Think technology, process, human risk to manage ransomware
Effective ransomware handling boils down to three core areas – technology, process and human risk
Effective ransomware handling is not simple – it must span every area of the business and requires a multi-layered approach. To achieve this, CISOs need to focus on providing all employees and the organisation with the necessary “tools” to recognise and react appropriately to an attack and prevent it from succeeding.
These can be broken down into three core areas – technology, process and human risk.
Technology
Technology provides various ways to guard against ransomware attacks. The threat evolves constantly, so it is important to be proactive to ensure that detection and defence systems (such as firewalls) at the endpoints of systems are always up to date and as strong as they can be.
Patching all the public-facing systems and platforms that extend the organisation’s network perimeter is essential to avoid data extortion and leaks, as is keeping all software updated and patched. Computers need to run the latest operating systems, applications and anti-virus, and only protected devices should be allowed to connect to the company’s resources. Whitelisting applications to determine which can be downloaded and executed on a network is also good practice.
CISOs should ensure their organisation has a comprehensive asset inventory, so they can understand the operational value of each asset – and therefore the risk – should it be compromised. This helps to assign priority protection to the highest value assets and, in the event of an attack, may help the organisation to determine what should be protected or (in a worst-case scenario) recovered first.
Identity and access management has a key role in guarding against ransomware because it ensures that only authorised and authenticated users enter the system. Applying robust access control policies to users and accounts serves to limit the potential for exploitation in the event of a breach as it can prevent attackers from travelling through systems and finding valuable assets.
This is particularly important when considering privileged accounts, whose elevated access and increased scope make them especially valuable to attackers. Employing a principle of “least privilege” is the best way to approach this. Users or accounts are given the lowest level of access required to perform their job – anything else is removed or restricted. Also, the often-overlooked administrator access to all devices should be managed with additional controls, such as multi-factor authentication and logging, to minimise abuse and misuse.
Process
The technology element needs to be reinforced with appropriate, user-centric policies that are easy to understand – but also easy to stick to. In other words, it should be easier to do the right thing than to subvert it. These policies need to be enforced through monitoring and specific follow-up for non-adherence. For example, rather than hoping that people download and apply patches in a timely manner, automated scripts or tools can be configured to apply them, with follow-ups also carried out to check adherence to optional updates, etc.
People need simple channels to report anything suspicious, coupled with an understanding that they have a responsibility to do so. They should also be confident that reporting something such as clicking on a suspicious link will not result in negative consequences.
Clear instructions on what to do and who to contact should someone fall victim to cyber criminals must also be included. Understanding how an attack happened and taking the required action to prevent it from occurring again is key – being updated on new threats and technologies is a crucial part of a CISO’s strategy.
Key systems (or those under the greatest threat) should be monitored continuously to detect intrusions, with alerts set up to flag anything untoward. This is helped by CISOs having a thorough understanding of their threat landscape. Knowing where they are more likely to be targeted enables control efforts to be focused effectively. Sharing cyber threat intelligence between relevant organisations keeps all parties updated on the latest security risks, thus helping to reduce the likelihood of a successful attack.
As well as the organisation, its devices and its employees, third parties need to be part of the equation so that everyone protects data and systems to the same agreed standard. This can be done contractually if necessary.
Human risk
But with roughly 90% of data breaches occurring because of phishing attacks (Cisco’s 2021 Cybersecurity threat trends), the biggest threat to an organisation’s security is its people, albeit unintentionally.
Guarding against phishing is important at any time, but particularly at this time of year in the run-up to the holiday season and online shopping events such as Black Friday and Cyber Monday. Many people will be ordering items and expecting deliveries, making them susceptible to phishing emails related to failed or rescheduled deliveries.
Users targeted in phishing attacks can be exploited to gain access to client systems. CISOs must therefore equip the whole workforce with the knowledge that they form a critical part of the first line of defence – as noted above, everyone has a responsibility to guard against bad actors. This requires an organisational culture in which people understand the real threat posed by cyber criminals, the potential for a ransomware attack, how to spot phishing attempts, and how to react if they notice anything suspicious.
Regular, enterprise-wide, security awareness training is essential, covering topics such as cyber hygiene awareness, infosec principles, good IT practices and how to recognise suspicious emails. This can be reinforced with methods such as phishing simulations, which help employees to recognise and avoid malicious communications.
Training needs to be tailored for different groups of users based on the specific types of attack different parts of the company are likely to face, and help employees to understand why tasks such as patching – often viewed as an inconvenience – are essential.
By improving security awareness across the organisation, CISOs reduce the attack surface – and, with it, the likelihood of a ransomware attack succeeding.
To further minimise the organisation’s exposure to bad actors, security awareness can be supported with technology. For example, blocking private use of corporate email addresses, or preventing access to personal emails on corporate devices, also reduces the risk of a phishing email being able to pass something into the corporate network.
A role for everyone
Protecting the organisation against ransomware is an ongoing and evolving task that requires a combination of up-to-date technology, straightforward processes and informed people.
However, while CISOs are the lynchpins that make sure the necessary blocks are in place, in an age of “porous perimeters”, everyone in the enterprise has a role to play in protecting their workplace from bad actors.