Ransomware was once just another cybersecurity threat to deal with. Now it’s become a national security issue.
Ransomware attacks, which hackers use to lock up computer systems or sensitive data and demand payment to set them free, have become an ever-present risk, estimated to occur every 11 seconds and on pace to cost companies $20 billion globally in 2021.
In June, the U.S. Justice Department announced it would handle ransomware attacks in much the same way it does terrorism cases. The move followed the Colonial Pipeline attack, which shut down the country’s largest refined-product pipeline for several days, causing gasoline shortages and price spikes.
What can companies do to guard against this onslaught? We asked several cybersecurity leaders to share what they consider the most effective strategies.
Plan for the worst
There is no quick fix to combat ransomware or any other cyber threats we face today. Companies need to be prepared to make a strong multiyear plan and financial commitment to improve cyber hygiene. Leadership within the entire organization must buy into the value of cybersecurity.
Simple steps—such as implementing multifactor authentication, storing offline or encrypted backups (and testing those backups), instilling awareness, and providing employee training—can all help to build better cyber habits and processes that will offer protection against most common threats.
A zero-trust model is also a valuable tool. This would have prevented many of this year’s most notable cyberattacks on some of our country’s critical infrastructure.
Focus on preparation and response
Your operating assumption must be that preventative controls won’t be sufficient. One way or another, an attack will get through or mistakes will let data be exposed. Preparation and optimized response are critical success factors. This is more than a runbook on the shelf. Rather than approach preparation as a “necessary evil,” look for ways to make the effort fun, educational, and cross-functional. Two key areas will make your response more effective:
First, use a tabletop exercise with cross-functional teams to understand how things work today. Then, evaluate your processes to focus on speed and collaboration. Look for ways to subtract the friction through better data sharing and automation, such as getting event data or asset context, or assigning work, or notifying employees.
Second, think like an attacker. Anchor your plans around what attacks or incidents are most likely given your business, which assets or services or teams would be most affected, and how much your customers or business or employees would be damaged as a result. This will help you prioritize your planning and response to protect your business.
Stop being an easy target
Prevent ransomware from encrypting your files in the first place. Your defenses do not have to be perfect, but they must be better than other victims. Ransomware is opportunistic. It goes after easy targets providing reasonably good payoffs.
Keep your systems patched. Install current anti-malware solutions. Make sure you have multifactor authentication and good vulnerability management procedures. And have a good plan for what you’ll do to get your systems back online and how you’ll deal with the hackers in the event of an attack. It is much easier and less stressful to think these problems through before an attack than in the middle of one.
Ensure you have executive support
Companies need to be prepared at an executive level to make some really challenging decisions. In many cases, executives are not grounded in reality. They don’t fully comprehend the danger of ransomware until it’s too late. You’ve got to have a plan and practice it constantly. Plenty of companies say they do backups, but they’ve never had to restore from them. They don’t understand it can take weeks to recover your backups. If they practice backing up in advance, it will go a lot more smoothly if something actually happens.
Don’t negotiate on your own
If you are hit, do not contact the threat actor before consulting a professional. I recommend contacting a law firm with a breach practice and asking them to refer you to a professional negotiator. Cyberinsurance companies can refer you too.
The reason you shouldn’t try to negotiate yourself is that you’re not likely to be objective. The bad guy will know they’re not dealing with a professional and take advantage of you.
Keep in mind that the moment someone does interact with the bad guys, the negotiation clock starts. There are threat milestones associated with that clock. When it reaches a particular point, the ransom price doubles and they will leak 20% of your critical data. Do not start that clock before you have a well-designed response plan.