By RICHARD LONG
Over the past year, the COVID-19 pandemic has siphoned attention away from many other problems, including that of ransomware attacks—but organizations are still being locked out of their systems by hackers and told to “pay up or else.”
The COVID-19 pandemic has dominated media coverage over the past year while news of cyberattacks has received less attention. Nonetheless, “2020 was a great year for ransomware gangs” according to WIRED magazine, with schools, hospitals, and municipal governments being frequent targets. Many analysts predict such attacks will be even more common this year.
As the country starts to reopen, companies need to be more vigilant than ever about protecting their data.
Ransomware is a type of malware that infects the victim’s computer, encrypting critical data files and demanding that the victim pay a ransom to have the files decrypted. Ransomware attacks typically warn that if the ransom is not paid by a certain time, the files will be deleted or further corruption will occur.
Current guidelines are to not pay the ransom. Paying the ransom encourages further attacks, identifies your organization to hackers as a potential cash cow, and might not even get your files back.
Your goal should be to put your organization in a position where it is capable of following the guideline against paying when a ransomware attack occurs. (Notice that I said when, not if.)
Wouldn’t it be great if, when hackers demand that you pay them to get your files decrypted, you can safely ignore them?
This will be possible if, and only if, you have the proper plans and protections in place.
How to Protect Against Ransomware Attacks
The following are some things that you as a business continuity professional can do and advocate for to help protect your organization against ransomware attacks.
- Train the employees to be on guard against cyberthreats. A company’s employees are its best line of defense but also its weakest link. If we could only train people to stop clicking on unknown links, most attacks would be foiled. One of the most important actions a company can take to protect itself against cyberattacks is to provide frequent training and communication to employees on how to handle email and digital files. Hackers are becoming increasingly adept at using social engineering and publicly available information to send emails and place phone calls that seem legitimate. The importance of providing sound training in this area cannot be overstated.
- Establish file-sharing protocols and limitations. Setting these polices requires striking a balance between security and efficiency. Consider implementing policies about personal data and non-business data use. Because of the prevalence of personal cell phones, there is little reason for employees to use company equipment to stream music or non-business videos, read personal email, and so on.
- Set up filters, firewalls, and file scanning. If these are not in place and consistently reviewed, your organization is vulnerable and even basic malware can enter your digital environment. Given people’s propensity for clicking on unsafe links, the more limited their access, the less likely that a damaging click will occur.
- Keep software and patches up-to-date. While patching can take time and effort and is not without impacts, maintaining our environments is critical to warding off aggressive activity.
- Migrate from unsupported environments. Any environment that is no longer supported, whether it’s an operating system or an application, is a risk to your organization.
- Collaborate with the security and network teams. Consider talking to these teams about their plans for updates and modifications to the security architecture.
- Enforce “least privilege” to systems and services. Least privilege is the practice of restricting access for applications, services, and hardware to only those services or resources required to perform activities or actions. (For example, application access does not require database access and database access does not require server access.) Keep access for each person to the bare minimum necessary for them to do their job.
- Consider implementing “zero trust” security. According to the NIST, “zero trust security assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location or on asset ownership.” Zero trust focuses on protecting resources rather than network segments.
- Implement immutable backups. Immutable or air-gapped backups are not accessible on the network and are thus safe from ransomware. These backups may be slightly less current, but some data loss may be better than complete data loss.
- Test the restore process of the backups. Almost all organizations can back up data. Relatively few can actually ensure the ability to restore from a backup.
- Develop the capability to segregate infected and non-infected devices.
- Develop the capability to shut environments down quickly. Do you have shutdown procedures for your applications and environments? This may be the best defense in preventing the spread of an attack. The longer systems are up and potentially communicating, the faster malware can spread.
- Perform penetration testing and address identified gaps.
- Develop a cybersecurity plan that includes measures to protect against ransomware. These plans identify actions, including communications internally and externally, plans for team responses, external resources to call in, and specific milestones or triggers so there is no need to figure things out ad hoc.
- Perform a due-diligence assessment of your access and data security on a regular basis. You should do this even if you feel you are prepared and ready. Your organization is more likely to experience a malware attack than any other type of outage or crisis event.
Practicing Digital Self-Defense
Even as the world’s attention was focused on the COVID-19 pandemic over the past year, hackers were busy launching ransomware attacks against schools, hospitals, and municipalities, among other targets. Such attacks are expected to be even more widespread in the coming year.
Business continuity professionals should anticipate that their organizations will eventually come under attack. To avoid ending up at the mercy of a gang of digital thugs saying “Pay up or else,” every organization should practice digital self-defense by taking the steps outlined above.
Helpful Government Resources
- Internet Crime Complaint Center (IC3): Ransomware Fact Sheet
- Cybersecurity and Infrastructure Security Agency: Ransomware Guidance and Resources
- NIST: Computer Security Resources Center: Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
For more information on defending against ransomware attacks and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS:
- Attack of the Black Swans: When Strange Things Happen
- 8 Bad Things: The Most Common Business Continuity Threats
- What BC Professionals Can Do to Help Guard Against Cyberattacks
- Crisis Response in Today’s Breakneck World
- Driving Blind: The Problem with Skipping the Threat and Risk Assessment
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.