It seems to be in the news at every turn. Ransomware attacks. Corporate breaches. Identity theft and data loss. As businesses continue to move toward more robust and redundant backup solutions, the frequency of ransomware payments diminished because businesses were able to recover their data from backups. Threat Actors (TAs) started to see this trend and changed their modus operandi. Cybersecurity can play a critical role in protecting a business during the interruption caused by a ransomware attack.
The Current Methodology of Ransomware Attacks
Threat actors are now shifting to exfiltrating (stealing) the business’s data prior to the ransomware attack to ensure that they are paid the ransom. The business may have a viable backup, but their intellectual property, confidential business data, client information and PII (personal identifiable information) or ePHI (electronic protected health information) may have already been stolen.
To have some assurances from the hackers that they won’t publish their data on “shaming” or auction sites, the business often opts to pay the TA for the removal of their information from the hacker’s servers.
How should a business proceed if faced with this predicament? What is the potential impact of paying or not paying the ransom?
An Analysis of Ransomware Risks
Let’s analyze each aspect of the attack and understand the risks associated with them. The first is the encryption of the data by the TA. When a ransomware attack is executed, the primary impact to the business is the encryption of the data. There are a few things that must be considered.
- What is the status of the backups – are they viable?
- How long will it take to restore the data from the backups?
- What is the depth and scope of the attack?
- Are all or most of the workstations and servers impacted? If so, how long will it take to rebuild the machines?
If the backups have been destroyed, are unrecoverable or are incomplete, the only option may be to pay the ransom. If this is the case, insurance may play a vital role in helping the business recover from the interruption of the attack, i.e., lack of business continuity, as well as the ransom payment and legal fees.
In many cases, the entire network may need to be rebuilt because the attack damaged computers and the TA deployed additional hacking tools on the network. Also, due to the nature of the attack and the financial impact of business interruption, a decision may be made to pay the ransom to help the business recover in a shorter period, rather than by trying to recover from backups.
How to Protect Your Business
What must businesses do to properly protect themselves? The answer is multifaceted and not simple, especially for businesses that deal with confidential and regulated information.
Can your business afford to be down for two or more weeks as the result of a ransomware attack? In most cases, regardless of the size of the business or the types of backup solutions in place, the business must make plans for being down for two weeks. Let’s look at some recommendations to help minimize the chances of an attack.
First, most small and medium-sized businesses do not have any type of Incident Response (IR) Plan in place to deal with a cyber event, ora natural disaster (fire, flood, hurricane, etc.). When an event occurs at a business, there is often panic and chaos as a result of poor planning. A disaster and incident response plan will help guide the business through such an event by providing a detailed methodology for dealing with the situation, speeding up the recovery process.IR plans should include:
- Legal and insurance contacts
- Contacts for business stakeholders
- Software license information
- Vendor contracts
- Backup strategies
- IT contacts
- Emergency contacts for building maintenance
- An Incident Response firm.
The Importance of a Security Risk Assessment
A root cause for many ransomware attacks is the lack of analyzing risk for the business. Most businesses have not conducted a thorough security risk assessment executed by a cybersecurity company. They have no idea of the size or scope of their attack surface, and the business often “feels good” about the security their IT company has put in place. Without understanding where the business has risk, they cannot address it. A security risk assessment helps the business identify risk and put processes and technology in place to mitigate and reduce it.
A business should be investing in security technology and training for its employees. Businesses are typically hit in one of two ways—their people or their technology. Having a formalized cybersecurity awareness training program helps mitigate social engineering scams.
Other steps, such as threat hunting, external and internal vulnerability management, penetration testing, EDR/XDR software, multi-factor authentication, comprehensive and off-site backup, and third-party risk assessments, will significantly reduce the attack surface and bring to light risks the business was not even aware of.
Implementing effective risk management strategies and combining it with cyber coverage is the best approach to mitigating the impact of an attack against a business.