10 Actionable Steps To Protect Your Business From Ransomware And Cyber Attacks – Part 2

Right now, ransomware is among the top business risks.

In the last article, we discussed the first five of ten steps we recommend to protect your business from ransomware and cyber attacks and minimise the damage caused. Today, we’ll cover the remaining five steps.

As mentioned in the last article, our recommendations are based on the CIS Controls, a set of security best practices that help businesses prioritise their efforts to protect against common cyber attacks. We recommend using the CIS Controls as the basis of a cyber security program for two simple reasons:

  1. They are developed and updated based on the input of hundreds of IT and security experts.
  2. They are highly effective for protecting against today’s most common threats.

Our recommendations are focused on protecting against ransomware attacks. However, these steps effectively protect against all types of cyber attacks.

5 More Steps to Protect Against Ransomware And Cyber Attacks

Step 6: Malware defences

Ransomware trojans are malware, so defences intended to protect against malware are a logical step. Ransomware typically enters a network via vulnerabilities in endpoint devices, email clients, browsers, cloud services and other assets. In most cases, ransomware infections require users to take insecure actions, such as opening malicious email attachments, installing software, etc.

Some steps you can take to minimise the risk of ransomware infections include:

  • Use anti-malware technologies such as antivirus (AV), Endpoint Detection and Response (EDR) and Endpoint Protection Platforms (EPP) and ensure they are configured for automatic signature updates.
  • Ideally, use behaviour-based anti-malware tools. Attackers change their infrastructure and tools often but typically reuse the same attack behaviours repeatedly as they are much harder to change.
  • Disable autorun for removable storage devices like USB sticks. If you want to lock things down, turn off removable storage altogether for most (if not all) users.
  • Enable anti-exploitation features in your operating system.

Step 7: Data Recovery

Data recovery and backups are the most widely recommended defence against ransomware. The reasoning is simple: if critical files and systems have been locked up by a ransomware attack, restoring from backups is generally the fastest and most reliable way to get back up and running.

(Quick point of interest here. In the Colonial Pipeline attack mentioned earlier, the company’s directors decided to pay the ransom to restore operations more quickly. However, the attacker’s decryptor was so slow that the company was ultimately forced to use its backups. This illustrates an important point—paying a ransom is no guarantee you’ll receive an efficient (or even operational) decryptor, so you must have recent backups in place.)

Your business’s backups should be:

  • Taken automatically, at least daily.
  • Stored off-site.
  • Completely segregated from your core network.
  • Tested regularly.

You should also have a proven, tested plan to quickly restore your systems and files to a working state. Remember that many ransomware variants prevent you from using typical system restore functions, so you may need to reimage affected machines and servers.
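"Tested regularly" is the part of the backup advice that most often goes unverified, so here is an added example (not CyberOne's tooling or anything from the original article) of a small restore test in Python: it records a SHA-256 manifest of the source tree, verifies a restored copy file by file, and checks that the newest backup is within the 24-hour window the article's "at least daily" recommendation implies. The directory layout, file names and the 24-hour threshold are assumptions chosen for illustration; the sample data is constructed inside the script.

```python
"""Backup restore-test helper (added example; not CyberOne's tooling).

Builds a SHA-256 manifest of a source tree, verifies a restored copy against
it, and checks that the last backup is recent enough. Paths, file names and
the 24-hour freshness threshold are assumptions for illustration.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB pieces so large backups do not load into RAM


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> list:
    """Return human-readable problems; an empty list means the restore is exact."""
    problems = []
    for rel, expected in manifest.items():
        target = restored / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(target) != expected:
            problems.append(f"corrupt: {rel}")
    # Files that were not in the original tree indicate a wrong or mixed restore
    extra = set(build_manifest(restored)) - set(manifest)
    problems.extend(f"unexpected: {rel}" for rel in sorted(extra))
    return problems


def backup_is_fresh(last_backup: datetime, now: datetime,
                    max_age: timedelta = timedelta(days=1)) -> bool:
    """True if the last backup completed within max_age (daily by default)."""
    return now - last_backup <= max_age


def demo() -> list:
    """Constructed scenario: a restore in which one file was silently altered."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "fileserver"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("2024-01-01,invoice,1200\n")
        (src / "readme.txt").write_text("constructed sample data\n")
        manifest = build_manifest(src)  # taken at backup time

        restored = Path(tmp) / "restore-test"
        shutil.copytree(src, restored)
        # Simulate a corrupted or partially restored file
        (restored / "finance" / "ledger.csv").write_text("2024-01-01,invoice,1299\n")
        return verify_restore(manifest, restored)


def freshness_demo() -> tuple:
    """Constructed timestamps: a 20-hour-old backup passes, a 30-hour-old one fails."""
    now = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    return (backup_is_fresh(now - timedelta(hours=20), now),
            backup_is_fresh(now - timedelta(hours=30), now))


if __name__ == "__main__":
    for line in demo():
        print(line)
    print("freshness (20h, 30h):", freshness_demo())
```

Keep the manifest with the backup but also in a second location the backup system cannot write to; if a restore test passes against a manifest that sits on the same media the ransomware encrypted, it proves little.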

Step 8: Secure Network Design

It’s not always possible to prevent an attacker from entering your network, but you can substantially reduce the damage they can cause. Networks are often securely configured when designed initially, but become less so over time.

It’s common for administrators to make exceptions to device configurations and access controls and allow traffic flows for specific purposes. However, these exceptions are rarely reviewed and often stay in place indefinitely, creating a significant security weakness.

To minimise this risk, essential steps to take include:

  • Implement comprehensive network security solutions to protect the confidentiality, integrity and availability of your network.
  • Keep architecture diagrams and review them regularly.
  • Keep a register of every exception and review it regularly. Revert exceptions that are no longer needed.
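The exception problem described above is a record-keeping problem as much as a technical one. As an added example (not CyberOne's tooling or anything from the original article), the following Python script reads a small register of firewall exceptions and reports which ones have expired, have no expiry at all, or have not been reviewed within 90 days. The register columns, the 90-day review interval and the sample rules are assumptions; the data is constructed inline.

```python
"""Firewall-exception register review (added example; not CyberOne's tooling).

Reads a register of temporary exceptions (constructed sample data) and flags
the ones that should be reverted or re-approved. Column names, the 90-day
review interval and the sample rules are assumptions for illustration.
"""
import csv
import io
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)

# Constructed register: the kind of table an administrator keeps next to the change log.
REGISTER_CSV = """\
id,rule,owner,created,expires,last_reviewed
EX-001,allow tcp/3389 from 203.0.113.0/24 to srv-app01,j.smith,2024-01-15,2024-02-15,2024-01-15
EX-002,allow any from vendor-vpn to finance-vlan,k.jones,2023-11-02,,2024-03-01
EX-003,allow tcp/445 from dmz to file01,a.patel,2024-05-20,2024-12-31,2024-05-20
EX-004,allow udp/161 from mon01 to core-switches,ops,2024-04-10,2025-04-10,2024-06-01
"""


def _parse_date(text: str):
    """Empty cells mean 'not set', which is itself a finding for the expiry column."""
    return date.fromisoformat(text) if text else None


def review_exceptions(csv_text: str, today: date) -> list:
    """Return (id, finding) pairs for every exception needing action on `today`."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        expires = _parse_date(row["expires"])
        reviewed = _parse_date(row["last_reviewed"])
        if expires is None:
            findings.append((row["id"], "no expiry date: open-ended exception, set one or revert"))
        elif expires < today:
            findings.append((row["id"], f"expired on {expires}: revert the rule"))
        if reviewed is None or today - reviewed > REVIEW_INTERVAL:
            findings.append((row["id"], "review overdue: re-approve with the owner or revert"))
    return findings


def demo(today: date = date(2024, 6, 30)) -> list:
    """Run the review against the constructed register on a fixed date."""
    return review_exceptions(REGISTER_CSV, today)


if __name__ == "__main__":
    for exc_id, finding in demo():
        print(f"{exc_id}: {finding}")
```

Run against the constructed register on 30 June 2024, EX-001 is flagged twice (expired in February, last review in January) and EX-002 twice (no expiry, last review more than 90 days ago); EX-003 and EX-004 are clean. The useful habit is to run this from the same schedule that produces your other compliance reports, so an exception that was meant to last a fortnight cannot quietly become permanent.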

Step 9: Security Awareness Training

Users pose a significant security risk. Untrained users will inevitably take insecure actions that compromise your business’s security and are easily tricked by basic social engineering attacks.

In addition to locking down privileges to the bare minimum, users should receive a basic level of training in identifying malicious websites and emails, the types of threats they may face and the protocols they should follow.

Essential steps include establishing a security awareness training program and keeping it current. Some of the most important topics to include are:

  • Recognising social engineering attacks via email, text and voice messages, etc.
  • Authentication best practices, e.g., choosing secure and unique passwords, using Single Sign On (SSO) or password managers, etc.
  • How to securely handle private data.
  • Risks associated with the public Internet and email.

Step 10: Incident Response

No matter how strong your protective controls are, you can never prevent 100% of cyber threats, including ransomware. That means there’s a reasonable chance that a ransomware trojan will eventually fire inside your network and you’ll need to contain it.

The main purpose of incident response is to quickly find and contain threats before they can spread across your network and cause significant damage or disruption. So-called ‘dwell time’ is a substantial component of modern threats, where attackers have a presence inside a target network for days, weeks, or even months before they take malicious action. During this time, attackers expand their presence and privileges and often install additional malicious software to allow themselves to maintain access even if their presence is discovered.

Dwell time is significant for ransomware attacks, as attackers often spend time finding and stealing data before they start encrypting. If your business can identify the attackers’ presence during this time, you may be able to remediate the threat before the attacker can cause any significant harm.

Even if this isn’t possible, fast and effective incident response can minimise the damage, disruption and cost of cyber attacks that successfully bypass your organisation’s defences. In most cases, you’ll be able to protect business continuity and minimise expenses. Building effective, always-on incident response capabilities can be costly and slow, so many businesses prefer to outsource this function to a trusted security partner.
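Finding the encryption phase quickly is what turns a business-wide outage into a single-host clean-up, and it is one of the simplest things to detect in file-server audit logs. As an added example (not CyberOne's tooling or anything from the original article), the following Python script watches a constructed audit log and raises an alert for any account that modifies more than 20 files inside a 60-second sliding window. The log format, field names, account names, threshold and window are assumptions; the sample log is generated inside the script, with one ordinary user and one account performing a burst of renames.

```python
"""Mass-file-modification detector over a constructed file-server audit log
(added example; not CyberOne's tooling). Flags any account that changes more
than THRESHOLD files within WINDOW, a pattern typical of the encryption phase
of a ransomware attack. Log format, field names, threshold and window are
assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
THRESHOLD = 20
FILE_CHANGING = {"write", "rename"}


def parse(line: str) -> tuple:
    """Split 'ts,user,host,action,path' (paths may contain ' -> ' but no commas)."""
    ts, user, host, action, path = line.split(",", 4)
    return datetime.fromisoformat(ts), user, host, action, path


def constructed_log() -> list:
    """Build sample audit lines in chronological order."""
    base = datetime(2024, 6, 12, 2, 14, 0)
    lines = []
    # Ordinary activity: five edits spread over an hour
    for i in range(5):
        ts = base + timedelta(minutes=12 * i)
        lines.append(f"{ts.isoformat()},j.smith,fs01,write,/finance/report{i}.xlsx")
    # Suspicious burst: 25 renames to a new extension within 30 seconds
    for i in range(25):
        ts = base + timedelta(milliseconds=1200 * i)
        lines.append(f"{ts.isoformat()},svc-backup,fs01,rename,"
                     f"/hr/doc{i}.docx -> /hr/doc{i}.docx.locked")
    return sorted(lines, key=lambda l: parse(l)[0])


def detect_bursts(lines, window: timedelta = WINDOW, threshold: int = THRESHOLD) -> list:
    """Return one (user, window_start, count) alert per user exceeding the threshold."""
    recent = defaultdict(deque)  # user -> timestamps of recent file-changing events
    alerted = set()
    alerts = []
    for line in lines:
        ts, user, _host, action, _path = parse(line)
        if action not in FILE_CHANGING:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) > threshold and user not in alerted:
            alerted.add(user)  # alert once per account, not once per extra file
            alerts.append((user, q[0], len(q)))
    return alerts


if __name__ == "__main__":
    for user, start, count in detect_bursts(constructed_log()):
        print(f"ALERT {user}: {count} file changes since {start.isoformat()}")
```

On the constructed log the ordinary user never trips the threshold, while the service account is flagged at its 21st rename, about 24 seconds into the burst. A real deployment would feed the alert into the containment step the article describes (isolate the host, disable the account) rather than just printing it, and would tune the threshold per share so that legitimate batch jobs do not page anyone at 2am.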

We’re Here to Help

Making major decisions about the direction of your cyber security program can be daunting. The decisions you make—which tools you purchase, how you design your network and where you store your backups—can have huge implications for the future of your business.

At CyberOne, we have over 15 years of experience helping UK businesses design, build and improve cyber security programs that support their business objectives. Our consultancy-led approach will ensure you receive guidance and support tailored to your business.

Contact us today to learn more about our services or arrange a consultation.