Ransomware: Don’t just accept the risk


Enterprise risk management (ERM) recognizes four responses to risk:

  • Prevent, aka Avoid: Reduce the odds of the risk turning into reality.
  • Mitigate: Reduce the damage should the risk turn into reality.
  • Insure: Share the cost of the damage should the risk turn into reality.
  • Accept, aka Hope: Do nothing, figuring the cost of prevention, mitigation, and insurance exceeds the cost of the damage should the risk turn into reality.

Which brings us back to what you ought to do about ransomware.

Last week’s KJR provided a starting point for recognizing that Accept is an unacceptable response. “Oh, dear, there’s nothing we can do except hope, and pay the ransom if we have to,” is just plain wrong.

In cop shows, kidnappers provide “proof of life” before anyone pays the ransom. There’s no such thing as proof of life following a ransomware attack; no reason to expect attackers to follow through on their restoration promises.

That leaves Prevent, Mitigate, and Insure. This week we’ll go deeper on these subjects, courtesy of my There’s No Such Thing as an IT Project co-author Dave Kaiser. Dave?

# # #

Here are some ways to prevent and mitigate an attack:

Prevent: To reduce the odds of successful ransomware penetration, create a very hard exterior defense:

  • The biggest challenge with ransomware is that most victims have no idea that they’ve been penetrated, let alone when. We’ve seen lags as long as six months between infection and discovery. If you detect it anywhere, infer it’s everywhere.
  • Remove admin rights from all PCs. This is critical, as PCs remain the #1 entry point, mostly via phishing attacks.
  • Block executable files at the firewall so users can’t install them without assistance.
  • Run an enterprise-grade PC/Server protection software system (my company uses CrowdStrike). Norton isn’t an enterprise-grade match for the newer, more sophisticated attacks.
  • Segment your network and have tight rules on what traffic can flow from PCs to your backbone and cloud servers.
  • Require multi-factor authentication for any web-facing email (including Microsoft 365), and for all system logins as well.
  • Filter all email through a filtering service. Even the best of these services can’t eliminate phishing attacks, but they do improve the odds.
  • Conduct quarterly (at least) phishing tests with your employees. Provide additional training for any employee who falls for the simulated attacks. While you’re at it, test your employees for vishing (voice phishing) attacks too.
  • Engage a white-hat service to continually attempt to break into your network. Also conduct an annual deep dive security audit.
  • Put a law firm specializing in this area on retainer. The legal challenges are complex, especially as applicable laws and regulatory requirements vary from state to state.
  • Physical security: For intruders, “tailgating” into a victim’s offices and sitting down at an unoccupied, logged-in computer is still a popular intrusion strategy.
  • Finally, patch, patch, and patch. Patching is critical, especially for preventing zero-day attacks.

Mitigate: To reduce the damage from a ransomware attack, take steps to recognize attacks early and facilitate rapid restoration:

  • Run a tool that monitors the network for suspicious activity. The tool you select should be AI/machine-learning-based, capable of autonomously discovering good versus bad patterns.
  • Deploy honeypots. Only intruders will hit these, warning you you’re being targeted.
  • Snapshot your data frequently. Snapshots can help you determine when malicious encryption began, supporting both data and system recovery. Back up your data too, of course, but when you’re trying to recover it from a ransomware attack, you’ll find snapshots are sometimes more valuable.
  • Establish IT security breach procedures and document trails.
  • Operations staff should practice tabletop ransomware recoveries at random times – “pop quiz” style.
  • Everyone else needs to plan how they’ll limp along until their systems and data have been restored.
  • Make recovery plan updating a CAB (change advisory board) responsibility so recovery plans don’t get outdated.
  • Keep your platforms and applications current. If you don’t or can’t, reinstalling them might not be possible – the versions you were running may no longer be available from the vendor and your installation files may be corrupted. Server snapshots and change logs are essential.
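As an added illustration of the snapshot point above (example code written for this page, not from the post or from Dave’s company): it compares a series of point-in-time snapshots and reports the first one in which a meaningful share of files was rewritten as high-entropy data, which is what ransomware leaves behind, so the snapshot before it becomes the restore point. The manifest format, the entropy threshold and the sample file share are assumptions made for the example.

```python
import math
from collections import Counter

# Assumed manifest format (not from the post): one snapshot is a dict
# {path: entropy_of_content}; a series is an ordered list of (label, manifest).

def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Text, CSV and source typically score 4-6;
    encrypted or compressed data scores close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def manifest(files: dict) -> dict:
    """Build a snapshot manifest from {path: content_bytes}."""
    return {path: shannon_entropy(content) for path, content in files.items()}

def flipped_to_ciphertext(prev: dict, curr: dict, threshold: float = 7.5) -> list:
    """Paths that existed in the previous snapshot, changed, and are now
    high-entropy: the signature of files being rewritten as ciphertext.
    Formats that are compressed at rest (zip, docx, jpeg) sit near 8 already,
    so the value must also have changed; in practice track renames and new
    extensions as well."""
    return [p for p, e in curr.items()
            if p in prev and prev[p] != e and e >= threshold]

def first_encrypted_snapshot(series: list, ratio: float = 0.2):
    """Return (first_bad_snapshot, last_clean_snapshot), or None if no
    snapshot shows at least `ratio` of its files flipping to ciphertext."""
    for (prev_label, prev), (label, curr) in zip(series, series[1:]):
        if prev and len(flipped_to_ciphertext(prev, curr)) / len(prev) >= ratio:
            return label, prev_label
    return None

# Constructed sample: five daily snapshots of a small file share.
DOC = b"Quarterly revenue summary, reviewed by finance. " * 40
CIPHER = bytes(range(256)) * 8      # stand-in for encrypted output (entropy 8.0)
clean = {f"share/report{i}.csv": DOC for i in range(5)}
day4 = dict(clean, **{"share/report0.csv": CIPHER, "share/report1.csv": CIPHER})
day5 = {p: CIPHER for p in clean}
SERIES = [(f"day{i}", manifest(clean)) for i in range(1, 4)]
SERIES += [("day4", manifest(day4)), ("day5", manifest(day5))]

if __name__ == "__main__":
    print(first_encrypted_snapshot(SERIES))   # ('day4', 'day3')
```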

Buy cyber security insurance. If you do decide paying the ransom is the prudent course of action, and/or you have to pay penalties for one reason or another, it will help defray the costs. Your cyber insurance company can also provide prevention, mitigation, and response expertise in the event of a breach.

Dave’s last word:

  • Align ransomware recovery priorities with those defined in your business continuity plan. You won’t be able to recover by flipping a switch. Your business continuity plan will help you with triage.
  • Have a forensics firm under contract and on speed dial. You want them to know you and help you prepare for a ransomware hit by determining in advance what logging they’ll need in the event of a breach.
  • Remember that perfect is the enemy of good. Insisting on unbreakable protection will interfere with establishing better protection.

Bob’s sales pitch: Dave and I hope it’s clear that ransomware isn’t an attack on your company’s information technology. It’s an attack on your company.

That’s one more reason the old-fashioned view that IT has to be “aligned” with the business is inadequate. Check out my recent CIO.com article, “The hard truth about business-IT alignment,” for guidance on how to go beyond alignment, to integrate IT into the business.

Comments (4)

  • Ransomware will blindside you when you least expect it.

    BACKUP early
    BACKUP often
    BACKUP again
    Do it to real hardware media not some cloud thingie somewhere.
    That includes your full bootable opsys disk image not just data
    And then back them up too while keeping duplicate copies offsite.

    Use MBAM

    The problem can not be stopped like you suggest with exterior defense.
    Firewalls and passwords are useless kabuki theatre.
    I saw my company get hit when a contractor clicked on an enticing email link and then it spread.
    You will need interior defenses.
    Or Get MBAM anti ransomware.
    And strip all clickable links off all emails and website pages being accessed.

    Email filtering filters out good emails more than bad ones.
    MIT showed that you must check emails at the end point not in the middle.
    Which brings us back to contractors, and also employees who are careless.

    Never patch.
    I have encountered more and worse problems with patches and fixes.
    Get an absolutely secure system.
    YES! They can be ARCHITECTED then designed and finally built to be absolutely safe.
    It will take some work and a few years of time to do the new chips and software the architecture will require as well as set up secure locations to do the work and set up people safeguards.
    But it is doable — if NSA would actually let you do it.
    Remember NSA built the first computer virus (that I know of ) that attacked IBM 360 Opsyses.
    They might have done it earlier but I can not verify that myself.

    AI/machine learning can not learn or stop ransomware.
    You might be able to stop the old one again, if you reuse the same environment but not a new one.

    There are no recoveries for ransomware whether by IT or any other means that will always work.
    Certainly not from some tabletop play group.

    forensics firm?
    again ROTFLMAO
    There won’t be anything for them to analyse that will help you.

    NOT having totally secure unbreakable protection will always leave you at risk.
    Join other companies and set up a consortium that will finally ARCHITECT, design and then build to spec without deviation a totally secure system. If enough enterprises pool resources and work together, the cost will be far cheaper than what is being done now, and in a few years problems like ransomware will be moot.

  • Thanks Bob and Dave for providing approaches to prevent, and deal with, ransomware attacks. These all sound like really good ways to operate when you are a large company with the resources to put these elements in place. However, what approach would you recommend for a small business with 1 – 2 employees and no dedicated IT department? Many thanks! — Bert

  • Dave and Bob,

    Thanks for pulling together this comprehensive list. Usually IT and business leaders hear about only a couple at a time. These are all low-cost, low-effort measures that would substantially reduce an organization’s cybersecurity risk profile.

  • Hi Bert –

    You make a great point where best practices and best fit do not align. Sadly in the current state of cyber security, insurers are enforcing best practices to get coverage. This will be a huge challenge for smaller businesses.

    In your position, I would do two things.

    1. Do your own risk assessment and rank the risks by probability and severity. That helps you use the resources you have. For example, patching would rank very high for me for a small business, as would protecting email.

    2. Engage a security company to assist you. There are many cloud-based solutions that can help with little work for you. An example is Proofpoint which is a very effective email tool for phishing. A security company can also do an annual audit for you to help you understand your greatest risks and identify mitigations.

    One other note, if you can get cyber insurance, many of the insurers offer a wealth of resources to help businesses become more secure.
