By Renee Tarun, Deputy CISO / Vice President, Information Security, Fortinet Inc.
Ransomware is getting nastier and more expensive all the time, and it has affected almost every industry and geography. No one is immune from the threat.
In a global ransomware survey conducted by Fortinet, 67% of organizations report suffering a ransomware attack. Even worse, almost half said they had been targeted more than once, and nearly one in six said they had been attacked three or more times. The US Treasury’s Financial Crimes Enforcement Network (FinCEN) reported that organizations paid out almost $600 million in ransomware payments in the first half of 2021, which puts the US on track to surpass the combined payouts of the previous decade in a single year.
Last year’s attacks on the supply chains of companies like Colonial Pipeline and JBS made the news, but they are likely only the beginning. For each attack that garners headlines, countless more happen that don’t make the national news.
The ransomware threat is real, so it’s not a surprise that in the ransomware survey, 85% of respondents said they’re more worried about ransomware than any other cyber threat.
Plans and more plans for ransomware
The good news is that most organizations have plans in place to deal with ransomware. The bad news is that some of those plans may not be useful or effective. In the survey, less than half of the organizations reported having a ransomware strategy that includes basic cybersecurity tactics like network segmentation, business continuity, recovery testing, and remediation. The same is true of incident response plans, which should cover risk assessment, offline backup, and ransomware insurance. A plan is only as good as the information within it, and if you’re not covering the basics, you’re going to have a problem.
Amid all the alarming headlines about new tactics that cybercriminals are using, it’s easy to lose focus on the fundamentals. Plans should include training and basic cyber hygiene. Because remote work has expanded the attack surface, organizations need to take that into account when setting up cybersecurity training for their staff.
Education is more important than ever and it needs to incorporate cybersecurity elements that are unique to hybrid and remote work environments. It should include information on the latest social engineering attack approaches, such as smishing, vishing, and angler phishing. Attack methods are changing constantly, and employee training needs to keep up.
Collaboration and information sharing against ransomware
Ransomware is a massive problem and no organization can tackle it alone. All stakeholders at the company need to be on board and organizations also should work to establish partnerships with law enforcement and organizations such as the Cybersecurity and Infrastructure Security Agency (CISA). The only way to have an impact on cybercrime groups is by working together and sharing intelligence.
Because cybercriminals often target multiple organizations in similar industries, or organizations that use the same networks and systems, it’s important to collaborate to reduce the overall impact of ransomware within the larger industry or group. The sharing of threat information and attack data among public and private entities makes it more difficult for cybercriminals to get a foothold. These types of public-private partnerships also can help with data recovery, which reduces the overall costs of an attack.
The time to start protecting against ransomware is now
Organizations need to make sure that they have a cybersecurity strategy in place that includes the fundamentals: education, cyber hygiene, and private-public collaboration.
An educated workforce is key to having an effective cybersecurity strategy. According to the 2021 Verizon Data Breach Investigations Report, 85% of data breaches involve human interaction. Therefore, you can have all the security solutions in the world, but if you’ve overlooked training your employees in cyber hygiene and awareness, you’re never going to be truly secure. Employees should receive substantial training on how to identify and report suspicious cyber activity, including phishing emails. Approximately 50% of ransomware attacks involve some form of social engineering attack like phishing. Keeping your workforce trained on these types of attacks, especially as adversaries continuously refine their methods, will help ensure that your employees don’t fall victim by taking the bait. Through education and training, you can ensure your workforce maintains its cyber distance from adversaries and stays wary of suspicious requests, helping to keep critical digital resources secure.
Patching and hygiene are important
Along with training, cyber hygiene is another essential element in the fight against ransomware. First and foremost, you need to ensure that user devices and networks—including home networks—are properly maintained and secured. This requires ensuring that devices are properly patched and configured to prevent the adversary from exploiting them.
Zero trust access and endpoint security
Next is implementing a zero-trust security model, which assumes that anything or anyone trying to connect to the network is a potential threat. When a zero-trust access approach is in place, every individual or device that tries to access the network or an application must undergo strict identity verification before access is granted. This verification uses multifactor authentication (MFA), which requires users to present multiple credentials before they are given access, adding a layer of protection beyond strong passwords alone.
Attacks can take just seconds to compromise endpoints, so endpoint security is vital in defending against ransomware. First-generation endpoint detection and response (EDR) tools simply cannot keep pace: they require manual triage and response, which is too slow for fast-moving threats, and they generate large volumes of indicators that burden cybersecurity teams. More modern solutions proactively reduce the attack surface, prevent malware infection, detect and defuse potential threats in real time, and can automate response and remediation procedures.
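The zero-trust access model described above (verify every request, require MFA, grant no trust based on network location) and the device-hygiene point from the patching section can be made concrete as a policy decision function. The following is an added example written for this page; it is not Fortinet code or a description of any product. The factor taxonomy, the posture signals (`device_managed`, `device_patched`), the entitlement table and the sample requests are all constructed for illustration.

```python
"""Deny-by-default zero-trust access decision with an MFA requirement.

Added illustration for this article; the names, factor taxonomy, posture
signals and sample requests are constructed and are not from the page.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Factor categories: MFA means factors from at least two *different* categories,
# so two knowledge factors (password + PIN) do not count as multifactor.
FACTOR_CATEGORY: Dict[str, str] = {
    "password": "knowledge",
    "pin": "knowledge",
    "totp": "possession",
    "hardware_key": "possession",
    "push_approval": "possession",
    "fingerprint": "inherence",
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    factors: FrozenSet[str]   # authentication factors presented in this session
    device_managed: bool      # enrolled in device management (hypothetical posture signal)
    device_patched: bool      # meets the patch baseline (hypothetical posture signal)
    source_network: str       # "corporate" or "internet"; deliberately NOT used for trust


# Authorization: which users may reach which resources (constructed sample data).
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"payroll-app", "wiki"},
    "bob": {"wiki"},
}


def factor_categories(factors: FrozenSet[str]) -> Set[str]:
    """Map presented factors to their categories; unknown factors earn nothing."""
    return {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every check must pass; any failure is a deny."""
    reasons: List[str] = []

    # 1. Identity: at least two distinct factor categories on every request,
    #    regardless of where the request comes from.
    if len(factor_categories(req.factors)) < 2:
        reasons.append("mfa: fewer than two distinct factor categories")

    # 2. Device posture: unmanaged or unpatched endpoints are denied even from
    #    the corporate network; network location grants no implicit trust.
    if not req.device_managed:
        reasons.append("device: not enrolled in management")
    if not req.device_patched:
        reasons.append("device: below patch baseline")

    # 3. Authorization: the user must be entitled to this specific resource.
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        reasons.append(f"authz: {req.user} not entitled to {req.resource}")

    return (not reasons, reasons)


# Constructed sample requests covering the cases the policy must distinguish.
SAMPLE_REQUESTS: Dict[str, AccessRequest] = {
    "lan_password_only": AccessRequest(
        "alice", "payroll-app", frozenset({"password"}), True, True, "corporate"),
    "remote_mfa_compliant": AccessRequest(
        "alice", "payroll-app", frozenset({"password", "totp"}), True, True, "internet"),
    "remote_two_knowledge": AccessRequest(
        "alice", "wiki", frozenset({"password", "pin"}), True, True, "internet"),
    "remote_mfa_unpatched": AccessRequest(
        "bob", "wiki", frozenset({"password", "hardware_key"}), True, False, "internet"),
    "remote_mfa_not_entitled": AccessRequest(
        "bob", "payroll-app", frozenset({"password", "totp"}), True, True, "internet"),
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        allowed, reasons = evaluate(req)
        print(f"{name:24} -> {'ALLOW' if allowed else 'DENY'} {reasons}")
```

Two design points matter here. The request from the corporate network with only a password is denied, which is what "assumes that anything or anyone trying to connect is a potential threat" means in practice: being inside the perimeter buys nothing. And a password plus a PIN is rejected as MFA because both are knowledge factors, so "multiple credentials" has to mean credentials of different kinds. The returned reason list is what an access log or SIEM rule would consume to spot repeated denials against the same account or device.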
Work as a team
Public-private collaborations are essential for effective critical infrastructure security and resilience strategies. This includes timely, trusted information sharing among stakeholders within the public and private sector. For organizations to mitigate the unseen threats, they must have real-time actionable intelligence. The information must be shared between the different security layers and products within your environment to provide a proactive defence.
In addition, this information sharing should be extended to partnerships within the broader cybersecurity community outside of your organization, such as Computer Emergency Response Teams (CERTs), Information Sharing and Analysis Centres (ISACs), industry coalitions like the Cyber Threat Alliance, law enforcement, and other government organizations like the Cybersecurity and Infrastructure Security Agency (CISA).
Since no single entity or organization has all the answers on how to address the cyber threat, by working together and sharing information we can shorten our response times and break the kill chain before malicious activity spreads to other systems and organizations.