Chief Product Officer and cofounder of SpyCloud, helping companies around the world discover and prevent account takeover (ATO) attacks.
The threat of ransomware has become a major concern not only for security teams, but for the entire C-suite. From lost revenue to reputational damage, a ransomware attack can have a devastating impact on a company’s growth and its credibility among customers, clients and peers.
While organizations have increased their investment in ransomware mitigation tools, a SpyCloud report released this year found that, as cited by Forbes contributor Chuck Brooks, “90% of organizations were impacted by ransomware over the past twelve months, an alarming increase from last year’s 72.5%.” Given the ubiquity of the threat, it’s not surprising that respondents are losing confidence in their defenses.
A core challenge is that security teams can’t fix what they can’t see. The report found that the most dangerous sources of ransomware exposure are the ones that present a visibility problem—undetected malware infections on unmanaged devices.
To reduce the risk and prevent potential fallout from a ransomware attack, organizations must focus their resources on closing those gaps by increasing their visibility into their full exposure—starting with better remediation when malware infections occur.
From The Experts: How Security Leaders Are Thinking About Ransomware
Our annual report analyzes insights from over 300 IT security professionals at North American and U.K. organizations with at least 500 employees. The survey compiles their views on the evolving threat of ransomware, as well as their companies’ ransomware preparedness over the last year.
Fewer organizations across the board indicated that their existing ransomware mitigation solutions are in good shape, and those looking to upgrade or add new security technologies increased. More organizations implemented contingency measures, from opening cryptocurrency accounts to purchasing cyber insurance policies. Further, the security professionals surveyed ranked data backup as their most important countermeasure for mitigating ransomware attacks.
But security teams aren’t throwing in the towel yet. Ninety-six percent have implemented multifactor authentication, compared to last year’s 56%, but the report’s findings suggest that organizations have been focusing their resources on planning for an inevitable ransomware attack rather than closing the gaps that leave them vulnerable.
The problem with this approach is that the “plan B” tools many enterprises are depending on are not as reliable as leaders might think.
Why Some Companies Are Attacked More Often Than Others
Unfortunately, paying a ransom for the chance to retrieve data after an attack does not neutralize the exposure that results from having it stolen in the first place. Following a successful ransomware attack, criminals often share or sell stolen credentials, PII, device data and web session cookies on the dark web, allowing attackers to use the data again and again.
As a result, businesses are more likely than ever to be impacted more than once: According to our survey, 50% were hit at least twice and up to five times, 20% were hit between six and 10 times, and 7% were attacked more than 10 times.
Moreover, the risk of exposed data is not contained to one company. Threat actors can access corporate networks through vendors and partners, especially third-party SaaS providers whose data has been exposed. According to research by IBM, 17% of organizations experienced a breach because of a business partner being compromised.
Amid this increasingly volatile threat environment, preventing the initial access often used to launch a ransomware attack can seem impossible. What can security teams do against an account takeover that results from an outside vendor’s stolen credentials—or a malware infection that occurred when an employee’s child downloaded a fraudulent study guide while doing their homework on a home device?
Prevention Is Still The Key
The first step is getting a clear picture of an organization’s exposure and understanding how that exposure can lead to a ransomware attack. Criminals still conduct traditional phishing expeditions using corporate email and take advantage of simple or reused passwords to perpetrate account takeover. However, in recent years, their tactics have grown in diversity and sophistication.
Every user with access to a corporate network—whether an employee, an outside vendor or a member of the C-suite—has a digital identity composed of the work and personal accounts, applications and devices connected to them. Every aspect of that identity can be compromised. Therefore, prevention must focus on securing user identities and closing the points of vulnerability.
Users are still the first line of defense in preventing a ransomware attack. Strong password hygiene and multifactor authentication are essential baseline protections to stop criminals from walking in the front door. Increasing employee awareness of criminals’ newer tactics, such as the threat of malware delivered through text messages, images or in-application downloads, can help mitigate the risk posed by the 2.8 billion malware attacks conducted in the first six months of 2022.
Security leaders must also strengthen their vigilance by monitoring for exposed credentials and malware infections, especially on unmanaged devices. Personal phones, tablets and computers used to access corporate applications represent one of the riskiest threats because security teams often lack visibility into malware on those devices.
Corporate VPNs, client-side certificates and CASBs are also options for locking down critical access to third-party applications, although they can be costly depending on the number of users in your organization.
Analyzing recaptured botnet data is also one way to respond quickly to a successful malware incident. After a malware infection, wiping and re-imaging the device does not address the exposed credentials, stolen session cookies and other data that could leave the door open for ransomware operators to launch an attack. Monitoring for exposure gives a more complete picture of what was taken during the infection, helping prevent ransomware attacks before they can take hold.
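As an added illustration of the remediation step described above (example code written for this page, not SpyCloud's product or the article's own), the following Python script turns one constructed infostealer record into a prioritized remediation list: unexpired session cookies for corporate applications are revoked first, because a stolen cookie bypasses both the password and multifactor authentication; corporate credentials are then reset; a corporate password seen on a personal site is flagged for reuse review; and an unmanaged device is blocked from corporate access until it is cleaned. The domain lists, record layout and sample values are all assumptions.

```python
"""Post-infection remediation triage over a recaptured infostealer record.

Illustrative example only. The corporate domains, application hostnames,
record layout and the sample record below are constructed for this page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumptions: the organization's email domain(s) and the hostnames of the
# applications its users sign in to, including a third-party SaaS vendor.
CORPORATE_DOMAINS = {"example.com"}
CORPORATE_APPS = {"sso.example.com", "mail.example.com", "crm.saas-vendor.example"}


@dataclass(frozen=True)
class Credential:
    site: str        # hostname the credential was captured for
    username: str
    password: str    # infostealer logs carry plaintext; handle as sensitive


@dataclass(frozen=True)
class Cookie:
    domain: str
    name: str
    expires: datetime  # timezone-aware expiry


@dataclass
class ExposureRecord:
    device_id: str
    managed: bool          # enrolled in MDM/EDR or not
    infected_at: datetime
    credentials: list
    cookies: list


@dataclass(frozen=True)
class Action:
    priority: int   # 1 = do first
    kind: str
    target: str
    reason: str


def is_corporate_user(username: str) -> bool:
    """True when the username is an email address on a corporate domain."""
    return "@" in username and username.rsplit("@", 1)[1].lower() in CORPORATE_DOMAINS


def triage(record: ExposureRecord, now: datetime) -> list:
    """Return deduplicated remediation actions, most urgent first."""
    actions = set()

    # 1. Live session cookies for corporate apps bypass passwords and MFA
    #    entirely, so invalidating those sessions comes before anything else.
    for c in record.cookies:
        if c.domain in CORPORATE_APPS and c.expires > now:
            actions.add(Action(1, "revoke_sessions", c.domain,
                               f"unexpired '{c.name}' cookie stolen {record.infected_at:%Y-%m-%d}"))

    # 2. Credentials for corporate identities or corporate apps: force a reset
    #    and have the user re-verify their MFA enrolment.
    corp_creds = [c for c in record.credentials
                  if c.site in CORPORATE_APPS or is_corporate_user(c.username)]
    for c in corp_creds:
        actions.add(Action(2, "force_password_reset", c.username, f"captured for {c.site}"))

    # 3. Password reuse: a corporate password that also appears on a personal
    #    site widens the blast radius, so flag the corporate identity for review.
    for corp in corp_creds:
        for other in record.credentials:
            if other.site not in CORPORATE_APPS and other.password == corp.password:
                actions.add(Action(3, "password_reuse_review", corp.username,
                                   f"corporate password reused on {other.site}"))

    # 4. Unmanaged device: it cannot be isolated or re-imaged remotely, so block
    #    its corporate access until the user confirms it has been cleaned.
    if not record.managed:
        actions.add(Action(4, "block_device_access", record.device_id,
                           "unmanaged device; remote wipe not possible"))

    return sorted(actions, key=lambda a: (a.priority, a.kind, a.target))


# Constructed sample: a home laptop infected three days ago, with one live and
# one expired corporate cookie, a corporate login, and a reused password.
NOW = datetime(2022, 9, 1, tzinfo=timezone.utc)
SAMPLE = ExposureRecord(
    device_id="home-laptop-7f3a",
    managed=False,
    infected_at=NOW - timedelta(days=3),
    credentials=[
        Credential("sso.example.com", "alice@example.com", "Summer2022!"),
        Credential("shop.example.org", "alice.personal@mail.example", "Summer2022!"),
        Credential("forum.example.org", "alice_gamer", "hunter2"),
    ],
    cookies=[
        Cookie("sso.example.com", "session", NOW + timedelta(days=10)),
        Cookie("mail.example.com", "auth", NOW - timedelta(days=1)),  # already expired
    ],
)

if __name__ == "__main__":
    for a in triage(SAMPLE, NOW):
        print(f"[{a.priority}] {a.kind:<24} {a.target:<28} {a.reason}")
```

The ordering is the point: a session revocation is the one step re-imaging the device never performs, and it is the step that closes the door a stolen cookie leaves open, so it is ranked ahead of password resets. Feeding real recaptured data into `triage` would require mapping the vendor's record format onto `Credential` and `Cookie`, which this example leaves as an assumption.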
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.