Most weeks, you will be able to find news of a ransomware attack taking out an organization or even government services and municipalities. While these are often targeted attacks, the occasional one slips through from a widespread email spray. The downtime seen from an attack can reach multiple weeks. According to a recent Datto Global survey, the average cost of this downtime to an SMB is $141,000. That’s more than a 200% increase on the previous year’s average of $46,800. With numbers like these, it’s understandable that IT teams dread seeing that lock screen on any of their devices. But the question must be asked: given the media attention and number of high-profile ransomware attacks, why aren’t businesses more prepared and what needs to be done?
Why Aren’t Businesses More Prepared?
The answer, in my opinion, is often an easy one to overcome… budget! Despite the media coverage of the costs to businesses who aren’t prepared and protected against an attack, IT/security budgets still don’t cover what is needed to successfully defend against an attack or recover if an attack does happen. We still experience the age-old problem of funding being available only after an attack has happened — when it’s already too late.
What Needs to be Done?
Once the first hurdle is overcome, how can organizations allocate their spending and what are some areas that organizations can focus on for their upcoming budget? One of the most beneficial areas to invest in is a complete Business Continuity and Disaster Recovery (BCDR) solution. If you aren’t going with a full solution from a single supplier, a good methodology to follow is the 3-2-1 rule. This means having three copies of your data — the original and two backup copies. The two copies should be on different devices and/or storage media. This could be a cloud and an on-premises copy, or a SAN and a tape copy. Whichever media types are chosen, there need to be two! And one of these copies should be kept at a disconnected off-site location because ransomware now has worm-like capabilities and will try to replicate itself across any and all connected devices.
Of course, we must not forget about the second part of BCDR — the recovery. It is vitally important that the recovery is tested with a well-documented procedure. It’s great to have a backup solution following the 3-2-1 rule, but if you can’t recover that data in a timely manner, it is not much use. And this should be an ongoing process to be sure that if the need arises, your data is always available.
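The 3-2-1 rule and the recovery-testing point above can be checked mechanically against a backup inventory. The following is an added example, not code from Datto or Arrow; the inventory fields, the sample entries and the 90-day restore-test window are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Copy:
    name: str
    media: str                 # device/medium label, e.g. "san", "tape", "cloud"
    offsite: bool              # stored away from the primary site
    connected: bool            # reachable from the production network
    is_original: bool = False
    last_restore_test: Optional[date] = None

def audit_321(copies: List[Copy], today: date, max_test_age_days: int = 90) -> List[str]:
    """Return findings against the 3-2-1 rule; an empty list means it passes.
    max_test_age_days is an assumed policy value, not a figure from the article."""
    findings = []
    backups = [c for c in copies if not c.is_original]
    if len(copies) < 3 or len(backups) < 2:
        findings.append("fewer than three copies (original plus two backups)")
    if len({c.media for c in backups}) < 2:
        findings.append("backups do not span two different media")
    # A replicated off-site copy that stays connected is still reachable by a worm.
    if not any(c.offsite and not c.connected for c in backups):
        findings.append("no backup is both off-site and disconnected")
    for c in backups:
        if c.last_restore_test is None:
            findings.append(f"{c.name}: restore never tested")
        elif (today - c.last_restore_test).days > max_test_age_days:
            findings.append(f"{c.name}: last restore test is stale")
    return findings

# Constructed sample inventories (hypothetical names and dates).
TODAY = date(2019, 11, 25)
WEAK = [
    Copy("prod-san", "san", offsite=False, connected=True, is_original=True),
    Copy("nas-a", "nas", offsite=False, connected=True,
         last_restore_test=date(2019, 1, 10)),
    Copy("nas-b", "nas", offsite=True, connected=True),  # replicated, always online
]
GOOD = [
    Copy("prod-san", "san", offsite=False, connected=True, is_original=True),
    Copy("cloud", "cloud", offsite=True, connected=True,
         last_restore_test=date(2019, 10, 1)),
    Copy("tape-vault", "tape", offsite=True, connected=False,
         last_restore_test=date(2019, 9, 15)),
]

if __name__ == "__main__":
    for label, inventory in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(label, audit_321(inventory, TODAY) or "passes 3-2-1")
```

The WEAK inventory has three copies yet fails on every other point, which is the case a simple copy count would miss.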
Another area to invest in is multi-factor authentication (MFA), sometimes referred to as 2-factor authentication (2FA). Ryan Weeks, CISO at Datto, states “2FA across all technology solutions is one of the most effective controls to reduce the likelihood of a successful attack.” With a 2FA solution deployed and strong user and identity access controls, it becomes a lot more difficult for any malware — not just ransomware — to gain a foothold and spread across the environment.
The Importance of Educating Users
An area that was frequently overlooked in the past is employee awareness training. While this domain is rapidly growing in its adoption, there is still a lot to be done. In the Datto Global report, we see that 67% of ransomware infections in SMBs come from phishing emails. Educating users on not just the obvious phishing emails, but also the more sophisticated ones, is paramount. A common and easy control is to highlight when an email is coming from an external source. This would cover any potentially spoofed emails; however, employees still need to be vigilant. Whether you run an internal campaign using an open-source solution or you purchase a solution, user awareness is the first line of defense.
Even with all these controls in place, there is still no such thing as 100% secure. After all the controls have been implemented and you have a strong recovery procedure, the last piece of the puzzle is cybersecurity insurance. Many insurance companies now offer some form of cybersecurity insurance. If you are considering this type of insurance, you should talk to your current provider to see what they offer. Make sure that the policy covers ransomware attacks along with the recovery phase.
This is by no means an exhaustive list of the defenses and protections you can implement against a ransomware attack. I didn’t mention things like Endpoint Detection and Response (EDR), Identity and Access Management (IAM) or simply email/spam filters and controls. As with all security defenses, this is not a “set it and forget it” scenario. The solutions are dynamic and will need to be tuned, adjusted and enhanced over time. The threat landscape is ever-evolving, and so we must evolve our controls to match it.
Last modified: November 25, 2019