South Africa’s risk managers – in fact, risk managers worldwide – are missing a trick in the wake of recent ransomware attacks such as WannaCry, Petya and NotPetya.
The trick, as elegant as it is inexpensive to implement, is escrow; more specifically active software escrow.
This is the message to risk managers everywhere from the director of a Cape Town-based firm that has been working with a network of specialist IT service providers in the Netherlands, Israel, Scandinavia, New Zealand and the Americas to mitigate the risk associated with information technology systems and ensure the business continuity of the companies that use them.
According to Escrow Europe’s Guy Krige, software escrow was referred to by Gartner just over five years ago as “a smart and effective component of a business continuity strategy that software licensees can use to protect their mission critical applications in an ever-changing environment.”
He maintains the same is true today: “Active software escrow not only provides rapid recovery should your systems fail, but also protects management from a negligence claim from shareholders and South Africa’s laws of good governance.
“The recent WannaCry ransomware attack that swept at tsunami speed through the computers of 100 countries in one weekend saw companies locked out of their business-critical IT including the NHS in the UK (reports and records blocked), Renault in France (suspended operations), Spain (gas and water utilities disrupted) and FedEx, to name but a few,” he said.
“The only way out was to pay up, earning the cyber-criminals a tidy $50 000 in bitcoin in two days, according to www.forbes.com.
“So, why did this happen if full protection was available? It appears that an it-won’t-happen-to-me attitude left companies dangerously exposed. Jason Bloomberg, writing for Forbes, suggested that executives were caught by surprise because they inaccurately weighed the risk of such an attack against the cost of the protection.
“The fact is that these risk managers missed a trick – the escrow trick.
“Escrow is the deposit, verification and vaulting of the developer version of your business-critical software by an independent and neutral escrow service provider. Should your system fail, an escrow means rapid access to a technically sound back-up, designed for disaster recovery.
“For the risk manager, escrow equates to the life vest under the aeroplane seat, or the fire extinguisher near the lift door. And the cost is, in corporate terms, negligible.”
According to the Risk Frontiers Africa 2017 survey, carried out by Commercial Risk Africa, cyber risks have shot up the risk register as companies recognise the huge threat to their business. It is not just about the technical failures in a system but also the reputational damage that can result. Reputational damage has become another major risk factor as social media evolves.
For the first time, Risk Frontiers Africa specifically asked risk managers about the cyber threat. An overwhelming number (82.4%) said the cyber threat to their business is increasing, with 11.3% saying the risk hasn’t increased and 6.3% unsure.
Added to that, 46% of respondents said that, on a scale of one to ten (with ten being the most extreme), the risk is from eight to ten in terms of severity to their business, and 12.5% said it is at the most extreme level of ten.
“Being aware of the threat is one thing; taking steps to protect the company and its business from that threat is another,” said Krige. “If you are a risk manager or a chief information officer, why not listen to Gartner and determine if escrow is the elegant, inexpensive trick you’ve been looking for?”