Here are the facts: every week brings news of new breaches at global companies, major government institutions and agencies. Unsurprisingly, ransomware attacks are on the rise, with the United Nations reporting a 600% increase in malicious emails sent over the course of the pandemic. IT researchers report that over 450,000 new pieces of malware are detected every day. With the threat landscape expanding at these rates, IT security professionals need to ask themselves:
- Do I have a system security plan? If so, when was it last updated?
- Have I done a cyber risk assessment?
- What is my plan of action and milestones (POA&M)?
- Do we have an Executive Risk Report?
These questions should form the basis of risk determination for any company, but more often than not they’re not even being asked. In fact, organizations are failing to take care of so many basics that cybersecurity today is as much about changing the prevailing mindset as it is about simply upgrading the technology. This starts at the top.
Hackers are not just targeting Fortune 500 companies; they are hitting organizations of every size. Today’s small and medium business owners often assume nobody will go after them because they’re too small, but it’s a numbers game. Simply put, ransomware goes after the largest possible number of vulnerable targets. This helps explain why SMBs are in reality getting hit with the lion’s share of ransomware attacks and data breaches: 50% to 70% of attacks hit small and medium businesses, and 70% of all ransomware incidents over the last 24 months have been in the mid-market. Every company, no matter how large or small, needs to focus on cybersecurity.
The History of Ransomware
Ransomware has evolved to become easier for bad actors to adopt. In fact, it has become a service: Ransomware as a Service (RaaS). Beginning around 2012, a criminal division of labor arose that included:
- Programmers – To maintain some distance between themselves and criminal activity, programmers sold their software rather than run it themselves.
- Well-organized criminal groups (a.k.a. Organized Crime Syndicates such as REvil) – These groups sought ways to weaponize and monetize the software.
- The dark web and cryptocurrency exchanges – These dark marketplaces enabled the sale of nefarious software to criminal enterprises, paid for in cryptocurrency.
This perfect storm led to a wave of ransomware in the mid-2010s that included CryptoLocker and Locky. Though crude by today’s standards, they worked well: they locked corporations out of their data, and people were willing to pay to get it back. But those attacks were primarily directed at endpoints, a workstation or individual machines. Once the victimized businesses realized this, they stopped paying the ransom and simply reimaged their machines.
Then, around 2018, attackers had some success going after servers to get at the source of the data, which increased the likelihood that a ransom would get paid. To counter this, companies improved their backups and bought cyber insurance. In response, attackers started asking for higher ransoms, since they knew the payment would be covered by the insurer, which in turn drove up the cost of cyber insurance.
The Second Extortion: Data
Far more devastating is that over the last eighteen months attackers have also begun targeting and stealing data before they encrypt it. Now ransomware attacks are also data breaches. This secondary extortion is designed specifically to negate the value of good backups: restoring from backup gets your systems running again, but the organization still has to pay to prevent its data from being exposed. Recall the meat supplier JBS, which paid $11M to prevent its data from being made public.
Simply put, today’s cybercriminals are no longer dominated by the metaphorical script kiddies living in their parents’ basements. They are employees of fully organized criminal groups operating through a ransomware-as-a-service model. The economic drivers on the criminal side are simply too powerful, so they will come after you no matter what size or type of business you run. And because RaaS lets affiliates launch attacks without writing any software themselves, the number of attackers can grow rapidly year over year.
The Third Extortion: Reputation
Criminal groups will now advertise the breach directly to your customers by posting your name on a leak (“shame”) site. This is the third extortion. They will attempt to induce payment by contacting the victim’s business leaders directly and quoting from stolen financial documents and stock value reports. In some cases, after non-payment, criminals have even reported their victims to regulators. All of these are the (exceedingly public) ways these groups attempt to get paid for the attack they have just completed.
Strategies For Responding To (and protecting against) Modern Threats
Cyber insurance companies have already pushed back by raising rates and, in some cases, refusing to insure companies against ransomware at all. This means companies must devise their own protections now. The problem is that the marketplace is so flooded with cybersecurity products that companies are too overwhelmed to find a good solution. While we can expect some consolidation of the cybersecurity market over the next year as bigger companies acquire smaller ones, the fact remains that IT personnel need to follow a set of strict best practices no matter what their current security posture looks like.
Best Practices For Building A Solid Cybersecurity Framework
Setting best practices is about understanding what you have, what is valuable to you, and taking the appropriate actions to protect it. Where do you start? By conducting a risk assessment using an established framework such as NIST SP 800-37 (the Risk Management Framework) or NISTIR 8374, the ransomware profile of the NIST Cybersecurity Framework, which at the time of writing is a recently published draft.
Often senior executives don’t understand the risk that ransomware poses, or have a hard time believing the risk is real. A risk assessment enables senior executives to see the organization’s risks by level, e.g. critical, high, and moderate. Conducting a risk assessment and adopting a risk management framework will help leadership set policies that ultimately build a culture of security within the organization. This change in mindset is fundamental to operating in the digital age.
Remember what we said up top: this is a numbers game. Every company has roughly a 25% chance of being hit by ransomware in any given year. Preparation will lead to a much better outcome than waiting for a critical incident and then trying to respond on the fly. Consider these best practices, across people, process and technology, to form a preparation framework:
- People are the weakest link in any security posture. For a long time, the average computer user simply didn’t realize certain things were problematic: don’t click an email link you weren’t expecting, don’t ever reuse passwords, and so on. The path to improving the awareness of end users and system administrators is training. Staff need to be trained to recognize phishing, a very common initial attack vector. Everybody, including system administrators, has to go through the appropriate training to understand their part in maintaining cybersecurity.
- Process includes having a disaster recovery plan, an incident response plan, and a backup and recovery plan. (And remember to test your backups regularly by actually restoring from them! It’s been estimated that as many as 75% of backups fail during a recovery operation, and a backup that has never been restored is an assumption, not a control.) Having these plans and testing them, along with maintaining a relationship with an incident response company (e.g. CrowdStrike) before you need one, gives you real cybersecurity support rather than just peace of mind. In addition, written policies around passwords must have “teeth” and be audited. Make sure you have procedures in place to determine whether anybody is using bad or weak passwords, and give those people a deadline to change them. (And run those checks regularly, too.)
- Technology includes firewalls, a centralized backup system (e.g. HPE Nimble or HPE 3PAR storage), identity and access management, and logging, monitoring, and alerting. These are the preventive and detective technologies most people are familiar with. Be wary of anyone who talks about a technology purchase before understanding what risk you are trying to mitigate. Once you’ve determined your cybersecurity goals, technology becomes the method to achieve the goal rather than the goal itself.
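As an added illustration of the “test your backups” point in the Process item above (example code written for this article, not part of the original and not any vendor’s product), the script below records a SHA-256 manifest of a directory at backup time, restores the tar.gz archive into a scratch directory, and checks every restored file against that manifest. It reports missing, unexpected and corrupted files, so a backup that silently captured already-encrypted data fails the test. The sample files and the “encrypted” corruption are constructed for the demo; the archive format (tar.gz plus a JSON manifest) is an assumption, not a prescription.

```python
"""Backup restore test: back up a tree, restore it elsewhere, verify every file
against a SHA-256 manifest taken at backup time. Added example, not the
article's or any vendor's code."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under source."""
    return {
        p.relative_to(source).as_posix(): sha256_of(p)
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path, manifest_path: Path) -> dict:
    """Tar+gzip the source tree (as 'data/...') and persist its manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path, manifest: dict, restore_dir: Path) -> dict:
    """Restore the archive into restore_dir and diff it against the manifest.

    Returns a report: ok flag plus lists of missing, unexpected and corrupted
    relative paths. A restore that merely 'succeeds' without this comparison
    proves nothing about the data."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # 'data' filter (Python 3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4)
            # rejects absolute paths and ../ traversal inside the archive.
            tar.extractall(restore_dir, filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(restore_dir)
    restored = build_manifest(restore_dir / "data")
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {
        "ok": not (missing or unexpected or corrupted),
        "files_checked": len(manifest),
        "missing": missing,
        "unexpected": unexpected,
        "corrupted": corrupted,
    }


def demo() -> tuple:
    """Constructed sample: a clean restore test, then a backup whose contents
    were altered (as if taken after ransomware had already encrypted a file)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("2024-01-01,invoice,1250.00\n")
        (src / "notes.txt").write_text("constructed sample data\n")

        good_archive = root / "backup.tar.gz"
        manifest = create_backup(src, good_archive, root / "manifest.json")
        clean = verify_restore(good_archive, manifest, root / "restore_clean")

        # Simulated bad backup: one file replaced by ciphertext-looking bytes
        # before the archive was written, but checked against the known-good manifest.
        (src / "finance" / "ledger.csv").write_bytes(b"\x00\xffencrypted\x00")
        bad_archive = root / "backup_bad.tar.gz"
        with tarfile.open(bad_archive, "w:gz") as tar:
            tar.add(src, arcname="data")
        corrupted = verify_restore(bad_archive, manifest, root / "restore_bad")
    return clean, corrupted


if __name__ == "__main__":
    clean_report, bad_report = demo()
    print(json.dumps({"clean": clean_report, "corrupted": bad_report}, indent=2))
```

In practice the manifest should be stored separately from the backup (and ideally signed), because an attacker who can alter the archive can alter a manifest sitting next to it. Run the check on a schedule against a freshly restored copy, not against the live system, and treat any non-empty `corrupted` or `missing` list as an incident, not a warning.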
Need help evaluating where your risk is? Contact us to analyze your people, business processes, and supporting technologies and create a prioritized risk register that tells you exactly what you need to protect and exactly what needs to be done. It’s all about managing risk.