
In my previous blog, Ransomware: The 2nd Pandemic, I covered how, even in the midst of the COVID-19 pandemic, cyber criminals have no qualms extorting companies and in some cases individuals, for ransom payments to either decrypt their IT systems and/or prevent the selling or publication of sensitive data.

I also shared some key questions all business leaders in every organization must ask their Cyber Security and IT teams to establish a readiness to respond to ransomware attacks.

Let’s assume you have asked these questions, but you are none the wiser if the risk to your organization is mitigated or even controlled. Where do you start to address the issue at hand?

The Verizon 2020 data breach report indicated that 85-90% of ransomware campaigns work by targeting known vulnerabilities to gain initial access. These are existing issues or gaps in IT systems for which a fix is known, which indicates that much more can be done to combat the threat proactively and so reduce the likelihood of a ransomware attack being successful. And when (not if) a ransomware attack does succeed, steps taken in advance can reduce its impact and minimize business disruption.

Considerations to reduce the likelihood:

Immediate considerations

Some of the considerations to reduce the likelihood of a ransomware attack being successful are:

  • Audit your IT user account and privileges regularly. Determine who has access to your systems and whether they still require it.
  • Check who can access your most sensitive and/or confidential data and ensure that Multi-Factor Authentication (MFA), as a minimum baseline, has been applied to strengthen your identity and access management posture.
  • Enforce cyber security standards throughout your organization and strive to achieve certification or accreditation levels, e.g. ISO27001, NIST, CIS, etc.
  • Check if your end-user devices – laptops, tablets, smartphones, etc. – are security hardened and an Endpoint Detection and Response (EDR) solution has been deployed for wider visibility over these devices and what’s happening to them.
  • Make sure your IT team can monitor the network wherever remote working may take it, and that they can filter out anything malicious, address vulnerabilities, respond to events and maintain logs of what has happened.
  • Test the strength of your defenses and response by getting some ‘ethical hackers’ to play the role of a cybercriminal. This is known as penetration testing and can be used to probe your systems for common vulnerabilities and recommend fixes, test your own IT team's response, and train them in improving defenses and responses to reduce the impact of becoming the victim of a cyber-attack.
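The first two points above (auditing accounts and privileges, and checking MFA coverage on privileged access) are the kind of review that should be scripted rather than done by eye. The following is an added example, not code from the original post: it runs an audit over a constructed account export (the sample data, field names and the 90-day staleness threshold are assumptions) and flags stale accounts, privileged accounts without MFA, and stale privileged accounts that should be disabled or removed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    name: str
    privileged: bool          # member of an admin/privileged group
    mfa_enabled: bool         # MFA enforced on this identity
    last_login: Optional[date]  # None = never logged in


# Constructed sample export (not real data). In practice this would be
# produced from your directory or identity provider.
TODAY = date(2021, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", privileged=True, mfa_enabled=True, last_login=date(2021, 2, 27)),
    Account("bob", privileged=True, mfa_enabled=False, last_login=date(2021, 2, 20)),
    Account("svc-backup", privileged=True, mfa_enabled=False, last_login=date(2020, 9, 1)),
    Account("carol", privileged=False, mfa_enabled=True, last_login=date(2020, 10, 15)),
    Account("contractor1", privileged=False, mfa_enabled=False, last_login=None),
]


def audit_accounts(accounts: List[Account], today: date,
                   stale_days: int = 90) -> Dict[str, List[str]]:
    """Return {account name: [finding, ...]} for every account needing review.

    stale_days is an assumed policy threshold; adjust it to your own standard.
    """
    findings: Dict[str, List[str]] = {}
    cutoff = today - timedelta(days=stale_days)
    for acct in accounts:
        issues = []
        # An account that never logged in counts as stale too.
        stale = acct.last_login is None or acct.last_login < cutoff
        if stale:
            issues.append("stale: no login in %d days" % stale_days)
        if acct.privileged and not acct.mfa_enabled:
            issues.append("privileged account without MFA")
        if stale and acct.privileged:
            issues.append("stale privileged account: disable or remove")
        if issues:
            findings[acct.name] = issues
    return findings


def summarize(findings: Dict[str, List[str]]) -> Dict[str, int]:
    """Count accounts per finding type, for reporting to management."""
    counts: Dict[str, int] = {}
    for issues in findings.values():
        for issue in issues:
            key = issue.split(":")[0]
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    result = audit_accounts(SAMPLE_ACCOUNTS, TODAY)
    for name, issues in result.items():
        print(name, "->", "; ".join(issues))
    print(summarize(result))
```

Run this on a regular schedule and treat a non-empty result for privileged accounts as a ticket to action, not just a report.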

Medium-term considerations

  • Conduct phishing campaigns to continuously educate end-users on the dangers of this attack method, what to look out for and how to take appropriate action upon receiving phishing emails.
  • Develop and roll out cyber security eLearning modules focusing on social engineering, hacking, data privacy and cyber fraud.
  • Consider developing specialized cyber security training modules that target specific business roles and functions, whether the CEO, finance administrator or IT administrator, as each role faces different cyber challenges.
  • Consider the impact of a successful ransomware attack on your organization and identify possible courses of action. Think about key systems and services, stakeholders, vendors and suppliers.
  • Consider what your response metrics will be, how you can refine processes and critical training requirements, and how lessons learned may be captured and ‘playbooks’ developed to speed response.

Longer-term considerations

  • Consider how you can continuously improve your cyber maturity, reviewing annually to ensure that basic cyber and IT hygiene is at a minimum maintained, with improvement as the target.
  • Consider whether you would engage with a third party to frequently conduct an independent review of your organization’s cyber security posture and technical health.

Now that you have considered and implemented actions to reduce the likelihood of a ransomware attack being successful, you will need to accept the reality that it is only a matter of time before you will become a victim of a ransomware attack.

Effective response capabilities are essential to reduce the impact of a cyber incident. The following should be considered to maintain calm management of the incident, with practical advice on containment, mitigation and restoration of normal business operations.

The following reactive considerations will help you reduce the impact of a successful ransomware attack by getting a view of the immediate impact and risks, quickly investigating the geographical spread across networks, people and systems.

Considerations to reduce the impact:

Immediate considerations

Some of the considerations to reduce the impact of a successful ransomware attack are:

  • Ensure that, in the event other cyber security controls fail, good backups are available. This will enable you to restore and rebuild even if your organization suffers an otherwise unrecoverable ransomware attack.
  • Segregate your backups from your other systems so that they can’t be compromised by a network-wide ransomware incident.
  • Test your backups.
  • Consider the criticality of your systems. Which system has the most impact on business operations from being ‘down’ for the longest period? Which system should be restored first?
  • Consider the point in time that you wish to be able to restore from and how quickly the restore needs to be done.
  • Consider whether you would engage with a third party to fulfil this role and, if so, determine how you would engage with them rapidly and integrate them into your response.
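"Test your backups" only means something if the test is a real restore checked against a record taken at backup time, and the restore point is recent enough for the data loss you can tolerate. The block below is an added example and not code from the original post: it archives a small constructed data set, keeps a separate hash manifest (which, like the backups themselves, should live apart from production systems), restores the archive to a clean location and compares every file, then repeats the check against a tampered copy to show the failure being caught. The sample files, paths and the 24-hour recovery point used in the usage are assumptions.

```python
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime, timedelta


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir and return a manifest {relative path: sha256} taken at
    backup time. Store the manifest separately from the archive."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def verify_restore(archive_path, manifest, restore_dir):
    """Restore the archive into restore_dir and compare every file against the
    manifest. Returns a list of problems; an empty list means the test passed."""
    problems = []
    with tarfile.open(archive_path, "r:gz") as tar:
        for m in tar.getmembers():
            # Refuse members that would write outside restore_dir.
            if not m.isfile() or os.path.isabs(m.name) or ".." in m.name.split("/"):
                problems.append("unsafe member skipped: %s" % m.name)
                continue
            try:
                tar.extract(m, restore_dir, filter="data")
            except TypeError:  # Python without the 'filter' argument
                tar.extract(m, restore_dir)
    for rel, expected in manifest.items():
        restored = os.path.join(restore_dir, rel)
        if not os.path.exists(restored):
            problems.append("missing: %s" % rel)
        elif sha256_file(restored) != expected:
            problems.append("hash mismatch: %s" % rel)
    return problems


def restore_point_ok(backup_time, now, rpo):
    """True if the newest verified backup is within the recovery point objective."""
    return now - backup_time <= rpo


def run_demo():
    """Back up constructed sample data, verify a clean restore, then show the
    check failing against a tampered copy of the data."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as f:
            f.write("2021-02-01,invoice,1200\n")  # constructed sample data
        with open(os.path.join(src, "readme.txt"), "w") as f:
            f.write("constructed sample file\n")

        archive = os.path.join(work, "backup.tar.gz")
        manifest = make_backup(src, archive)
        good = verify_restore(archive, manifest, os.path.join(work, "restore1"))

        # Simulate corruption: alter a source file, archive again, and check the
        # new archive against the manifest recorded for the original backup.
        with open(os.path.join(src, "finance", "ledger.csv"), "a") as f:
            f.write("tampered\n")
        bad_archive = os.path.join(work, "bad.tar.gz")
        make_backup(src, bad_archive)
        bad = verify_restore(bad_archive, manifest, os.path.join(work, "restore2"))

        return {"files": len(manifest), "good_problems": good, "bad_problems": bad}


if __name__ == "__main__":
    print(run_demo())
    print(restore_point_ok(datetime(2021, 3, 1, 2), datetime(2021, 3, 1, 20), timedelta(hours=24)))
```

The same three checks (restore succeeds, content matches the manifest, backup age within the recovery point objective) are what a scheduled restore test should report on, so that "we have backups" is a verified statement rather than an assumption.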

Medium-term considerations

  • Create custom playbooks for each technology to assist with any containment, isolation, recovery, and remediation.
  • Consider a health check as a mechanism for discovering leading practices, such as defined and rehearsed actions for ransomware detection and recovery, while building or improving playbooks.
  • Be sure to dig your playbooks out regularly to exercise with them and feed back any possible improvements.
  • Consider the impact on your organization’s brand and reputation. Good communication to customers, stakeholders and the public can reduce the effects of such incidents. Consider the following:

—   Who will act as the public persona of the organization in such events?

—   Create pre-prepared content and plans that you can use to speed your response to such events.

  • Decide if you have the right capabilities in the organization, and if not, consult or engage others and work out how to get their support rapidly when, not if, needed.

Longer-term considerations

  • There may be a role for forensic investigation in any response. Think about what conditions will demand forensic investigation, including where the triggers and demands of such a view may come from: regulator, law enforcement, the board, insurers, etc.
  • Also consider:

—   Immediate costs: largely unavoidable costs that include business and media impact, plus the operational cost of restoring the confidentiality, integrity and availability of data and systems.

—   ‘Slow-burn’ costs: these vary depending on the incident severity but may include the cost of reimbursing victims/customers, litigation expenses and regulatory fines and penalties.

—   Policy requirements: more insurers are demanding a basic level of security as part of the policy. Make sure you satisfy the requirements.

  • During a ransomware attack, legal support becomes key in providing advice and counsel on many facets of the incident, from views on contractual customer and service provider liabilities to regulatory reporting and determining the legality of some actions in certain geographies, e.g. the paying of ransoms. Ensure your legal counsel has, or has access to, this specialist knowledge.

Globally, we have taken countless measures to reduce the likelihood and the impact of COVID-19 infections to protect ourselves, our families, communities and economies. The same actions are required to fight the second pandemic: RANSOMWARE.

Stay safe, on all fronts.