Oddly, the general business reaction to ransomware attacks mirrors the reaction to Covid-19. While I’m not going to claim a person’s political views influence what they think of ransomware and how they respond, it is clear beliefs and corresponding responses fall into three groups.
First, let’s look at those who are certain ransomware isn’t as big a deal as the media makes it out to be. We’ll call them the “what are the chances, really” group. While they know there are companies that have been breached and had important data held hostage as a result, they don’t think it could happen to their organization.
While some may think they are unlikely targets, it’s more likely they (incorrectly) believe they are breach-proof. Too many companies with very good security protocols have been breached because of human error or lax use of security tools such as multifactor authentication (MFA).
MFA can play a critical role in stopping ransomware, but it doesn’t mean an attack won’t reach your systems. When it is properly configured, deployed, and used consistently, MFA reduces the number of entry points through which a bad actor can gain access. Assuming that its presence within an organization guarantees no bad actor can get in is pure wishful thinking. Unfortunately, even when the only door in is through a credential, which is seldom actually the case, 100% deployment is unlikely, let alone 100% correct configuration, deployment, and usage. This conceit is also a significant crack in zero trust initiatives.
In addition, the assumption that MFA solves everything overlooks the possibility of an attack through a compromised service. These attacks totally bypass authentication. If the attacker reaches the shell, they are able to create new accounts and can launch their reconnaissance from there.
While this group is no more likely to be the target of a ransomware attack, by trivializing the seriousness of ransomware or their chances of being a target, they increase the chance that an attack, if it comes, will have a severe negative impact. They are less likely to detect an attack and won’t know of it until their data is encrypted and a ransom demand is made. Organizations that remain inactive even after paying a ransom are likely to be the victims of additional attacks at increasing cost.
The second group fears it is not doing enough to address the possibility of an attack. Its members also believe it is likely someone unknown has already been in their systems. Although this group realizes the gravity of having critical data inaccessible, they may not know the best way to protect against an attack or to minimize its impact if someone is able to access critical data. In some instances, particularly in organizations without a dedicated security function, there is a counterintuitive reaction. Because an individual or group fears not making the right security decisions, they make no decisions at all. In other words, they scare themselves to the point of metaphorical paralysis. They don’t purchase the right security solution because they don’t know if it will address every possibility.
A key difference from the group in denial of the possibility of an attack is that if the fearful group becomes a victim of ransomware, they are much quicker to act. Their response is likely to be more thorough, with a focus on determining how the breach was possible. They are also more likely to make a fast cybersecurity solution purchase, though their haste means the purchase is more likely to be from one of the first vendors they’ve met instead of one properly vetted through a purchasing process.
The third group has a healthy dose of respect for the likelihood of an attack and what it would mean for their organization because they have assessed their situation prior to any known attempted or successful attack. This group follows a process that starts with assessing risk from both a monetary and vulnerability perspective. I strongly suggest removing the question of “how likely is my organization to be attacked?” from that process, because this self-assessment is likely to be incorrect. In February, SonicWall released its 2022 Cyber Threat Report, in which it reported that ransomware attacks increased 105% in 2021 with governments worldwide reporting an 1,885% increase and the healthcare industry seeing a 755% increase in these attacks. While these increases are stunning, law enforcement believes many ransomware attacks go unreported. The true number of ransomware attacks and their related cost is unknown.
Next, the organizational assessment must identify threat vectors, the paths someone could take to gain access to a device or system. It’s important to assess not only what is protected, but also where there may be forgotten access points. This could be in the form of software where a third party was given access for support, but that access was never revoked. Similarly, an employee who left an organization may still have access to data through an admin login or other granted permissions, but because it wasn’t tied to their own username, this access is left unprotected. Even a SaaS business tool no longer in use is a possible threat vector. Once it is forgotten, the related security is likely to be forgotten as well.
When creating a plan to address all the vulnerabilities found, it is also essential to have a realistic budget and implementation timeline. It is equally important to measure how well solutions are actually protecting against attack. If multiple cybersecurity solutions are required, implementing them one by one may mean too long a delay in addressing vulnerabilities. Therefore, a plan capturing all known needs will enable security teams, even a team of one person, to prioritize, plan for parallel deployments, and determine effective measurements. As part of the regular assessment of ransomware vulnerabilities, organizations should also expect to evaluate new solutions for vulnerabilities that are not yet protected. While bad actors are continuously innovating their methods, so are cybersecurity vendors. Problems that seemed insurmountable just a few years ago are now addressable with advancements in areas such as machine learning and cloud-based scalability.
As with the global pandemic, how well an individual organization will be able to combat a ransomware attack or minimize its impact is determined by preventive measures and a planned response. How much time and money is put into this preparation will affect the organization now and for years to come.