You almost can’t blame cyber criminals for their relentless barrage of ransomware attacks against the corporate world. From their perspective, it’s easy money.
Corporations face a much more frustrating calculus. You can either refuse the attackers’ ransom demands and suffer potentially disastrous disruptions, or fork over valuable cash — with no guarantee that your IT systems will be restored, possible law enforcement consequences, and the infuriating awareness that you surrendered to the bad guys.
Ransomware isn’t a single, specific thing. It's an attack strategy that uses many things to force your company to surrender.
Everyone knows such a dynamic is untenable. Businesses need to do better at reducing the threat of ransomware, so that refusing attackers’ demands becomes an easy, obvious choice.
To achieve that ideal state, however, compliance and risk officers first need to understand what ransomware truly is. Then you can begin to develop the capabilities necessary to defang its threat.
Ransomware is not a weapon; it’s a strategy.
That is, ransomware is a set of actions that criminals use to achieve their objective, which is getting your business to give them money. When we say, “My company suffered a ransomware attack,” what we really mean is that criminals took a series of steps to maneuver you into a position where you had to give them money; that would be your best choice, given the circumstances you faced.
This is an important point to understand, because too often we think of ransomware as a single, specific thing — like a piece of software that attackers lob over the firewall, or an app that they run. Ransomware attacks are much more complex than that. The attackers will…
- Look for promising victims, such as a business that can’t afford to be knocked off-line or haven’t been updating their software systems.
- Use multiple attack techniques, such as phishing attempts against employees and SQL injections against web pages your company runs.
- Target your most important assets, such as customer data or intellectual property, IT systems that control sales operations, or even physical assets like sensors and medical devices.
- Show you they’re serious, perhaps by releasing some of your hostage data to the public or ruining one device.
- Force you to work on their timeline, by giving you tight deadlines before your data or IT systems are ruined forever.
No single countermeasure can work against all that — because, as we said before, ransomware isn’t a single, specific thing. It's an attack strategy that uses many things to force your company to surrender.
If ransomware is a strategy, then you need to develop an effective counterstrategy to defend against it.
Understand the elements of a good counterstrategy.
Developing an effective counterstrategy is all about using the resources at your company’s disposal to neutralize the attackers’ threat as much as possible.
Some of the steps you take will very much be traditional cybersecurity measures, such as implementing a strong firewall and segmenting your network. Other measures, however — probably the most effective, important ones — won’t come from the cybersecurity team. They will come from steps that compliance and risk management teams take to change how your business approaches cybersecurity risk.
For example, a competent risk assessment will be crucial. You’ll need to know where your most important data is, how well it’s protected from attack, and how often it is backed up. You’ll need to know how many third parties can access your confidential data, and which third parties provide mission-critical services.
Employee training for a risk-aware culture will also be critical. The single best risk management device under the sun is an employee trained and empowered to say, “Hold up, this seems weird.” Your cybersecurity team can help to devise the actual training material that explains how attacks happen and what they look like; but HR, compliance, and audit teams can play vital roles assuring that the training is delivered and sinks into employees’ heads.
Policies and procedures will be important, to encode your risk management objectives into practices that employees follow and that will work. For example, if you decide to use multi-factor authentication for access to confidential data, you’ll need to declare that as a policy and implement specific procedures for proper access control. If you want vendors to attest that they keep their ERP software updated, you’ll need a procedure to collect those attestations and preserve them.
This will take a team, and technology.
As you can see, multiple parts of your enterprise will need to work together to develop and implement an effective counter-strategy against ransomware. That means the organization will need to define roles and responsibilities, to assure that there’s effective leadership and accountability to push your strategy forward.
Exactly who does what? Each organization will need to decide that for itself, depending on your resources. To succeed, however, you will need support from the board and the C-suite to get this done. They are the ones who do the defining of roles and holding people accountable.
In all likelihood, you’ll also need technology to orchestrate all this effort. A single repository of trustworthy data, alerts for tasks not done, escalation for requests ignored – these are all critical for success, and can easily be lost in a sea of spreadsheets and old emails. Plus, you’ll need an easy way to report your cybersecurity posture to the board, regulators, and prospective customers.
Then, if everything goes right, you can achieve your objective: confidently telling your ransomware attackers to get lost.
