Reducing the Impact of a Malware Attack
October 16, 2019
By: Mckay Hall
There are many cyber risks. Ransomware is one that has been around for a while, but it has been receiving increased media coverage this year as the number of local governments hit by ransomware increases. For anyone not familiar with ransomware, it’s malware that encrypts the information on your machine (and likely any network drives that machine has access to); you then have to pay a hacker some amount of money to have the hacker send you the digital key to unlock the computer (and likely any network drives). The ransom may be as low as a few thousand dollars, but one Florida city agreed to pay $600,000 to unlock its system.
So, if you can’t afford to pay out significant amounts of money, and live with the risk that hackers may be able to lock your system again when they need more cash, what do you do? While this is often an IT issue, there are certain accounting system principles that will help prepare an organization for the day it’s attacked.
Have you made certain you have solid general computer controls for your accounting system? These are generally broken down into: Logical Access, Change Management, Physical Access, Disaster Recovery, and Compliance. All have some level of applicability, but the one I’d like to touch on specifically is disaster recovery.
Within disaster recovery, there are two main items to consider: Backups and Incident Response. Each of these is a discussion topic on its own, but here are a couple of questions to consider and discuss with your IT department.
Backups: Do you know what information is being recorded in your backups? How often are the backups being run? How hard would it be to pull a portion of the recovery information from one set of backups and the remaining information from one or more other backups? How often is the information restored, to make certain the proper information is being recorded in the backups, and that the backups are good and information can be pulled when needed? Historically, backups have been used when machines die or files are accidentally deleted. If an organization is hit with ransomware, though, it may need to completely wipe its digital system and restore from backups. On top of that, the most recent backups may have the infection too, so the information may need to be pulled from older backups.
Disaster Recovery: Does the organization have a disaster recovery plan? How often is it reviewed? Are there tabletop walkthroughs, or simulations of incidents, allowing people to respond as they’ll need to when a real attack or disaster occurs? Disaster recovery is similar to driving a car. If the first time you get behind the wheel and actually drive is to try to make it down the interstate during rush hour traffic, it will be a horrific experience at best, and is likely to lead to another disaster. It’s important to have some experience and a feel for what to do when an organization needs to call on its disaster recovery plan(s).
Ransomware can be a devastating experience, and there’s no way to make sure it will never happen. However, proper controls and backups can help mitigate the risk and give a better chance of a quicker recovery.