The Most Effective Ransomware Protection According To The Experts
Cyber extortion has quickly become the preferred cyber-crime for malicious actors. Attacks have grown exponentially and it is largely expected that the trajectory will only continue. In response to these attacks, organizations really need to be making careful assessments of their current cyber hygiene and strengthening their security measures. Below we have compiled some of the most effective cyber/ransomware security controls according to the experts and insurance companies. Not only will these controls help protect against cyber-extortion attacks but they will also help companies obtain more competitive terms and pricing when securing cyber insurance.
POLICIES & PROCEDURES
- REGULAR BACKUPS: Backups have always served as one of the best protections against cyber extortion attacks. Even if the cyber criminals do obtain your data, there’s a mirror copy you can back up from, which can help prevent victims from having to pay a ransom. It is important to note however, hackers are becoming more effective at circumventing backups by corrupting the backups themselves, and/or launching dual or triple extortion schemes to pressure their victims into paying. So while they are a bit less effective, all companies should be performing regular backups, while implementing best practices such as: maintaining multiple offline backups (preferably stored off site), periodic testing, and regular scanning for malware.
- DATA ENCRYPTION: Data encryption still serves as an important security control (especially for companies that maintain protected info), however in the event of a ransomware attack, hackers can still re-encrypt that data and demand a ransom for its return. Companies that do have strong encryption however, are more protected against hackers selling or publishing that info while concurrently requesting their ransoms.
- PASSWORD POLICIES: With the rise of the dark web and RAAS (ransomware as a service), credentials can be purchased online cheaply and easily. It is believed the Colonial Pipeline attack originated from a single stolen password that can be purchased online for as little as $1. While it may be deemed an inconvenience, companies should implement password policies prohibiting multiple usages of any single password, and requiring the regular changing of those passwords. Companies should also ensure that passwords are reset for any connected/IOT devices, as these can often be a weak link in the security chain.
- FORMAL BUSINESS CONTINUITY & DISASTER RECOVERY PLANS: Sustaining a cyber attack can be a frightening, dizzying experience…even more-so if you’re unprepared. Implementing formal continuity and recovery plans provides an effective blueprint in time of crisis, allowing organizations to respond as fast as possible which will also minimize the financial impact of any resulting downtime. These plans should outline among other items: how data/software/applications will be accessed, which computers will be used, roles of the personnel, which cyber specialists will be contacted, and more.
- VENDOR SECURITY ASSESSMENTS: Companies are only as secure as their weakest link. With the vast majority of companies relying on outsourced providers for business processes, it’s critical that organizations ensure their vendors have adequate controls in place to detect and prevent against attacks. A cyber attack affecting a 3rd party vendor could result in significant lost business income, or find its way to your network or software, infecting your computer systems. In order to minimize any such external risks, organizations should implement a formal set of required security standards for all outside vendors and require they provide proof of tech e&o and cyber insurance.
- EMPLOYEE TRAINING: If backups are the most common recommended security control, employee training is a close second. Most cyber attacks in general are carried out via email, so training employees to identify malicious emails and attachments is critical. Covid has also resulted in an over-stressed, over-worked workforce, effectively reducing employee awareness. This has created the ideal environment for phishing attacks which further underscores the importance of a formal training program for new and current employees.
- BYOD POLICIES: Malware, viruses and ransomware are all known to exploit vulnerabilities. For many organizations, employees may just be the weakest link. This is particularly true for companies that allow employees unrestricted usage of their own devices at the workplace. Employees may download malicious apps on their devices corrupting the company’s computer systems, spread existing viruses/malware by connecting to the company’s wifi, lose or misplace their devices which may contain protected info, or use their devices in manner that’s non-compliant with certain statutes or regulations. All of these risks highlight the importance of developing strong BYOD (bring your own device) policies. With the rise of the remote workforce, these policies are more important than ever.
- RESTRICT EMPLOYEE ACCESS: Employees should only be granted as much system access as required to complete their tasks. Granting more access than necessary not only exposes an organization to internal theft/fraud, but also to external threats. Allowing employees to download/install software for example may result in inadvertently installing of malicious code. Ransomware gangs are also increasingly targeting employees for assistance with carrying out attacks, further highlighting the importance of organizations’ restricting system access.
STANDARD SECURITY CONTROLS
- ANTI VIRUS SOFTWARE: Installing antivirus software is one of the most basic security controls companies can implement. Advanced attacks will likely bypass antivirus software but a 2019 study found that virus software is anywhere from 90% - 98% effective at protecting against intrusions.
- MODERN FIREWALLS: Firewalls are generally not known to be the most effective at preventing attacks, however they are a basic security control all organizations can implement easily, that will provide some protection. There are also certain practices that can be employed in order to maximize their performance. The newest generation of firewalls for example also include advanced features such as machine learning, and advanced sandboxing to detect and isolate potential threats.
- REGULAR UPDATES & PATCHES: This should include patching all web browsers, applications, software, operating systems, firmware, and content/data management systems as soon as possible and within 30 days of the patch or update being released. Organizations should also consider testing patches prior to organization-wide installation to ensure updates do not create any functionality or compatibility issues.
- ENABLE EMAIL AUTHENTICATION: With phishing/spoofing being one of the most common methods of intrusion, verifying the authenticity of an email can help prevent potential attacks. SPF, DKIM and DMARC are all different methods used for such verification. It’s also a control many companies can implement easily, at a minimal cost.
- DUAL FACTOR AUTHENTICATION: Dual factor authentication is another basic, yet useful tool in preventing unauthorized access. This can often thwart a malicious actor from accessing computer systems or software/applications by requiring a second means of verification. Dual Factor Authentication should be enabled on all email accounts (being accessed remotely), remote access software, and any business critical application that provides it as an option. Given the surge in remote work, this security control is more important than ever, and can be implemented easily, often at no cost.
ADVANCED DETECTION & PREVENTION
- SANDBOXING: Good cyber hygiene would dictate that suspicious files are avoided at all costs. However when suspicious files do require opening, or otherwise make it onto the network, a sandbox may be the only security measure preventing against an infection. They effectively provide a secure test environment used to isolate and test suspicious files that may be malicious.
- INTRUSION & THREAT DETECTION SYSTEMS: Advanced malware/ransomware can bypass anti-virus software. When an attack penetrates the first layer of security controls, the ability to immediately detect the threat and develop a response can minimize the resulting damages. These systems can provide a wealth of critical information regarding the attack and provide an automatic response.
- ADVANCED EMAIL THREAT PROTECTION: As its name implies, ATP software is advanced software that closely monitors emails for suspicious files. With a cited catch rate of 99.9%, advanced threat protection is the most comprehensive email security organizations can implement to detect email threats such as ransomware, phishing and business email compromise attacks.
- DATA LOSS PREVENTION SOFTWARE: Organizations that have a large amount of protected information or valuable IP should consider implementing data loss prevention software. DLP software oversees an organization’s sensitive data, monitoring what information was accessed by which users. If the software detects any unauthorized access of information and can automatically respond with preventative measures such as alerts and encryption.
Unfortunately even the most robust cyber security program can’t guarantee safety. All of these controls, when properly implemented, can significantly reduce the odds of being attacked, however most companies will still likely eventually fall victim to an attack at some point. Most organizations encounter a huge number of potential threats, and even if these security controls only allow a very small percentage to slip through, a small percent of a very large number still poses a sizable threat. When security measures fail, the only protection against significant financial damage, is a robust cyber insurance program. As an added benefit, these controls will also help companies secure favorable cyber insurance terms while reducing associated premiums. In our next post we discuss what to look for when reviewing/structuring ransomware insurance coverage.