The conversation about whether companies should pay in a ransomware attack is becoming more commonplace. Unfortunately, these crippling cyber-assaults are taking place too frequently across the globe, with targets and outcomes getting more consequential and more threatening for our workforce and communities.
Cyber-criminals and other nefarious actors are hitting all levels of industry, both large and small, across the world, with a direct impact on essential needs including fuel, healthcare, public utilities, and agricultural supply chains. In recent months we've seen the impact on agriculture via an attack on an Australian meat processor, the impact on healthcare due to an attack on five hospitals in the New Zealand district of Waikato which caused major disruption to IT systems, and the Colonial Pipeline attack in the US which threatened the country's fuel distribution network.
In a vacuum, the guidance not to pay makes total sense. We don't want to negotiate with criminals. But when you need to get your business back online, a cost/benefit analysis is going to come into play, and a company is going to do what it needs to do to have continuity. Good cyber-hygiene and open discussions on possible threats and mitigation have to be a focus to avoid getting to this point.
Globally, we must learn from each other. The catastrophic attacks experienced by organisations in all corners of the globe in the last month alone make it imperative that IT professionals put preparedness for ransomware attacks at the top of their agenda.
The Colonial Pipeline attack sparked a major response from leaders and authorities across the globe. In the days following this attack, an intensive survey was conducted by global IT professional association ISACA, to discover how IT professionals feel about negotiating with cyber-criminals.
The insights certainly validate my own views including:
- Only 22% say a critical infrastructure organisation should pay the ransom if attacked.
- 84% of respondents believe ransomware attacks will become more prevalent in the second half of 2021.
- Four out of five survey respondents say they do not think their organisation would pay the ransom if a ransomware attack hit their organisation.
Among the survey's other findings:
- 85% of respondents say they think their organisation is at least somewhat prepared for a ransomware attack, but just 32% say their organisation is highly prepared.
- Four in five respondents say their organisation is more prepared for ransomware incidents now than four years ago.
- Two-thirds of respondents expect their organisation to take new precautions in the aftermath of the Colonial Pipeline incident.
- Nearly half of respondents (46%) consider ransomware to be the cyberthreat most likely to impact their organisation in the next 12 months.
- Despite the clear risks from ransomware attacks, 38% of respondents say their company has not conducted any ransomware training for their staff.
I'm extremely encouraged by the fact that more than 80% of organisations are more prepared for ransomware incidents now than they were four years ago and that so many will be taking new precautions after Colonial Pipeline. Open reporting of cyberattacks appears to be working, and in this transparency, we can expect to see newer threats mitigated earlier with faster response times. Also, being prepared and conducting table-top exercises with the right stakeholders and responsible parties can help prevent reactionary responses and instead create a pro-active posture for cybersecurity programs within organisations.
In addition, knowing your responses, RTO and RPO, and risk appetite, will not only help in preparing for a ransomware event, but also in understanding what your enterprise's threshold is in the decision-making process for considering whether to pay the nefarious actors to get your business back up and running. This decision will, of course, need to happen on a case-by-case basis.
My top 10 steps to ensure companies are better prepared for, and help prevent, ransomware attacks are:
- Understand risk profiles—Organisations should have their risk assessed to accurately prepare for potential attacks. To do this, cybersecurity teams must take inventory of responsibilities, products and services, and the technical requirements affiliated with each. By defining these risk areas, cyberteams can better assess areas that require the most attention when allocating cybersecurity resources.
- Realise data responsibilities—Each employee on a cybersecurity team should realise the types of data that they are responsible for storing, transmitting and protecting.
- Test for incoming phishing attacks—Most attacks start with a phishing campaign, and they continue to be effective. Try testing filters by sending yourself de-weaponised phishing emails identified by others from an external test email account. How often will they make it through? Test it. It is possible that email filters need to be strengthened.
- Assess all cybersecurity roles on a regular, event-controlled basis—Regularly assess and audit cybersecurity controls to ensure that they are applied and maintained appropriately. A truly mature organisation will test these controls on both a time-based schedule and in response to incidents.
- Evaluate patches on a timely basis—Ensure that patches are applied in an organised and methodical fashion. For vulnerable legacy systems that cannot be patched or updated, isolate them in the network and ensure that those systems do not have access to the Internet.
- Perform regular policy reviews—Make sure that all pertinent cybersecurity policies not only exist, but are also regularly evaluated and updated based on the ever-changing cybersecurity landscape. Specifically, update these policies based on both time-based schedules and event-based instances.
- Leverage threat intelligence appropriately—Reading and disseminating threat intelligence throughout a cybersecurity team can be overwhelming. Hacks and cyberattacks occur on a 24/7 basis, with different branches of similar attacks emerging overnight in many instances. Understanding which type of intelligence applies to your organisation and parsing it out correctly increases understanding of what threats may pose the greatest danger.
- Protect end-user devices—We often forget to ensure 100% protection of end-user devices, not only for devices within the network, but for all devices used by remote users to access systems. Exclusion lists should be minimal.
- Communicate clearly with executive leadership and employees—To gain executive support, ensure that reporting and communication to the leadership level is clear and accurate. Once leadership understands the threat, the risk and its potential impacts, cybersecurity teams are more likely to receive the funding and support required to protect the organisation.
- Comprehend organisational cybermaturity—All points listed here are a part of comprehending an organisation's cybermaturity, or its developed defensive readiness against potential cyberattacks and exploitations. Tools like the CMMI Cybermaturity Platform can help organisations understand and improve their cybermaturity.
We are living in a world where company leaders should assume they will find themselves being held to ransom by cyber-criminals. Implementing these steps, and having the right discussions with the right people in an organisation to protect the company ahead of this very real possibility, is the best way to avoid ever having to decide whether to pay a ransom.