The cybersecurity industry and internal security teams are stretched thin, and this was before the COVID-19 pandemic struck in 2020. Ransomware attacks are now so abundant that some businesses and organizations face significant struggles in getting back online.
With a shortage of workers in the cybersecurity industry, this often means there is no immediate help in sight. With the rise in ransomware attacks, we wanted to hear from cybersecurity experts and other leaders in the IT and security industries about how businesses and organizations can protect themselves from ransomware and how they can recover if they become victims of ransomware attacks.
”You should have a solid cybersecurity plan, disaster recovery, and cyber insurance as 3 high levels of protection. Also having a Cyber Security-focused IT provider adds to your protection with the expertise to handle such an attack and perform an incident response”, said Nick Allo of SemTech IT Solutions. ”A lot of businesses don’t understand how some basic steps can go a long way in protecting their data and business from ransomware. There are three super easy and simple things businesses can implement right away”, said Ashu Singhal of Orion Networks.
- Make sure all computers and servers are updated regularly either via Auto-Update or regular security patching policy. Think of these as plugging the holes as soon as they are found so ransomware cannot get into your network.
- Make sure you have a good robust Antivirus and Malware protection like ESET, Webroot, etc. Do not skimp on this and go for freeware or low-budget ones. That few dollars extra spend can help save thousands you potentially will lose in malware or ransomware attacks
- If your network is growing, get a proper IT Consultant or Company that knows what they are doing. Again, sometimes saving your infrastructure can be a cat and mouse game, and it goes a long way having someone whose sole focus is your IT infrastructure.
Advice for Small Businesses
According to Homeland Security, today there has been a 63% Increase in cybercrime during the pandemic and has already inflected damages totaling $6 trillion globally in 2021 according to Cybercrime Magazine. The potential scope and impact of a ransomware cyberattack on a business can be staggering. If carried out, an attacker could cause chaos or catastrophic damage to the critical infrastructure and economic operations of your business. The bad news is that many businesses are not taking the necessary steps to secure their infrastructure and are vulnerable to disruption and damage, at least in part due to our own hubris and complacency. The good news is there are steps that can be taken to reduce exposure to potential ransomware cyberattacks and lessen the recovery time and resulting expense, said Anthony Buonaspina, BSEE, BSCS, CPACC, CEO and founder of LI Tech Advisors.
Buonaspina provided a list of tips for small businesses to help protect themselves against ransomware cybercrimes and quickly recover if attacked.
- Secure your hardware — make sure you are using the latest security patches and complicated passwords are being implemented. Use 2-factor authentication where possible. Also, make sure that you turn on BitLocker device encryption for all your Windows 10 devices and enable remote-wipe any mobile devices that might be lost or stolen in order to protect the data it has access to.
- Encrypt and Backup data — you need to make sure you prevent physical access to sensitive data and also render it useless if it falls into the wrong hands. Data encryption is the best “quick fix” for data breaches. If a data breach should occur, the data would be inaccessible.
- Perform a network security scan — you should periodically run a network security scan of your network to see what devices are attached and where security holes may reside.
- Train your employees — One of the weakest security points are your employees. Ongoing training is very important to maintain a heightened level of awareness of cyber threats. Purchase a cybersecurity training service that will automatically send out fake phishing attempts to test your employees and train them if they fail.
- Invest in cyber insurance — consider this business continuity insurance in the event that any of the security measures you have taken fail. If you fall prey to a ransomware attack, cyber insurance will help you recover by offering financial support to quickly remediate the issue.
Ransomware Recovery: A Multi-Layered Approach
”There is no silver bullet when it comes to protecting your business from ransomware attacks. The best defense comes from a multi-layered approach of establishing foundational cybersecurity policies and implementing a combination of cybersecurity best practices within your company. It all starts with establishing some basic security policies within your organization that you can build off”, said Kenny Riley of Velocity IT.
Some examples of these would be a written information security policy (WISP), password policy, and acceptable use policy. From there, auditing edge devices on your network such as your firewall and ensuring that unnecessary and insecure ports are closed is vital to ensure that your organization isn’t leaving the door open for a cyberattack from the outside”, added Riley.
Riley also said, ”Implementing various cybersecurity best practices within your company such as multi-factor authentication, email threat protection, an EDR/MDR (endpoint detection & response/managed detection & response) solution, and cybersecurity awareness training for your employees go a long way in preventing a ransomware attack from occurring.”
”In the unfortunate event that your company is the victim of a ransomware attack, your only real chance of recovery outside of paying the ransom (which is never recommended!) is going to be relying on good backups. Your organization should have an established backup & disaster recovery protocol in place and those backups should be tested regularly to verify data integrity. Another recommendation is that your company obtain cybersecurity insurance to help with the liability and possible litigation that may occur in the aftermath of a ransomware or cybersecurity attack within your organization” said Riley.
Security Awareness Training
Ransomware continues to grow at an explosive rate, and employees need to be given effective security awareness training. It will be easier to prevent ransomware attacks and other cyberattacks if your employees know what to look for. If your employees understand the latest techniques and tactics of cybercriminals, it will be easier for them to avoid making mistakes that could harm your business.
”Email continues to be a primary infection vector for malicious payloads. Consistent security awareness training for employees is a cost-effective measure that businesses can take to reduce the likelihood that a phishing attack will be successful. Many of the recent ransomware attacks have leveraged unknown or ‘zero’ day vulnerabilities. This means that while regular updates and patching of software are important, it’s not enough. Additional layers of security that detect abnormal behavior across the network are needed. Cybercriminals are gaining access to networks and selling that access to ransomware gangs — often, that unauthorized access has been in place for months, undetected. Regular account audits, especially of privileged accounts are essential”, said Michael Anderson of 365 Technologies.
In the event of a ransomware attack any other cyberattack, it is essential to have your data backed up. Many businesses and organizations have been able to recover from a ransomware attack because they had an effective backup solution.
”The key to a timely recovery from ransomware is backups”, said Joe Cannata of Techsperts, LLC. ”We often get pushback when recommending backups on all user systems, not just servers. The pushback comes because clients feel not all users have critical data and look to keep costs down. The reason why full image backups on all systems are important is not just for the safety of the users’ data, it allows the timely restoration of the clients’ system as it was before the ransomware infection. Without a full image backup, these systems would need to be individually configured wasting precious time during the recovery”, added Cannata. ‘
‘Taking into consideration that ransomware attacks seem to be the latest episode of the fast and the furious, it is effectively impossible for us to play defense all the time. In order to protect a business from ransomware, backups in the back of the strategy have to be sound and solid. I believe that every backup should have airgap copies that are not on the network which could be restored should I ran somewhere attack hit a business”, said Ilan Sredni of Palindrome Consulting, Inc.
”Recovery from a ransomware attack requires good backups. That is, backups that are 1) Current; 2) Tested and verified, and 3) isolated or ‘air gapped’ from the production environment. Many strains of ransomware are able to detect the backup solution in place, encrypt the backups first, then the production data before announcing its presence. It is critical that backups be properly isolated or hardened to prevent this from happening”, added Anderson.
If you become the victim of a ransomware attack, you should always consider your options carefully. ”Paying the ransom should always be the last resort, for several reasons”, said Anderson:
- As a paying victim, the company identifies itself as a target for future attacks
- There are questions around the legality of paying a ransom, with some governments declaring it illegal in an attempt to disrupt the proceeds of cybercrime
- There are efforts to ‘crowdsource’ decryptor keys for ransomware. The No More Ransom project (https://www.nomoreransom.org/en/index.html) is one example and claims to have saved businesses over $1 Billion in ransom payments.
Cameron Call, CISSP, Technical Operations Manager at Network Security Associates, Inc. added, ”You protect yourself from ransomware with backups AND backups of the backups. A priority target in a ransomware attack are the backups. The primary backups should have their own security, but a copy of these should also be stored at another location, accessible only by way of another transport method and credentials.”
”For example, if backups are pushed to on-premise storage via SMB the copy could be made via HTTPS with a different username and password to the offsite location and from a different device. No other connectivity should exist between the primary location and the offsite location. Most attacks are opportunistic and not targeted. Mixing the protocols and credentials used will diversify the system and require extra effort from an attacker. If they can get 10 other attacks done in the same time it takes to push yours further they may just do the 10 instead. Thought should be given to recovery time. If your business will go under after two days without data it can’t take two days to get your data from the offsite before you even start to restore”, said Call.
”The absolute biggest mistake companies make about cybersecurity insurance and cybersecurity in general is that they don’t need it and that they are not a target. And even worse, that they think they are already protected. There are 6 basic things businesses should be doing at a minimum and if they are not, they are probably already breached and don’t know it yet”, said Bryan Badger of Integral Networks.
- Find and work with a reputable Managed Services Provider.
- One that has experience dealing with and recovering businesses that has been breached is a plus as they can help you navigate what you should put into place based on your business.
- A good MSP will come with its own toolsets and security software to deploy.
- Put a proper security appliance(firewall) into place.
- If you’re not paying an annual license subscription for a firewall device that includes security services, it is worthless and not protecting you.
- Email security filtering services
- Link poisoning & Phishing are real thing, and employees are the #1 source of breaches
- Implement multi-factor authentication
- This adds a layer of security to all logins and helps to ensure that only authorized people are actually logging in.
- And last, have a rock-solid backup and disaster recovery plan that focuses on both Recovery Point Objective(RPO), how often is data being backed up in order to minimize data loss, and Recovery Time Objective(RTO), how long will it take to recover systems in the event of a breach.
- Have a Cybersecurity Insurance policy.
Using A Cybersecurity Framework to Combat Ransomware
”I know businesses are often looking for the one silver bullet that will protect them, but it doesn’t exist. The best approach is a layered approach, and it’s easier if you follow a framework. If you’re not in an industry that requires compliance and a framework there is the NIST Cybersecurity Framework (CSF) that does a great job at addressing all of the areas that need attention”, said Eric Schueler of HRCT.
”With that being said, if you had to roll out just one new change to better your protection, I would recommend an Endpoint Detection & Response service (EDR) that includes a 24/7 security operations center (SOC). A lot of business owners think that endpoint protection (antivirus) is all they need but the fact of the matter is that cybercriminals are stealing passwords and logging into networks without being detected. How is that possible when you have antivirus? The purpose of antivirus is to block malicious code”, added Schueler.
”When cybercriminals gain access to your network they do reconnaissance work, data exfiltration, and run regular IT department tools that don’t include running malicious code. It’s not until days, weeks, or months later that they deploy their ransomware encryption code that antivirus springs into action. Only it’s usually too late because they have admin rights to the computers, and they can just disable it before running their ransomware. With an EDR and SOC, they pay attention to suspicious activity at odd hours of the night and with the right service they will even block stop and respond on your behalf”, said Schueler.
Ransomware is much more than a financial crime; it is a national security risk that threatens businesses and organizations across the globe. This is not a crisis that one group can solve alone. It will take nothing short of a collective effort to help businesses and organizations to prevent ransomware attacks and recover from ransomware attacks.