Ransomware is one of the most severe forms of cyberattack that affects modern businesses. Companies manage incredible amounts of sensitive data about their employees, clients, processes, and products. A ransomware attack or associated breach can cut off an organization’s access to critical data, affecting its ability to operate, as well as inflict long-lasting economic and reputational damage.
In response to the growing intensity of this threat, the U.S. government has released an updated version of its #StopRansomware Guide (https://media.defense.gov/2023/May/23/2003227891/-1/-1/0/StopRansomware_Guide_v1.1.PDF) to provide organizations with information and resources on how to reduce the likelihood and impact of a ransomware incident — and advise what to do if they experience an attack. While the risk levels and protocols for responding to a ransomware attack will vary by industry and company, every organization should educate its employees on this threat and take steps to protect its network and data accordingly.
Understanding the technology risk
Ransomware is a technique in which attackers who have compromised a system or network encrypt files so that users lose access, then demand payment, usually in cryptocurrency, to unlock them. The encryption usually comes at the end of the compromise: the initial breach occurs days, weeks, or even months beforehand, giving the attackers time to get in and see what they can access.
The initial compromise can begin with any of several types of attack, including social engineering of users to gain access to a system, network-based attacks, or malware installation. Common social engineering tactics include email phishing and vishing (voice phishing), in which attackers use fraudulent messages and calls to gain network access. As companies’ IT environments become more complex, they create more potential entry points, increasing their exposure to ransomware and other attacks.
What makes a company an appealing ransomware target?
Certain companies are more attractive to organized cybercriminals because of vulnerabilities and characteristics that make them both more susceptible to breaches and more likely to pay the ransom to regain access to their data. These factors include:
- Value of the organization’s services: If a company is critical to the life or safety of its clients and cannot continue to provide those services during a system lockdown, it is more likely to pay the ransom.
- Type of data: Businesses with access to personal identification information, as well as those in heavily regulated industries, may be more likely to pay the ransom to secure their clients’ privacy.
- System complexity: Companies recently involved in mergers and acquisitions have had to merge tech networks and processes. These combinations create system complexity and potential vulnerabilities through security lapses.
- Remote employee access: When a high proportion of employees is working remotely, the business is likely to present criminals with more access vectors that need to be secured.
Preparation is prevention
Train your people. Preventing an attack starts with having a plan. To begin, educate your employees on the business’s IT security protocols. They should be trained to identify suspicious links, recognize illegitimate websites and search results, set up multifactor authentication, create stronger passwords, and vet software for security before selecting it. Instruct them never to give user information, passwords, or financial data over the phone or on unsecured sites. It’s also important to repeat security awareness training frequently so that team members with access to your network remain up to date and vigilant about potential threats.[1]
Make sure you have an updated inventory of the data and devices on your network. Identify legacy equipment, and if it can’t be updated or replaced, put compensating controls around it.
Establish a layered approach to security. Since email is the typical initial entry point for ransomware, add controls at that layer, such as spam filters, third-party monitoring, and disabled macros. Conduct phishing tests to demonstrate to employees how breaches can happen. Make sure devices on the network have up-to-date security patches.
The new guidance from CISA and the FBI recommends zero trust architecture as a best practice. This security approach authorizes users to access only the information and systems they need and requires the users to reauthenticate their identities every time they access certain information or systems.[1]
Add network segmentation. Isolate essential systems and data, which makes it harder for hackers to get to key data. Back up critical functions and create special controls around them. Make sure to protect valuable administrative side functions such as human resources/payroll, accounts receivable and payable, and vendor management. Maintain offline, encrypted backups of all critical data, since automated cloud backups may overwrite unaffected data in the event that an attacker encrypts local data.
Secure the banking environment. Limit the number of employees who can access online banking systems. Establish permissions and checks, such as requiring dual approval on outgoing ACH (automated clearinghouse) or wire payments.
Track behavior and conduct mock incidents. Know what systems and users are supposed to be doing, and at what times, and record those patterns as a baseline so that an internal tech support team or a third-party monitoring company can more easily identify anomalous actions. Make technological breaches part of your business continuity or disaster recovery planning.
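One way to turn this advice into a mechanical check, as an added example that is not from the article: the script below builds a per-user baseline of which systems are touched and at which hours from constructed historical records, then reports newer records that fall outside it. All users, hosts and timestamps are constructed sample data, and the comma-separated record format is an assumption.

```python
# Added example (not from the article): build a per-user baseline of hosts and
# active hours from constructed "known-good" records, then flag deviations in
# newer records. Real input would come from an IdP or SIEM export (assumption).
from collections import defaultdict
from datetime import datetime
BASELINE_LOG = """\
2023-09-04T08:12:00,asmith,payroll-app,login
2023-09-04T17:40:00,asmith,payroll-app,logout
2023-09-04T07:55:00,jdoe,ar-portal,login
2023-09-04T18:05:00,jdoe,ar-portal,logout
"""
NEW_LOG = """\
2023-09-11T08:20:00,asmith,payroll-app,login
2023-09-11T02:47:00,asmith,payroll-app,login
2023-09-11T10:15:00,jdoe,backup-server,login
2023-09-11T11:02:00,svc-unknown,ar-portal,login
"""
def parse(log):
    """Yield (datetime, user, host, action) from 'timestamp,user,host,action' lines."""
    for line in log.splitlines():
        if line.strip():
            ts, user, host, action = line.split(",")
            yield datetime.fromisoformat(ts), user, host, action

def build_baseline(log):
    """Per user: the hosts normally touched and the hours activity was observed."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host, _ in parse(log):
        profile[user]["hosts"].add(host)
        profile[user]["hours"].add(ts.hour)
    return dict(profile)

def find_anomalies(baseline, log, slack_hours=1):
    """Return (timestamp, user, host, reason) for each deviating record; slack_hours
    widens the observed window so a slightly early or late login is not reported."""
    findings = []
    for ts, user, host, _ in parse(log):
        prof = baseline.get(user)
        if prof is None:
            findings.append((ts, user, host, "unknown user"))
            continue
        if host not in prof["hosts"]:
            findings.append((ts, user, host, "host outside baseline"))
        lo, hi = min(prof["hours"]) - slack_hours, max(prof["hours"]) + slack_hours
        if not lo <= ts.hour <= hi:
            findings.append((ts, user, host, "activity outside usual hours"))
    return findings

def run_check():
    return find_anomalies(build_baseline(BASELINE_LOG), NEW_LOG)
```

In practice the baseline would be rebuilt periodically from a period believed clean, and a finding is a prompt for the monitoring team to investigate, not proof of compromise.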
Invest time in preparation. Construct a response playbook and establish relationships with third-party response partners in advance of any security incident or breach. These incident response specialists are experts at navigating ransomware incidents, and having an agreement in place enables them to step in and reduce the burden on your internal resources during an attack. Consider purchasing cyber insurance to help minimize business disruption following a breach.
What to do in case of a breach
Despite your enterprise’s best efforts, your company may experience a ransomware attack – hackers are organized networks of criminals who are well-resourced and sophisticated.
You should create a playbook to follow in the event you have an incident. Cybersecurity attorneys and response companies can help with the planning. In addition, you should:
- Create an internal and external communications plan.
- Understand the notification requirements if you carry cyber insurance.
- Understand what type of information you maintain, so you can assess the notification requirements if personal identification information or financial data (from employees, clients or vendors) is exposed.
- Contact your financial institution to make them aware of the situation and determine next steps.
Responding to the ransomware threat
Ransomware is a powerful crime – it can shut companies down, cost them money to start back up, and damage their reputations. With cybercriminals searching daily for vulnerable businesses to target, now is the time to make sure your systems have the right prevention measures in place. Make sure you are tracking alerts from government entities via StopRansomware.gov, are familiar with the Ransomware and Data Extortion Response Checklist published on that site, and keep employees informed of threats, IT security layers, and response protocols.
About the author: Phil Muscato is Market President and Commercial Sales Leader with KeyBank in Rochester. He may be reached by phone at 585-238-4159 or email at [email protected].
This material is presented for informational purposes only and should not be construed as individual tax or financial advice. Please consult with legal, tax and/or financial advisors. KeyBank does not provide legal advice. KeyBank is Member FDIC. © KeyCorp 2023 CFMA #231030-2309331