
Ransomware Is Everywhere — Here’s What You Need To Consider

Published 01 - June - 2021
Source: Forbes

Steve Durbin is Chief Executive of Information Security Forum. He is a frequent speaker on the Board’s role in cybersecurity and technology.

Though the risk of ransomware is very real, you can reduce it dramatically by considering how best to handle it, building your defenses and planning your response.

The threat of ransomware is ever present and it’s growing. There have been more than 4,000 ransomware attacks every day since 2016, according to an interagency U.S. government report. The response to these attacks has varied widely, with the least prepared organizations often paying the ransom demanded.

The potential damage is enormous. According to Coveware, the average cost to pay a ransom is $154,108, with an average downtime of 21 days. Organizations of all sizes must put resources into building resilience against ransomware.

Craft a reasoned strategy, put protections in place and test your defenses or you may find that your organization cannot recover.

To Pay Or Not To Pay

The first thorny question that arises in the face of a ransomware attack is whether to pay the ransom. Unfortunately, paying has a lot of downsides and relatively few upsides. For starters, if you pay the ransom, you’re sending out a dangerous message to criminals that you will play ball. The inevitable consequence is that they’re far more likely to target your sector or attack your organization again in the future.

Ethically, you must consider where the ransom money is going. Is the attacker a criminal gang or perhaps a terrorist organization? There may even be legal consequences if you are later found to have funded terrorism.

Finally, an issue that’s often missed in this scenario is that, although paying the ransom usually means you’ll receive a functioning decryption tool, this doesn’t instantly return things to normal, and you will have to allocate more resources to recover properly. Apart from the risk that the tool doesn’t work, you may face a logistically tricky task in simply entering all the keys on your various devices. Once this is done, there’s still the pressing concern of tracing and mitigating the original breach that led to ransomware gaining a foothold in your network.

Reporting Ransomware Attacks

While it may be tempting not to report a ransomware attack to avoid reputational damage, it’s crucial that you do. When organizations quietly pay, perhaps fearing regulatory wrath, they put everyone at greater risk. Threat actors share intelligence and if we don’t do the same, there’s a tangible risk they can run the same scams and attacks on multiple organizations and partners. Sharing information about ransomware attacks allows the Justice Department to issue warnings and advise others on how to better prepare and defend against them.

There are also regulatory requirements to think about, especially if you’re operating in several jurisdictions. It’s best to be open and honest, even if you aren’t sure whether data was exfiltrated. It’s smart to make some provision for reporting and coordinating with regulators because a flood of incoming queries when the news breaks could prove difficult to handle if you don’t have clear plans and responsibilities in place.

Guarding Against Ransomware

There are several preventive measures and precautions you can take to reduce the risk of a ransomware attack and to ensure business continuity should the worst happen. These three are crucial to emerging successfully:

• Maintain a proper backup: Regular and comprehensive backups don’t have to be especially expensive, and they will pay for themselves many times over if an attack does breach your defenses. Because there’s often a gap between infection and discovery, multiple historic backups from several points in time are the way to go.

• Patch continuously: Known vulnerabilities are low-hanging fruit for attackers, so you must work hard to keep software up to date and systems patched with the latest releases, which will often contain security fixes. Even though it takes time and there will always be some unpatched devices, having a clear picture of what’s patched and unpatched can also help you trace and remediate after an attack.

• Maintain an up-to-date asset list: Without an accurate asset list, you will struggle to prevent or recover from a ransomware attack.

There are many other things to consider here, from better security awareness training to phishing filters for email to anti-malware tools, but they should build on top of these three basic concepts.

Plan And Rehearse Recovery

To give your workforce the best chance of handling a ransomware attack gracefully and with the minimum disruption, you must put clear procedures in place and ensure people understand their responsibilities. The only way to build confidence in your plan and expose areas that need to be addressed is to test it. Rehearse as realistically as you dare and then go a bit further. Practice builds confidence and makes it clear that recovery is possible.

Consider Cyber Insurance

While cyber insurance can be a useful add-on to lower business risk, it should never be seen as an alternative to a comprehensive strategy like the one discussed here. Seeking cyber coverage has an added benefit that is easily overlooked, and that’s the audit and assessment the insurer will invariably carry out. Carriers are motivated to minimize their own risk and will do their utmost to point out systemic weaknesses and vulnerable threat areas that require attention.

If you put all these controls in place, your efforts to get cyber hygiene right and make things difficult for would-be attackers will be aptly reflected in the premium your insurer charges.