Posted 1 year ago
Ransomware is a top threat to minimize, especially as it continues to grow, morph and become even more virulent and effective. Why classify it as Existential? For starters, governments have categorized it as being as destructive as terrorism overall, plus the asymmetrical advantage criminals have puts the defenders at a significant disadvantage. This summary paper is meant to consolidate the main elements and key protections and serve as ‘talking points’ for those who manage the business and protect all its assets.
Though this threat can be scary, it can also be reasonably well-managed (there is no guarantee even close to 100% in cyber, as we all know), provided you invest in it with the same resolve as the criminals do to attack you.
Problem overview. Now that ransomware has the attention of consumers (e.g., loss of gas availability, meat production, water safety, etc.), the risk has widespread attention. This is a very wide topic, so we only list the top contributing factors herein, not all the significant (and for the most part incalculable) organizational damages it can cause, as we assume those are well known at this point.
Key ransomware factors:

It is now a triple threat: (1) loss of data availability (encrypted), (2) data breach extortion (exfiltrated sensitive data) and (3) extortion of your partners and clients for their data stolen from you.
Ransomware as a Service (RaaS): it is now a commodity service that can be easily bought and then executed on any entity at any time. It is also much more targeted now, not just a wide mass email to thousands; with gobs of social media data available, the phishing attacks are well done (and getting better with AI / ML too). The company is also assessed for its ability to pay, including whether it has cyber insurance.
Cybercrime is a business: they are well organized, have business plans, share data, and now we discover they are supporting startup cybercrime entities as well. They are thriving as they reinvest into more effective methods and tools, not to mention that they are essentially immune from the law or any real punitive repercussions (another story in itself).
Asymmetrical advantage: the above factors show they have the upper hand for the most part. It goes back to the adage that they need to find one vulnerability and we need to manage thousands. They also run a well-organized, high-profit and low-risk business (with no stakeholders to account to).
So, what to do? While this is, as they say, a “wicked” problem, it is not hopeless: the risk can be significantly reduced by an aggressive ransomware risk reduction program. Show your resolve and initiate a ransomware task force! There are a lot of ransomware support resources, mitigations to follow, etc. (a few links are listed at the end); those are best reviewed and then integrated into your own tailored ransomware risk reduction program. Within the program you will have researched all potential risk reduction measures and weighted their utility, then prioritized their mitigations. Like all programs, ensure it is resourced, managed, tracked, and reported frequently. This is where you decide whether to make this risk reduction effort a priority or not: convince leadership that the company’s future could well depend on this effort, because it can. If you cannot, then redo the message and keep trying.
What are the key mitigations? As mentioned, review the major ransomware support references and build and tailor your own; there are some common items to ensure are assessed, and in many cases they must be verified / audited if need be (for example, has IT proved they can restore critical data, and just what data do they store, and where?). The ransomware mitigation effort must be aligned with and part of your overall risk-based security strategy, which must also account for data leak/breach, resilience, etc. That is why your formal risk register must keep track of all the risks, priorities, status, etc., as most of us have a lot of risks, with the efforts of highest business risk value being done first. So, there it is, your top MUST DO task: use a risk register to account for all your risk assessment efforts; use it to show stakeholders the overall organization’s risk story, i.e., how their key business success factors are being supported.
As for what matters: it all does, and of course it depends, as the relative risks vary by environment and some measures can be “good enough” while resources are used elsewhere to drive that risk down. The dozen items listed below are but one view, as many others exist, yet these tend to be key in both ransomware risk mitigation and overall risk reduction in general. That said, please skim the resources below and decide what matters for your environment; collectively they will capture a risk-based ransomware protection plan.