Enterprise risk management (ERM) recognizes four responses to risk:
- Prevent, aka Avoid: Reduce the odds of the risk turning into reality.
- Mitigate: Reduce the damage should the risk turn into reality.
- Insure: Share the cost of the damage should the risk turn into reality.
- Accept, aka Hope: Do nothing, figuring the cost of prevention, mitigation, and insurance exceeds the cost of the damage should the risk turn into reality.
Which brings us back to what you ought to do about ransomware.
Last week’s KJR provided a starting point for recognizing that Accept is an unacceptable response. “Oh, dear, there’s nothing we can do except hope, and pay the ransom if we have to,” is just plain wrong.
In cop shows, kidnappers provide “proof of life” before anyone pays the ransom. There’s no such thing as proof of life following a ransomware attack; no reason to expect attackers to follow through on their restoration promises.
That leaves Prevent, Mitigate, and Insure. This week we’ll go deeper on these subjects, courtesy of my There’s No Such Thing as an IT Project co-author Dave Kaiser. Dave?
# # #
Here are some ways to prevent and mitigate an attack:
Prevent: To reduce the odds of a successful ransomware penetration, make initial access as hard as you can:
- The biggest challenge with ransomware is that most victims have no idea they’ve been penetrated, let alone when. We’ve seen lags as long as six months between infection and discovery. If you detect it anywhere, assume it’s everywhere until forensics proves otherwise.
- Remove admin rights from all PCs. This is critical, as PCs remain the #1 entry point, mostly via phishing attacks.
- Block executable downloads and attachments at the firewall, web proxy, and email gateway so users can’t install software without assistance.
- Run an enterprise-grade PC/server protection (endpoint detection and response) system (my company uses CrowdStrike). Norton isn’t an enterprise-grade match for the newer, more sophisticated attacks.
- Segment your network and have tight rules on what traffic can flow from PCs to your backbone and cloud servers.
- Require multi-factor authentication for any web-facing email (including Microsoft 365), for remote access such as VPN and remote desktop, and for all system logins as well.
- Filter all email through a filtering service. Even the best of these services can’t eliminate phishing attacks, but they do improve the odds.
- Conduct quarterly (at least) phishing tests with your employees. Provide additional training for any employee who falls for the simulated attacks. While you’re at it, test your employees for vishing (voice phishing) attacks too.
- Engage a white-hat service to continually attempt to break into your network. Also conduct an annual deep dive security audit.
- Put a law firm specializing in this area on retainer. The legal challenges are complex, especially as applicable laws and regulatory requirements vary from state to state.
- Physical security: For intruders, “tailgating” into a victim’s offices and sitting down at an unoccupied, logged-in computer is still a popular intrusion strategy. Enforce short automatic screen-lock timeouts so an unattended PC doesn’t stay logged in.
- Finally, patch, patch, and patch. Patching is critical: most ransomware gets in through vulnerabilities for which a fix already exists. Patching can’t stop a true zero-day (by definition there is no fix yet), but patching promptly once the vendor ships one closes the window attackers rely on.
Mitigate: To reduce the damage from a ransomware attack, take steps to recognize attacks early and facilitate rapid restoration:
- Run a tool that monitors the network and endpoints for suspicious activity. Favor one that baselines normal behavior and alerts on deviations (rapid mass file modification, unusual lateral connections) rather than relying on signatures alone; vendors label this AI/machine learning, and whatever the label, it should not depend on you writing every rule by hand.
- Deploy honeypots. No legitimate user or process has any reason to touch them, so any connection to one is a high-fidelity warning that you’re being targeted. The only expected noise is your own vulnerability scanners; exclude those and treat everything else as hostile.
- Snapshot your data frequently. Snapshots can help you determine when malicious encryption began, supporting both data and system recovery. Back up your data too, of course: snapshots live on the same storage as the data, and attackers who gain storage-admin rights routinely delete them, so keep backups that are offline or immutable and that the attacker cannot reach with stolen credentials. Still, when you’re trying to recover from a ransomware attack, you’ll find snapshots are sometimes more valuable because they’re faster to roll back and show you the exact point the damage started.
- Establish written IT security breach procedures and keep a document trail (who did what, when, and what they observed) so you can reconstruct events afterward.
- Operations staff should practice tabletop ransomware recoveries at random times – “pop quiz” style.
- Everyone else needs to plan how they’ll limp along until their systems and data have been restored.
- Make recovery plan updating a CAB (change advisory board) responsibility so recovery plans don’t get outdated.
- Keep your platforms and applications current. If you don’t or can’t, reinstalling them might not be possible: the versions you were running may no longer be available from the vendor, and your installation files may be corrupted or encrypted along with everything else. Server snapshots and change logs are essential.
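As an added illustration of two items in the Mitigate list (recognizing an attack early from monitoring and honeypots, and using the onset time to pick a snapshot to restore), here is a small detector that is not part of the original post or any product mentioned in it. It reads constructed file-activity log lines, flags any access to a honeypot (“canary”) file and any burst of writes to unfamiliar file extensions from one host, and then names the latest snapshot taken before the first sign of trouble. The log format, canary paths, extension allow-list, thresholds, and snapshot times are all assumptions for the example.

```python
"""Added example (not from the KJR post): early ransomware detection over
constructed file-activity logs, plus choosing a clean snapshot to restore."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions for the example: extensions normally written on the shares,
# honeypot files nobody legitimately opens, and a burst threshold/window.
KNOWN_EXTS = {"xlsx", "docx", "pptx", "pdf", "txt", "csv"}
CANARY_PATHS = {"/shares/hr/_canary_do_not_open.docx", "/shares/finance/_canary.xlsx"}
WINDOW = timedelta(seconds=10)   # look-back window per host
BURST_THRESHOLD = 5              # suspicious writes inside WINDOW -> alert

# Constructed log: "<ISO timestamp> <host> <op> <path> [<new_path for RENAME>]"
SAMPLE_LOG = """\
2024-03-01T09:00:01 ws-17 WRITE /shares/finance/q1.xlsx
2024-03-01T09:00:05 ws-17 WRITE /shares/finance/notes.txt
2024-03-01T11:42:10 ws-42 READ /shares/hr/_canary_do_not_open.docx
2024-03-01T11:42:11 ws-42 RENAME /shares/hr/payroll.xlsx /shares/hr/payroll.xlsx.lockd
2024-03-01T11:42:12 ws-42 RENAME /shares/hr/benefits.docx /shares/hr/benefits.docx.lockd
2024-03-01T11:42:13 ws-42 RENAME /shares/hr/handbook.pdf /shares/hr/handbook.pdf.lockd
2024-03-01T11:42:14 ws-42 RENAME /shares/hr/org.pptx /shares/hr/org.pptx.lockd
2024-03-01T11:42:15 ws-42 RENAME /shares/hr/readme.txt /shares/hr/readme.txt.lockd
2024-03-01T11:42:16 ws-42 WRITE /shares/hr/README_TO_RESTORE.txt
2024-03-01T11:42:17 ws-42 RENAME /shares/hr/offer.docx /shares/hr/offer.docx.lockd
"""
# Constructed snapshot schedule for the same day
SAMPLE_SNAPSHOTS = [datetime.fromisoformat(s) for s in
                    ("2024-03-01T08:00:00", "2024-03-01T10:00:00", "2024-03-01T12:00:00")]

LINE_RE = re.compile(r"^(\S+) (\S+) (WRITE|RENAME|READ) (\S+)(?: (\S+))?$")


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, op, path, new_path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "op": op,
            "path": path, "new_path": new_path}


def extension(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(log_text):
    """Return alerts as (timestamp, host, kind, path) tuples, in log order.

    kind 'canary': any operation touching a honeypot file.
    kind 'burst' : BURST_THRESHOLD writes/renames to unfamiliar extensions
                   from one host within WINDOW; timestamp is the burst's first event.
    """
    alerts = []
    recent = defaultdict(deque)  # host -> timestamps of recent suspicious writes
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        target = ev["new_path"] or ev["path"]
        if ev["path"] in CANARY_PATHS or target in CANARY_PATHS:
            alerts.append((ev["ts"], ev["host"], "canary", ev["path"]))
        if ev["op"] in ("WRITE", "RENAME") and extension(target) not in KNOWN_EXTS:
            q = recent[ev["host"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:   # drop events outside the window
                q.popleft()
            if len(q) == BURST_THRESHOLD:           # fire once as the threshold is crossed
                alerts.append((q[0], ev["host"], "burst", target))
    return alerts


def encryption_started(alerts, host):
    """Earliest alert time for a host, i.e. the latest moment its data was known clean."""
    times = [ts for ts, h, _, _ in alerts if h == host]
    return min(times) if times else None


def snapshot_to_restore(snapshots, started):
    """Latest snapshot strictly before the first sign of trouble (None if none predates it)."""
    earlier = [s for s in snapshots if s < started]
    return max(earlier) if earlier else None


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for ts, host, kind, path in found:
        print(ts.isoformat(), host, kind, path)
    onset = encryption_started(found, "ws-42")
    print("first sign of trouble:", onset, "-> restore from", snapshot_to_restore(SAMPLE_SNAPSHOTS, onset))
```

The canary rule fires on the first suspicious event at 11:42:10, a second before the bulk renames begin, which is the point of honeypots: they give a timestamp you can trust before the encryption burst is even visible. The burst rule then reports the time of the first rename, not the fifth, so the onset estimate isn’t skewed late by the threshold. Feeding a real SIEM’s file-audit events into the same two rules, with the allow-list and threshold tuned to your environment, is the practical version of this.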
Insure: Buy cyber security insurance. If you do decide paying the ransom is the prudent course of action, and/or you have to pay penalties for one reason or another, it will help defray the costs. Read the policy closely for what it excludes and what controls (MFA, backups, endpoint protection) it requires you to have in place; a claim can be denied if you didn’t. Your cyber insurance company can also provide prevention, mitigation, and response expertise in the event of a breach.
Dave’s last word:
- Align ransomware recovery priorities with those defined in your business continuity plan. You won’t be able to recover by flipping a switch. Your business continuity plan will help you with triage.
- Have a forensics firm under contract and on speed dial. You want them to know you and help you prepare for a ransomware hit by determining in advance what logging they’ll need in the event of a breach.
- Remember that perfect is the enemy of good. Insisting on unbreakable protection will interfere with establishing better protection.
Bob’s sales pitch: Dave and I hope it’s clear that ransomware isn’t an attack on your company’s information technology. It’s an attack on your company.
That’s one more reason the old-fashioned view that IT has to be “aligned” with the business is inadequate. Check out my recent CIO.com article, “The hard truth about business-IT alignment,” for guidance on how to go beyond alignment, to integrate IT into the business.