When a ransomware attack hits, time is of the essence to limit the impact on your organisation's operations. Prior preparation and planning prevent poor performance: a rehearsed response saves hours in the early stages of an incident and ensures that the right tasks are carried out in the right order.
The threat from ransomware continues to develop significantly. Previously, one or two endpoints would be compromised and have ransomware deployed to them. Now, attackers compromise the whole network first, often taking copies of sensitive data along the way, and then deploy ransomware to every endpoint at once.
The likelihood of this happening to your organisation is significantly higher if it lacks a strong cybersecurity programme. With sensitive data in the hands of the attackers, your files may also be leaked or sold to third parties, putting your organisation, its customers and its supply chain at risk.
A successful ransomware attack can result in loss of revenue, loss of competitive advantage, reputational damage, regulatory fines, and compensatory payments to customers.
Preparation is the main protective measure that an organisation can take to limit the impact of a ransomware attack.
The approach that many organisations take to mitigate the risk of ransomware attacks is to take out cybersecurity insurance. However, over the last couple of years, cyber insurance premiums have increased, with the rise of ransomware attacks being a significant driver.
Reuters has reported that ransomware threat actors check whether potential targets hold insurance policies that would make them more likely to pay a ransom demand, which has further pushed premiums up.
Many organisations that hold cyber insurance, and have claimed against it after a ransomware attack, report that the insurer covered only a portion of their losses, leaving the organisation out of pocket.
Cyber insurance can reduce some of the financial impact of a breach, but there are other actions an organisation can take to reduce the likelihood of an attack succeeding in the first place, or to detect malicious activity in its early stages.
How to prevent ransomware
1. Security Awareness Training
The delivery method for ransomware is predominantly phishing emails containing either a malicious attachment or a link that the recipient is encouraged to open or click. By providing end users with regular security awareness training to recognise and avoid common entry points, such as phishing emails, malvertising and malicious attachments or links, an organisation can reduce the likelihood of ransomware entering the network in the first place.
Due to the variety of techniques used by threat actors, security awareness training should not just be focused on phishing emails but should include a variety of different topics including:
- Reporting of a security incident
- Securing devices and removable media
- Physical security
- Working remotely
- Use of public wi-fi
- Internet and email use
- Password security
- Social engineering techniques
Because ransomware can enter by so many routes, and because early detection often depends on a user noticing something wrong, awareness training is necessary but not sufficient on its own. It needs to be backed by the planning, rehearsal, backup and technical controls described below.
2. An incident response plan
Every organisation should have an incident response plan that it can turn to in an emergency. The plan is not a step-by-step runbook, but it contains enough information to guide you through what needs to happen when an incident occurs. An incident response plan is a high-level guide, tailored to your organisation, which:
- Defines what an incident is and the different incident tiers
- Outlines when the incident response plan needs to be invoked
- Identifies the key personnel that would be needed to support incident containment and resolution activities
- Identifies the stakeholders that need to be notified when an incident occurs
- Outlines any communication strategies and reporting requirements that the organisation has.
3. Tabletop exercises
Having a plan is not enough; it needs to be practised, and individuals need to know what is expected of them. Regular tabletop exercises are one way to do this. The key individuals named in the incident response plan sit around a table and test the documented plan against a prepared scenario. The scenario is presented to the group, an interactive discussion works through it and sets out the activities required, and several scenario injects are introduced during the exercise to test the decision-making process.
These types of activities are used to test and refine the incident response plan to make sure that it will hold up when an actual incident happens. However, they also identify any potential gaps in security controls that might need to be addressed. It is now a common requirement to provide proof of tabletop exercises as part of compliance audits.
You can also choose to complement your organisation’s annual testing with other activities such as penetration tests to check if your infrastructure has any weaknesses that could be exploited by a threat actor.
4. Backing up systems
Often, when a ransomware attack hits, the only way to recover is by relying on backups. An organisation’s best mitigation against ransomware attacks is to make sure that all critical data is being backed up regularly, to multiple locations, and can be recovered in a time that limits the impact on the organisation’s operations.
If your organisation does fall victim to ransomware, you can wipe the affected devices and restore files and applications from backup, without losing them forever or paying a hefty sum to get them back. That only holds if the backups themselves were out of the attacker's reach, which is why the following two practices matter.
A growing number of organisations are adopting the 3-2-1 rule: at least three copies of the data, on two different storage media, with at least one copy kept offsite.
In addition, many organisations now keep at least one copy on immutable storage, which cannot be altered or deleted once written, even by an administrator whose credentials the attacker has obtained. Whatever the arrangement, restores should be tested regularly and timed against the recovery objective; an untested backup is not a recovery plan.
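As an added example (not code from the LRQA page or from any of its services), the following Python script turns the backup guidance above into checks that can be run after a restore test: it confirms that a backup inventory meets the 3-2-1 rule, includes an immutable copy and can be restored within a chosen recovery time, and it compares each restored copy's SHA-256 hash with the source so that a copy the attacker managed to encrypt is not mistaken for a good one. The copy labels, media types, restore times and sample content are constructed assumptions.

```python
# Added example, not code from the LRQA page: a minimal checker for the
# backup controls described above (3-2-1 rule, an immutable copy, and a
# recovery time that limits operational impact), plus a hash comparison
# that confirms a restored copy still matches the source. The inventory,
# labels, media types and restore times below are constructed for illustration.
import hashlib
from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str             # label of this copy, e.g. "nas-nightly" (assumed)
    media: str            # storage type, e.g. "disk", "tape", "object-lock"
    offsite: bool         # held away from the primary site
    immutable: bool       # write-once storage that cannot be altered or deleted
    restore_minutes: int  # measured time to restore from this copy
    content: bytes        # bytes read back from the copy during a restore test


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_policy(copies, rto_minutes):
    """Return a list of policy gaps; an empty list means the controls hold.

    The checks mirror the article: three copies, two media types, one
    offsite, one immutable, and at least one copy restorable inside the
    recovery time objective (RTO).
    """
    gaps = []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies, need at least 3")
    if len({c.media for c in copies}) < 2:
        gaps.append("all copies are on the same storage type")
    if not any(c.offsite for c in copies):
        gaps.append("no offsite copy")
    if not any(c.immutable for c in copies):
        gaps.append("no immutable copy")
    if not any(c.restore_minutes <= rto_minutes for c in copies):
        gaps.append(f"no copy restorable within RTO of {rto_minutes} min")
    return gaps


def verify_copies(source: bytes, copies):
    """Map each copy name to True if its content hashes to the source.

    A copy that ransomware encrypted, truncated or replaced will not match,
    which is why restore tests should compare hashes rather than merely
    confirm that a file of the right name exists.
    """
    expected = sha256(source)
    return {c.name: sha256(c.content) == expected for c in copies}


def usable_copies(source: bytes, copies):
    """Names of copies that are intact and either immutable or offsite,
    i.e. the ones a recovery should be run from first."""
    intact = verify_copies(source, copies)
    return [c.name for c in copies
            if intact[c.name] and (c.immutable or c.offsite)]


# Constructed sample data: one source file and three copies, one of which has
# been overwritten (simulating a copy that was reachable from the infected network).
SOURCE = b"ledger-2024Q3: opening balance 1200.00; closing balance 1375.50\n"

COPIES = [
    BackupCopy("nas-nightly", "disk", offsite=False, immutable=False,
               restore_minutes=15, content=b"\x9f\x1c encrypted by intruder"),
    BackupCopy("tape-weekly", "tape", offsite=True, immutable=True,
               restore_minutes=480, content=SOURCE),
    BackupCopy("cloud-objectlock", "object-lock", offsite=True, immutable=True,
               restore_minutes=60, content=SOURCE),
]

if __name__ == "__main__":
    print("policy gaps:", check_policy(COPIES, rto_minutes=120))
    print("intact:", verify_copies(SOURCE, COPIES))
    print("recover from:", usable_copies(SOURCE, COPIES))
```

Run as-is to see the result for the constructed inventory. In practice the content bytes come from an actual restore into an isolated environment, and the source hash should be recorded at backup time and stored alongside the immutable copy rather than recomputed on a system that may already be compromised.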
Additional security measures & best practices
- Network segmentation and micro-segmentation – Avoid a flat network; it lets ransomware, and the attacker behind it, move freely from one compromised host to every other system.
- Maintain up-to-date patch levels – Unpatched systems make it easier for a malicious actor to gain a foothold and reach critical systems and data.
- Implement an intrusion detection system – Use continuous monitoring to detect anomalous or malicious activity so that an attack can be cut off before ransomware is deployed.
- Employ email filtering – Block malicious attachments, spam and phishing emails before they reach the inbox, so that detection does not rest on end users alone.
- Use password managers – Encourage users to adopt a password manager so that every account has a strong, unique password.
What else can you do to stop ransomware?
When it happens, a ransomware attack can be a catastrophic blow to an organisation. Above are just some of the actions that can be taken to help prepare for a ransomware attack. At LRQA, we are aware that it can be daunting to know where to start or where to focus effort to help reduce the risk to the organisation. We have a suite of services, including our ransomware resilience assessment, that can be provided as part of a managed service contract or as part of a smaller one-off engagement.
Please get in touch to learn more about how LRQA can support you to prepare and defend against ransomware.
Alternatively, if you have already fallen victim to a ransomware attack LRQA can support your organisation with recovery activities or mitigation against further occurrences with our cyber incident response service.