Ransomware is more pervasive than ever, and the number of attacks is mind-boggling. With help from ransomware-as-a-service (RaaS), cybercriminals and organized "bad actors" continue to wreak havoc. Cybersecurity vendor SonicWall recorded more than 495 million ransomware attack attempts globally by the end of Q3 2021, a 148% increase from 2020. Despite efforts by enterprises to secure their IT infrastructure, the U.K. has seen a 233% increase in such attacks. The United States is not immune either: it saw a 127% surge by the end of 2021 and, since 2016, has endured approximately 4,000 ransomware attacks per day as criminals attempt to monetize data.
Also concerning is that the implications of ransomware are more insidious than those of a typical "smash and grab" cyberattack, in which bad actors break through an organization's defenses, grab the data and sell it. In a ransomware attack, the criminals deny the organization access to its own data and demand payment to restore it. Many groups now also take a copy before encrypting and threaten to publish it if the ransom is not paid, so an organization can face the loss of access and the theft at the same time.
Think of it this way: A typical cyberattack is like a jewelry theft where the bad guys break into a building, take the jewels out of the building and then resell them. The store owner replaces the smashed jewelry cases, adds additional alarms and reopens the doors to customers. In a ransomware attack, by contrast, the jewels never leave the store: the thieves put their own locks on every display case, and may walk out with photographs of the inventory as well. The originals are still on the premises, but they cannot be reached or sold, so the business has to shut down.
Despite efforts to secure IT infrastructure, businesses, health care providers, government organizations and educational institutions across the globe are more likely than ever to find their data encrypted and their IT infrastructure locked, shuttering operations until the demanded ransom is paid or the environment is rebuilt. In past attacks, we've seen organizations take a full week to get back online and service their customers. In many cases, organizations not only have to rebuild all of their internal IT infrastructure, but they also take huge financial and reputational hits because they were unable to provide customers with products and services. Organizations also face the very real threat of legal action due to the theft of personally identifiable information (PII).
Needless to say, every organization can and should be doing whatever it can to proactively minimize damage from ransomware attacks. The following strategies are a start in helping you prepare in the event your organization should come under fire:
- Eliminate unnecessary data. Organizations that follow data life cycle best practices put processes in place to systematically delete data that is no longer needed. This requires an understanding of how to prioritize your data and "pruning" processes that reduce the attack surface: data you no longer hold cannot be encrypted or leaked. Diligent data life cycle management helps deny cybercriminals access to sensitive financial, operational and customer data. Another aspect of prioritizing data is classifying it, so that adequate protection mechanisms are applied to the most highly classified information and stray copies are removed from less secure areas of the organization.
- Pay attention to email risks. From an IT security standpoint, the number-one attack vector is email, whether through phishing links, malicious attachments or credential theft. Email security best practices must be implemented across the entire organization. Equally important is regular employee training on email security, including mock phishing simulations to test whether policies are actually followed. These build internal muscle memory so that best practices are followed and all parties know what to do, and whom to report to, in case of attack.
- Ensure regular backup processes are in place. It is important to back up data regularly and, just as importantly, to test restoring from those backups regularly; a backup that has never been restored is an assumption, not a recovery plan. Keep at least one copy offline or in immutable (write-once) storage that the credentials of a compromised administrator cannot delete or encrypt, because ransomware operators routinely hunt for reachable backups before they trigger encryption. Access to this stored data should help minimize downtime. Backups also let you rebuild if you choose to pay the ransom and receive decryption keys, only to find that the decryptor is slow or that your data has been corrupted and made unusable. If the organization measures how long a full rebuild from backup takes, it can estimate the downtime a ransomware attack would cause. That downtime feeds directly into the cost calculation in the next point.
- Include a ransomware attack plan in your disaster recovery protocols. The attack plan should be part of the organization's IT security runbook, which covers disaster recovery procedures. The runbook should include all of the technical aspects, including which backups to restore from and the process for getting back online. And because a ransomware attack locks access to your infrastructure, your plan should identify response protocols and actions based on the piece of the infrastructure impacted, whether it is a single system or server or your entire Microsoft 365 environment, for example. There should also be a general company playbook related to security breaches that covers the non-technical procedures, including external communications and escalations, which is addressed in the next point. Finally, while not necessarily an item to be documented in the runbook or playbook, it is best to settle the question "Are we going to pay?" before any attack. This is a really important question that should be discussed, and decided, by the enterprise executive management team rather than under the pressure of a live incident.
- Develop a ransomware communications plan. A ransomware attack communications strategy should be part of the organization's general company playbook for security breaches. It should spell out who must be informed (employees, customers, investors, regulators and other stakeholders), how and when, what the communications will say and who will deliver them (e.g., CEO, HR, legal). Don't forget to plan how communications will be sent if your organization's Exchange server is locked down and inaccessible, and how a customer or employee would know to trust a new email address or other channel that suddenly starts carrying messages from your organization. This may require legal review and ownership, because regulations such as GDPR impose notification deadlines that start running once a breach is discovered.
- Understand where all data lives within your organization's IT ecosystem. Critical systems and intellectual property are your organization's crown jewels, and prioritizing their protection is essential. That said, do not forget the rest of your data. While some data is more important, all of it deserves attention, including fringe data and the log data on a system that sits at the edge of the network, which is often exactly where an intrusion is first visible.
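The backup advice above, in particular "test these backups regularly" and "understand how long it takes to rebuild", is easy to turn into a repeatable drill. The following is an added example written for this page, not code from the original article: it backs up a constructed sample tree, records a SHA-256 manifest of the copy, restores it to a fresh location, verifies every file against the manifest, times the restore, and shows what the check reports when a backed-up file has been tampered with or has rotted. Paths, file names and contents are all constructed for the illustration; the script uses only the Python standard library and a temporary directory.

```python
"""Backup verification drill (added example, not from the original article).

Back up a tree, restore it, verify the restore file by file against a
manifest taken at backup time, and time the restore so the expected
recovery window can be estimated.
"""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 digest for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source: Path, backup: Path) -> Dict[str, str]:
    """Copy the tree and record a manifest of the copy.

    The manifest should be stored separately from the backup (ideally
    offline or in immutable storage) so that whoever can tamper with the
    backup cannot also rewrite the record it is checked against.
    """
    shutil.copytree(source, backup)
    return build_manifest(backup)


def restore_and_verify(backup: Path, manifest: Dict[str, str],
                       target: Path) -> Tuple[float, List[str]]:
    """Restore backup to target and compare every file with the manifest.

    Returns (restore_seconds, problems); problems lists files that are
    missing, altered, or present in the restore but absent from the manifest.
    """
    start = time.perf_counter()
    shutil.copytree(backup, target)
    elapsed = time.perf_counter() - start

    restored = build_manifest(target)
    problems = [rel for rel, digest in manifest.items()
                if restored.get(rel) != digest]          # missing or altered
    problems += [rel for rel in restored if rel not in manifest]  # unexpected
    return elapsed, sorted(problems)


def simulate_corruption(backup: Path, rel: str) -> None:
    """Overwrite one backed-up file, standing in for media rot or an attacker
    who reached the backup share before triggering encryption."""
    (backup / rel).write_bytes(b"\x00" * 64)


def run_drill(corrupt: Optional[str] = None) -> Tuple[float, List[str]]:
    """Run the whole drill on a constructed data set.

    If `corrupt` names a file, that file is damaged in the backup before the
    restore so the verification failure path is exercised.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "source"
        # Constructed sample data; any real tree works the same way.
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_bytes(b"id,amount\n1,100\n2,250\n")
        (source / "notes.txt").write_bytes(b"constructed sample data\n")

        manifest = take_backup(source, base / "backup")
        if corrupt:
            simulate_corruption(base / "backup", corrupt)
        return restore_and_verify(base / "backup", manifest, base / "restored")


if __name__ == "__main__":
    seconds, problems = run_drill()
    print(f"clean restore: {seconds:.4f}s, problems={problems}")
    seconds, problems = run_drill(corrupt="notes.txt")
    print(f"tampered backup: {seconds:.4f}s, problems={problems}")
```

The restore time reported by a drill like this, scaled to the real data volume, is the number that belongs in the downtime and cost calculation; the list of problem files is what tells you, before an incident, whether the backup you are counting on would actually bring the business back.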
With ransomware attacks the norm rather than the exception in today's world, organizations must understand that preparing for such an attack is an imperative rather than a "nice-to-have." Why? Because losing access to all organizational data is no different from having every record on premises when the entire building goes up in flames.
As Benjamin Franklin once said: “By failing to prepare, you are preparing to fail.” The bottom line: An organization can feel comfortable saying “no” to ransom demands as long as it has confidence in the work it has done in advance to recover from the attack.