zephyr_p - stock.adobe.com
How can the channel help fend off the ransomware threat?
It's the security problem that keeps users awake at night and scares MSPs that might be targets, but there are things the channel can do to deal with the issue of ransomware
Ransomware is generating a lot of headlines and angst as one of the worst security threats to companies and organisations. Barely a week goes by without a story of a business or organisation suffering a ransomware attack. The stats can appear frightening as survey after survey reveals huge increases in attacks and threats – and the cost of the ransoms.
There is no denying the danger is real, but what can channel partners do to help customers protect themselves more effectively against ransomware and mitigate the effects?
As Ed Baker, Europe, Middle East and Africa (EMEA) partner lead at McAfee Enterprise, says: “Ransomware is an effective and profitable approach for cyber criminals, so the tactic won’t be disappearing any time soon.”
To provide the best guidance and support, channel partners need to be aware “of evolving ransomware threats and adapt to the changes their customers are experiencing across the IT and security industry”, says Baker. They should be helping customers put the technologies in place to “predict and prioritise potential threats” and encouraging them to adopt a zero-trust approach to security “to maintain control over access to the network and all instances within it”.
A great place to start, says Sam Curry, chief security officer at Cybereason, is to deploy endpoint detection and response (EDR) or XDR on all endpoints to put attackers “on notice that defenders see them and are stopping them”. The problem is that a significant number of companies do not deploy these technologies.
There is also the challenge of “separating product hype and the sheer number of security vendors espousing their virtues around the effectiveness of ransomware detection and prevention, from those that are truly capable of stopping sophisticated ransomware attacks”, says Curry.
David MacKinnon, chief security officer at N-able, agrees that “it’s not all about implementing shiny, new security solutions”. He adds: “Customers need to be realistic and understand that although they might have all the tools money can buy, attacks can, and likely will, still happen. It’s important for technology partners to have an overall view of any potential vulnerabilities, so they can put a plan in place for the worst-case scenarios and reinforce any weak spots they uncover.”
Many businesses do not have the right level of knowledge or understanding of threat modelling to combat ransomware or sophisticated supply chain attacks, says MacKinnon. “This is where the community, and specifically MSPs, come in,” he adds. “As trusted advisers, MSPs need to evolve their knowledge to help customers understand their cyber risk. They need to start opening conversations about how serious a threat ransomware is and the steps customers should take to protect themselves against it.”
Channel partners can do a lot to help
There is a broad consensus that channel partners can do a lot to help businesses deal with the ransomware threat. Thom Langford, global security advocate at SentinelOne, says: “Channel partners can play a vital role in helping organisations defend themselves effectively against the insidious and debilitating threat of ransomware.”
Langford argues that an effective channel partner “doesn’t just shift product – they make sure it is integrated well, effective at its intended function, and can offer perspectives on next steps and enhancements in lock-step with business goals and growth”.
He adds: “Because they are somewhat technology and vendor agnostic, they can ensure that whatever solution is provided is a strong cultural and technological fit. If one vendor or technology doesn’t quite fit the bill, they can pivot quickly and effectively to another that offers solutions in the same space.”
But partners first need to make sure they are secure. Keith Bird, EMEA senior vice-president at Proofpoint, points to “a worrying rise in ransomware attacks” that use the supply chain and supplier relationships “as a key attack vector to cause widespread disruption”.
He adds: “One of the most important ways in which channel partners can protect their customers is shoring up their own security. It is vital for channel partners to pay more attention to basic, yet critical, cyber security hygiene.”
Partners need to help customers tackle the issue at source, says Bird. “It is impossible to come out of a ransomware attack entirely unscathed, so the priority should be avoiding the initial infection at all costs.”
Attackers rely overwhelmingly on some form of human interaction to gain a foothold before launching the ransomware itself, he says, “so it is critical that employees are aware of threats and trained on secure online behaviour”. He adds: “Channel partners can help their customers implement robust and dynamic training and awareness programmes, reducing risky behaviour and empowering employees to form part of the organisation’s defences.”
Employees are the first line of defence
People and education figure highly in any discussion about how to mitigate or prevent successful ransomware attacks. Lauren Marsden, EMEA channel director at Forcepoint, stresses the importance of education because employees are the first line of defence. “Ransomware attacks can start from something as simple as someone clicking on a link or entering user credentials to grant access inadvertently,” she says. “Channel partners need to be working closely with their customers to build initiatives to make employees aware of the role they can play.”
Rob Tomlin, VP UK channel at Dell Technologies, says combating ransomware effectively involves “at least two layers of protection – technology that prevents ransomware attacks by blocking threats, and educating employees about cyber security best practices”.
Combining the channel’s expertise with the latest suite of data protection innovations will ensure customers stay a step ahead of cyber threats, says Tomlin. And while ransomware may “continue to wreak havoc on many”, businesses should not accept defeat “as a foregone conclusion”, he adds.
Daniel Hurel, VP cyber security and next gen solutions at Westcon EMEA, uses a slightly disturbing term when he warns that the biggest risk for a business when it comes to ransomware “isn’t its software or hardware, but rather its ‘meatware’ – the human element within a computer system”.
The first port of call in combating the possibility of human error allowing attackers access should be “the implementation of more endpoint security protection tools, such as multi-factor authentication”, says Hurel. “But the single most effective way to avoid malware attacks is a well-informed, educated team trained to properly identify risks,” he points out.
For example, channel companies should not assume that staff know how to identify a phishing email. “All it takes is one employee to be tricked into making an error, thereby providing bad actors with an entry point,” he says.
Along with many others, Hurel advocates a zero-trust approach to try to avoid a ransomware attack. “It’s critical that businesses have a zero-trust policy in place and a strict vetting process when working with new companies,” he says. “The pandemic has radically changed the threat landscape for practically every business – hybrid working patterns have meant that more devices have been issued with access to company networks. More devices connecting through more insecure home networks creates more vulnerable entry points for bad actors to target.”
Zero-trust policy essential
Hurel believes a zero-trust policy is essential. “Only then can you mitigate the risk of ransomware and prevent any potential spread in the event of an attack on a customer or partner’s network.”
John Brown, director for EMEA channels at Menlo Security, says there is “an opportunity for channel partners to hand-hold customers”, starting with educating them on how ransomware infections happen. “They can then take them through the process of how to limit the chances of a ransomware attack and what steps to take in the event of an attack, including having a robust cyber resilience plan in place,” he says.
Brown says partners and customers “should look to work with vendors that adopt a platform approach”, adding: “Zero-trust can be a significant undertaking, crossing multiple security disciplines spanning the technology stack, including network, data, identity, endpoints and operations and analytics – and opinions differ as to which tools and technologies are most effective. There is no right answer, so deciding on a starting point should be based on a customer’s goals, capabilities and strategy.”
Ben King, SCO at Okta EMEA, believes basic security hygiene can make a huge difference for companies. “Every organisation needs a fundamental information security programme which involves aspects like discouraging the reuse of passwords,” he says. “Using multi-factor authentication makes the job of ransomware gangs incredibly difficult, because they can’t use brute-force attacks on passwords. They should also implement identity-centric zero-trust frameworks.”
King adds: “Channel partners should be enforcing these tactics within their own businesses, and encouraging customers to adopt these methods of protection too. As threats continue to evolve, customers will increasingly look for offerings that encompass optimal security measures and protect data privacy.”
David Ellis, VP security and mobility solutions at Tech Data EMEA, says that because a ransomware attack is not just an IT issue but affects everyone, channel partners need to work with customers “to ensure they have a playbook in place that sets out what happens in the event of an attack”.
He adds: “Encouraging this kind of intra-organisational collaboration and helping to design and implement an effective response to an attack is a real value-add for channel partners, shows considerable specialism and will help bring them much closer to their customers’ business and its unique challenges.”
What technology to deploy
When it comes to deciding what technology to deploy to protect themselves, says Ellis, most businesses are “looking to implement a multi-layered, multi-vendor approach in order to meet the specific needs of their organisation”.
He adds: “Navigating the complexity of which products combine to create the best overall solution and ensuring that all of these systems work in an effective manner is one of the key challenges that organisations are turning to the channel to solve.”
The increasing number of threats and attack vectors, and a corresponding increase in solutions to match them, means that partners will “have to work with vendors and solutions aggregators to keep their training up to date and market knowledge relevant”, says Ellis.
Gavin Knapp, cyber defence technical lead at Bridewell Consulting, says: “The channel needs to help customers understand how modern ransomware attacks work, for example by targeting recovery controls as part of their kill chain. It also means working as trusted partners to help customers continually improve their security posture through testing, assessing and improving controls to prevent, detect and respond.”
Managed service providers (MSPs) also have a responsibility to protect themselves because they are now “a key target as supply chain vendors”, says Knapp, who adds: “It is critical that they eat their own dog food and implement robust cyber security hygiene focused around zero-trust and 24/7 extended detection and response [XDR] capabilities to stop their software, services and infrastructure being used to breach customers.”
Robert Graf, founder and CEO of ProLion, makes the point that ransomware is, at its core, “a financial transaction – if you want your stolen data back, you pay for it”. So, like Bird, he argues that it is best to try to prevent rather than cure it. “This is where the channel plays a key role,” he says. “As trusted advisers, the channel can add a full layered defence incorporating training, application and OS upgrades, endpoint protection and, of course, dedicated proactive ransomware protection for central storage systems.”
Identifying potential network breaches
There is a danger that ransomware “could be a symptom of a far more serious network intrusion”, says Graf. “This is where the channel has a key role to play in identifying potential network breaches. Even with the ransomware removed and the system restored from backups, the problem may not have gone away because the attacker might still have backdoor access to the network and could just as easily redeploy the ransomware.”
As there is no way to completely protect an organisation against a ransomware attack, businesses should adopt a “defence in depth” approach, using layers of defence with several mitigations at each layer, says Graf. In this way, they will have more opportunities to detect ransomware and stop it before it causes real harm. “Again, this is where the channel has a key role to play in guiding and advising their clients in turn,” he adds.
Jason Howells, VP sales international at Barracuda MSP, agrees with Knapp that “one of the best things MSPs can do to protect their customers is to make sure they’re first protecting themselves”. He says they need to “become more security-centric” because pushing the usual emphasis on customers for security training and upkeep is no longer enough. “MSPs need to make sure their customers are covered from the beginning of their journeys with them,” he adds.
“MSPs play a vital role in educating customers to better understand the current threat landscape and arm them with the tools they need to effectively protect their critical data,” says Howells, “but they need to know about the best tools to aid their customers.”
Nick Ross, cyber security consultant at Trend Micro, argues that as trusted advisers, the cyber security community of vendors and channel partners “owe it to customers to ensure they become better protected from threats like ransomware”. He adds: “The marketplace is awash with ‘next-gen’ technology that might help, but simply selling more product shouldn’t been seen as a silver bullet.”
The solution is services, says Ross, particularly as the cyber security skills shortage means many customers “don’t have, can’t afford or can’t retain the limited cyber talent available in the labour pool”.
Ransoms – to pay or not to pay?
But what about companies that do succumb to an attack – should they pay the ransom?
Cybereason’s Curry says his company recommends not paying ransoms because “it doesn’t pay to pay unless it is a matter of life and death or national emergency”. He cites a recent ransomware study of more than 1,200 global organisations that found 80% of organisations “that paid a ransom were hit a second time, often by the same attackers”.
Chris Watkins, head of security at Ultima, says the advice is always not to pay ransoms, “but people still do”. He adds: “However, with the right backup and disaster recovery processes, this shouldn’t be necessary. The key is making sure your backups work well and you test your DR [disaster recovery] capabilities regularly and fill in any gaps. Only this way will you limit damage and exposure of your company’s IP.”
David Guyatt, CEO at Osirium, cites the company’s 2021 Ransomware index survey, in which 53% of respondents agreed to some extent with the statement: “It would be cheaper to pay the ransom demand than continuously invest in preventing [ransomware].”
But as he points out, the cost of paying a ransom is “merely the tip of the iceberg” – “Add in the extra real and virtual costs, such as reputational damage, regulatory fines and lost business through downtime, and it is hard to justify not having robust malware and ransomware protection.”
Like others, Guyatt believes there is “a great opportunity for channel partners to become invaluable to their customers to alleviate the stress and ongoing worry involved in fighting back against ransomware”. He adds: “Finding the right solution is the key – one that balances security and productivity by removing risky local administrator rights from users, while at the same time allowing escalated privileges for specific applications.”
Trend Micro’s Ross accepts that some victims of ransomware might consider paying to make the problem go away, but it “is like pouring fuel on the fire”, he says. “If organisations were better protected in the first place and they – and cyber insurance companies – didn’t pay cyber criminals, ransomware would quickly stop being a ‘thing’. Then the malicious actors would go and find some other shady activity to line their pockets.”