving every system it touches at the mercy of the attackers.
The introduction of a manual “kill switch” significantly alleviates this problem. The manual workaround enables enterprise operations to proceed while buying management valuable time. Virtually all cars, for example, now incorporate a brake pedal specifically designed to override alternative commands.
Moreover, grafting a “one switch to kill them all” mechanism on top of existing systems is more economical than a systemic redesign.
Limit Internet Access
Third, an organization should consider limiting outside Internet access. Many companies devote considerable resources to protecting technology systems, yet the very computers employees use to control those systems are often connected to the Internet. When employees use them to check personal email or social media accounts, it represents a largely unguarded backdoor access point to the organization’s critical systems.
In my experience, many ransomware incidents are traced to an apparently innocuous email. While business email systems are not immune, their defenses are generally more robust than those of personal accounts. Organizations should consider limiting access to personal email and social media accounts on official computers. Many industries, including law firms and hospitals, already impose such restrictions.
The practices described above are not silver bullets: in today’s world, there are no guarantees of cyber safety. However, implementing these measures will strengthen cyber defenses. Simply by taking steps that others have not yet taken means an organization is no longer the lowest hanging fruit for hackers; that alone may divert ransomware efforts elsewhere.
At a minimum, these practices are low-cost methods for either avoiding a ransomware situation or improving your hand. As the Romantik Seehotel Jägerwirt learned, an improved hand is worth something.