Every 11 seconds, a ransomware attack occurs. Organizations now face the daunting reality that no longer is the question “if” a ransomware attack will happen; now, it is only a matter of “when” they will get hit. Is there anything you can do when you know the enemy is at the gate? The answer is a resounding “Yes.” The steps your organization takes (or doesn’t) can make a difference in preventing attacks and mitigating damage. What you do now will impact your business continuity as well as the speed of your recovery. Learn the five best practices to help your organization survive a ransomware attack.
Protection against ransomware can be boiled down to a few simple steps. While the steps are simple, implementing them and instilling the discipline to follow them is hard. The mindset needed should be developed and relentlessly followed. These steps not only protect an organization but also protect against any external threats.
Be ready to restore: Assume your systems and applications are rendered inoperable. Feeling helpless versus starting the recovery process depends on your readiness and access to quality backups. Create a reliable and “air gapped” backup for all your critical systems. Test them often. Execute and stress test the recovery process. Remember the organization will be under severe duress when the event happens. The recovery process, timelines and communication system should be well documented and understood. Plan for a hiccup or a few. You are and remain in control as long as the data is encrypted, and the backups are in place.
Assume that no user can be trusted. Insider threats are the next largest cybersecurity concern after ransomware threats. This is because an insider threat is the most frequent means
Practice 1: MFA
Attackers exploit the weakest link to gain access to your systems. Often this comes from stolen or phished credentials. Phishing attacks account for 22% of all breaches. Chances are your organization has already faced numerous phishing attempts; according to Proofpoint, over 75% of organizations experience a phishing attack. Criminals that are using these stolen credentials, masquerade as legitimate users to slip through security. This same technique is used to access internal systems and upload infected files into trusted organizational data stores.
Multi-factor authentication (MFA) makes it harder to use stolen credentials. MFA requires an additional factor, such as a secret key from a device or email confirmation, to allow the account access. MFA is commonly achieved through apps tied to the users’ phones. So even if they steal account credentials, the lack of MFA validation renders them useless.
Practice 2: Encryption
Protect your data: assume that every external security protection you have will fail. This usually happens when you are hit by ransomware. What is your failsafe? What are you trying to protect? Use encryption to keep data protected at all times. This will be your failsafe when all else fails.
Encryption may not be your first thought for ransomware protection, but it’s essential. Traditional encryption solutions are inherently flawed as they only protect data while it is at rest or in motion. They do not protect data that is in use by keeping it encrypted – in use here refers to data that is being analyzed or queried. Due to this, encryption technology is often dismissed as a legacy security tool. However, there are revolutionary encryption solutions that ensure data is protected all the time, regardless of where it is located – even while it is being queried or shared with downstream systems.
When attackers are being prevented from the ability to access, use, or release an enterprise’s data even after it’s stolen, an attacker has much less leverage to hold an enterprise at ransom. Data is rendered useless and cannot be released to the public.
Practice 3: Log and Usage Analysis
Monitoring what happens not just on your network level, but more importantly at the data level is crucial for detecting ransomware attacks early on. Organizations can identify suspicious behaviors using automated log collection and analysis tools. Many systems can use suspicious behavior as a trigger for alerts that indicate a potential attack. Traditionally, organizations had no means of detecting anomalies at the data level. Modern data protection technology allows organizations to not only detect repeated accessing of structured and unstructured data, but also to alert security teams and stop malicious behavior in its tracks via machine learning. Organizations are able to evaluate anomalies and review automated threat scores. This can be risk-based alerting, where attributes are included versus auto mitigation techniques derived from a data protection platform that can be tied into current SIEM solutions.
Practice 4: Harden the Infrastructure
Security gaps can be deadly. Cybercriminals find existing vulnerabilities in your infrastructure and exploit them. According to Veracode, 80% of attacks use known vulnerabilities more than three years old. Many of these have existing patches to remediate risk, but the patches were never applied. Unpatched exploits invite attackers to help themselves to your valuable data or take your systems hostage.
Simple patch management is by far the easiest solution security boost. Numerous enterprise tools will automate the detection, distribution, and application of patches. Keeping systems and applications up to date removes an easy attack vector and helps keep cybercriminals out.
Practice 5: Backups
Security is not 100% bulletproof. Remember that no longer is the question “if” a ransomware attack will occur; it’s only “when.” The painful fact is that ransomware will sometimes get through your defenses despite proactive measures to prevent it. In these cases, the worst thing that an organization can do is to pay the ransom. Doing so only emboldens the criminals and provides capital to continue funding the development of new exploits and more dangerous ransomware.
Instead, businesses need to have solid, recent backups for all of their critical assets. Taking periodic backups and storing them in a separate location creates insurance against data loss. Rather than paying the ransom, organizations can fall back to restoring backups once the infected systems are rebuilt. This is a critical part of your disaster recovery plan and ability to get systems back up and running as quickly as possible.
The foremost part of preventing ransomware is making your organization an unappealing, difficult to penetrate target. Implementing simple practices that make it harder for bad actors to get in and deploy attacks reduces your risk. Taking a data-first approach that secures data at the data-level in addition to securing the network-level, organizations can continue daily business without concern that data is left vulnerable at the source. Attackers look for soft targets because they gain more with less work. The practices listed above are not complex and, in many cases, are already part of existing IT best practices. But, cutting corners and skipping any of these steps is an invitation that may result in your “when” being today.