Even less technical criminals are jumping on the bandwagon through a growing number of ransomware-as-a-service portals available on the Dark Web.
Regardless of how bleak this news may seem, organisations actually have a way to effectively defend themselves against ransomware. It starts by using some best practices to prevent as many attacks as possible and then taking appropriate precautions so that the impact of any successful attack is minimised.
Ten Things You Should Do Right Now
Here, then, are 10 critical steps every organisation needs to consider as part of their anti-ransomware strategy:
- Map your attack surface. You can’t protect what you don’t know needs to be protected. Start by identifying all of the systems, devices and services in your environment that you rely on to conduct business, and maintain an active inventory. This process not only helps you identify your most vulnerable targets but should also help you map out your system’s baseline for recovery.
- Patch and upgrade your vulnerable devices. Establishing and maintaining a regular patching and upgrading protocol is a basic best practice. Unfortunately, far too many organisations simply don’t do it. Of course, not every system can be taken offline for patching or upgrading. In that case, such systems need to either be replaced (where possible) or protected using strict proximity controls and some sort of isolation or zero-trust strategy.
- Update your security systems. In addition to updating your networked devices, you also need to ensure that all of your security solutions are running their latest updates. This is especially crucial for your secure email gateway (SEG) solution. Most ransomware enters an organisation via email, and a SEG solution should be able to identify and remove malicious attachments and links before they are delivered to their recipient. Likewise, an effective web filtering solution that leverages machine learning ought to be able to effectively stop phishing attacks. In addition, your security strategy needs to include things like application whitelists, the mapping and limiting of privileges, implementing zero trust between critical systems, enforcing strong password policies and requiring the use of multifactor authentication.
- Segment your network. Network segmentation ensures that compromised systems and malware are contained to a specific segment of the network. This includes isolating your intellectual property and sequestering the personal identifying information of employees and customers. Likewise, keep critical services (like emergency services or physical resources such as HVAC systems) on a separate, segregated network.
- Secure your extended network. Ensure that security solutions deployed on your core network are replicated in your extended network – including operational technology (OT) networks, cloud environments and branch offices – to prevent security gaps. Also take time to review any connections from other organisations (customers, partners, vendors) that touch your network. Make sure those connections are hardened and that appropriate security and filtering are in place. Next, alert those partners to any issues you may discover, especially related to the possibility of malicious content being shared or spread through those connections.
- Isolate your recovery systems and back up your data. You need to perform regular data and system backups and, just as critically, store those backups off-network so they are not compromised in the event of a breach. Organisations should also scan those backups for evidence of malware. You also need to ensure that any systems, devices and software required for a full system recovery are isolated from the network so they are fully available should you need to recover from a successful attack.
- Run recovery drills. Regular recovery drills ensure that your backed-up data is readily available, that all required resources can be restored and that all systems operate as expected. They also confirm that chains of command are in place and that all individuals and teams understand their responsibilities. Any issues raised during a drill need to be addressed and documented.
- Leverage outside experts. Establish a list of trusted experts and consultants who can be contacted in the event of a compromise to assist you through the recovery process. When possible, you should also involve them in your recovery drills.
- Pay attention to ransomware events. Stay on top of the latest ransomware news by subscribing to threat intelligence and news feeds. Make it a habit for your team to learn how and why systems were compromised, and then apply those lessons to your own environment.
- Educate employees. Rather than being the weakest link in your security chain, your employees need to be your first line of cyber defense. Because ransomware usually starts with a phishing campaign, it is imperative that you educate them in the latest tactics cybercriminals are using to trick them – whether they target corporate, personal or mobile devices. In addition to the sort of regular, annual security reviews most employees are required to participate in, consider a regular cadence of awareness campaigns. Quick 30- to 60-second video updates, phishing simulation games, email messages from the executive staff and informative posters help maintain awareness. In addition, running your own internal phishing campaigns can help identify employees who may need additional training.