Nic Sarginson, Principal Solutions Engineer at the authentication product company Yubico, discusses what businesses need to defend against ransomware.
News of ransomware attacks breaks with alarming regularity. According to Check Point Research, there was a 41 per cent increase in attacks on organisations since the beginning of 2021, and a staggering 93 per cent increase year on year. Unfortunately, stopping attacks can feel like a game of whack-a-mole: hit one attacker and three more pop up. It is not a matter of if, but when, the next attack will come. Businesses can reduce the risk and impact of attacks by having a ransomware mitigation plan and an incident response procedure in place.
It is a common misconception that the primary cause of ransomware attacks is users clicking on suspicious links. While the first defence against these attacks is to stop users from clicking the links, the biggest reason these breaches succeed is that weak authentication protocols fail to stop attackers from gaining access to a system in the first place. Stronger multi-factor authentication (MFA) methods, such as phishing-resistant hardware security keys, are the solution.
The SolarWinds breach and the Twitter account hacks are examples of attackers exploiting outdated credentials to enter an organisation’s systems. These events emphasise why user access credentials need to be regularly assessed and updated throughout the business, and the critical need for a comprehensive ransomware mitigation strategy.
To build a plan, start by executing a business-wide audit to explore and assess every endpoint within a system and reinforce those which seem particularly susceptible to being compromised. An in-depth checklist should be part of the mitigation plan and include a wide range of fundamental questions. For example: how many users have access, what processes are available to recover lost data, and what controls are in place to secure vulnerable data? Once the plans are in place, they must be tested and adjusted accordingly.
Organisations reviewing options for cyber insurance policies should note that insurance companies have been known to base their premium costs on the level of cybersecurity and risk mitigation measures an organisation has. Insurers may even deny coverage until MFA measures are implemented. Therefore, having a fully realised ransomware mitigation plan paired with modern MFA tools comes as an added benefit for organisations.
An incident response procedure (IRP)
In addition to a ransomware mitigation plan, a well-developed incident response procedure (IRP) can be the difference between a major ransomware catastrophe and a minor systematic error. An IRP must be updated and tested regularly. It should also be thoroughly detailed to avoid having to make on-the-spot decisions during an attack.
Cybercriminals are always looking to increase the impact of their attacks and find new ways to evade existing cybersecurity defences. Reporting tools and automated systems can be useful for detecting anomalies; however, most are primarily designed to counteract and identify known cyberattack vectors. Dealing with new or unknown attack vectors is where an IRP can be most effective.
When developing an IRP, ensure that all key stakeholders, such as operations, security teams and senior-level leadership, can share their input throughout the process. Organisation leaders should foster an environment of open communication and education on cybersecurity best practices to ensure all departments and teams are aligned during an attack. It is with this internal communication and collaboration that stakeholders can be sure that all areas of the business are ready in the event of a ransomware attack. Additionally, they should consider implementing incentives such as performance bonuses and actionable goals to keep teams focused and motivated when maintaining the IRP.