Right now, ransomware is among the top business risks.
In the last article, we discussed the first five of ten steps we recommend to protect your business from ransomware and cyber attacks and minimise the damage caused. Today, we’ll cover the remaining five steps.
As mentioned in the last article, our recommendations are based on the CIS Controls, a set of security best practices that help businesses prioritise their efforts to protect against common cyber attacks. We recommend using the CIS Controls as the basis of a cyber security program for two simple reasons:
Our recommendations are focused on protecting against ransomware attacks. However, these steps effectively protect against all types of cyber attacks.
Ransomware trojans are malware, so defences intended to protect against malware are a logical step. Ransomware typically enters a network via vulnerabilities in endpoint devices, email clients, browsers, cloud services and other assets. In most cases, ransomware infections require users to take insecure actions, such as opening malicious email attachments, installing software, etc.
Some steps you can take to minimise the risk of ransomware infections include:
Data recovery and backups are the most widely recommended defence against ransomware. The reasoning is simple: if critical files and systems have been locked up by a ransomware attack, restoring from backups is generally the fastest and most reliable way to get back up and running.
(Quick point of interest here. In the Colonial Pipeline attack mentioned earlier, the company’s directors decided to pay the ransom to restore operations more quickly. However, the attacker’s decryptor was so slow that the company was ultimately forced to use its backups. This illustrates an important point: paying a ransom is no guarantee you’ll receive an efficient (or even operational) decryptor, so you must have recent backups in place.)
Your business’s backups should be:
You should also have a proven, tested plan to quickly restore your systems and files to a working state. Remember that many ransomware variants prevent you from using typical system restore functions, so you may need to reimage affected machines and servers.
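As an added example (not CyberOne’s code or part of the original article), the check below evaluates a constructed backup inventory against the two points above: backups must be recent and kept out of the attacker’s reach, and restores must have been tested. The thresholds and record fields are assumptions; adjust them to your own recovery objectives.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds (not from the article): maximum age of the latest
# backup and maximum time since the last successful test restore.
MAX_BACKUP_AGE = timedelta(hours=24)
MAX_RESTORE_TEST_AGE = timedelta(days=90)


def assess_backup_readiness(systems, now, max_backup_age=MAX_BACKUP_AGE,
                            max_restore_test_age=MAX_RESTORE_TEST_AGE):
    """Map each system name to a list of policy failures (empty list = OK).

    Each record in `systems` is a dict with the assumed fields:
      name, last_backup (datetime), offline_copy (bool),
      last_restore_test (datetime or None).
    """
    findings = {}
    for s in systems:
        problems = []
        if now - s["last_backup"] > max_backup_age:
            problems.append("backup older than policy")
        # A copy reachable from the production network can be encrypted too.
        if not s["offline_copy"]:
            problems.append("no offline/immutable copy")
        tested = s["last_restore_test"]
        if tested is None:
            problems.append("restore never tested")
        elif now - tested > max_restore_test_age:
            problems.append("restore test overdue")
        findings[s["name"]] = problems
    return findings


# Constructed sample inventory for demonstration only.
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_SYSTEMS = [
    {"name": "fileserver01", "last_backup": NOW - timedelta(hours=6),
     "offline_copy": True, "last_restore_test": NOW - timedelta(days=30)},
    {"name": "erp-db", "last_backup": NOW - timedelta(days=3),
     "offline_copy": False, "last_restore_test": None},
    {"name": "mail", "last_backup": NOW - timedelta(hours=20),
     "offline_copy": True, "last_restore_test": NOW - timedelta(days=120)},
]

if __name__ == "__main__":
    for name, problems in assess_backup_readiness(SAMPLE_SYSTEMS, NOW).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```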
It’s not always possible to prevent an attacker from entering your network, but you can substantially reduce the damage they can cause. Networks are often securely configured when designed initially, but become less so over time.
It’s common for administrators to make exceptions to device configurations and access controls and allow traffic flows for specific purposes. However, these exceptions are rarely reviewed and often stay in place indefinitely, creating a significant security weakness.
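As an added example (not CyberOne’s code or part of the original article), the audit below runs over a constructed register of firewall exceptions and flags the weakness described above: exceptions with no owner, no justification, no expiry, or no recent review. The register fields and the review interval are assumptions.

```python
from datetime import date, timedelta

# Assumed policy (not from the article): every exception needs an owner, a
# business justification and an expiry date, and must be re-reviewed at
# least every REVIEW_INTERVAL.
REVIEW_INTERVAL = timedelta(days=90)


def audit_exceptions(exceptions, today, review_interval=REVIEW_INTERVAL):
    """Return a list of (id, rule, reasons) for exceptions needing attention.

    Each exception is a dict with the assumed fields:
      id, rule, owner, justification, expires (date or None),
      last_reviewed (date or None).
    """
    findings = []
    for e in exceptions:
        reasons = []
        if not e.get("owner"):
            reasons.append("no owner")
        if not e.get("justification"):
            reasons.append("no business justification")
        if e.get("expires") is None:
            reasons.append("no expiry (indefinite)")
        elif e["expires"] < today:
            reasons.append("expired but still in place")
        last = e.get("last_reviewed")
        if last is None or today - last > review_interval:
            reasons.append("review overdue")
        if reasons:
            findings.append((e["id"], e["rule"], reasons))
    return findings


# Constructed sample register (private-range addresses, illustrative only).
SAMPLE_EXCEPTIONS = [
    {"id": "EXC-001", "rule": "allow tcp/3389 any -> 10.0.5.12",
     "owner": "ops", "justification": "vendor support for Q1 migration",
     "expires": date(2024, 3, 31), "last_reviewed": date(2024, 1, 15)},
    {"id": "EXC-002", "rule": "allow tcp/445 10.0.0.0/8 -> 10.0.9.0/24",
     "owner": None, "justification": "", "expires": None,
     "last_reviewed": None},
    {"id": "EXC-003", "rule": "allow tcp/443 10.0.1.0/24 -> 10.0.20.5",
     "owner": "app-team", "justification": "API integration",
     "expires": date(2025, 1, 1), "last_reviewed": date(2024, 5, 20)},
]

if __name__ == "__main__":
    for exc_id, rule, reasons in audit_exceptions(SAMPLE_EXCEPTIONS, date(2024, 6, 1)):
        print(f"{exc_id} [{rule}]: {', '.join(reasons)}")
```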
To minimise this risk, essential steps to take include:
Users pose a significant security risk. Untrained users will inevitably take insecure actions that compromise your business’s security and are easily tricked by basic social engineering attacks.
In addition to locking down privileges to the bare minimum, users should receive a basic level of training in identifying malicious websites and emails, the types of threats they may face and the protocols they should follow.
Essential steps include establishing a security awareness training program and keeping it current. Some of the most important topics to include are:
No matter how strong your protective controls are, you can never prevent 100% of cyber threats, including ransomware. That means there’s a reasonable chance that a ransomware trojan will eventually execute inside your network and you’ll need to contain it.
The main purpose of incident response is to quickly find and contain threats before they can spread across your network and cause significant damage or disruption. So-called ‘dwell time’, the period during which attackers have a presence inside a target network before they take malicious action, is a substantial component of modern threats and can last days, weeks or even months. During this time, attackers expand their presence and privileges and often install additional malicious software so they can maintain access even if their initial foothold is discovered.
Dwell time is significant for ransomware attacks, as attackers often spend time finding and stealing data before they start encrypting. If your business can identify the attackers’ presence during this time, you may be able to remediate the threat before the attacker can cause any significant harm.
Even if this isn’t possible, fast and effective incident response can minimise the damage, disruption and cost of cyber attacks that successfully bypass your organisation’s defences. In most cases, you’ll be able to protect business continuity and minimise expenses. Building effective, always-on incident response capabilities can be costly and slow, so many businesses prefer to outsource this function to a trusted security partner.
Making major decisions about the direction of your cyber security program can be daunting. The decisions you make—which tools you purchase, how you design your network and where you store your backups—can have huge implications for the future of your business.
At CyberOne, we have over 15 years of experience helping UK businesses design, build and improve cyber security programs that support their business objectives. Our consultancy-led approach will ensure you receive guidance and support tailored to your business.
Contact us today to learn more about our services or arrange a consultation.