By Castellan Solutions:
Numbers from 2021 are still being tallied here in early 2022, so it is hard to get a good handle on the actual number of ransomware attacks last year, but most reports agree on one thing: ransomware attacks have increased at an alarming rate, not just in volume but also in complexity.
It is one of the reasons why we encourage our clients to transition away from the old approach to business resilience planning, one that hinges on organizational response after an event occurs, toward a more proactive, holistic approach that is crisis-ready for when a disruption happens. This is especially true for cyber resilience, where we are seeing organizations of all sizes, across a range of industries, targeted in ransomware attacks.
And as diverse as attack methods have become, so too are many organizations’ approaches to ransomware attacks.
In a recent Castellan webinar, “Ask the Experts: Business Continuity Strategies for Cyber and Ransomware,” we asked attendees how their organization approaches ransomware. The top answers were closely split: 51% of attendees did not know their organization’s ransomware response strategy, and 47% said their organization does not pay the ransom. Only 2% indicated their organization would likely pay up if faced with a ransomware attack.
When it comes to a response standard, there’s really no right or wrong answer. The reality is it depends on a range of factors, unique to each organization and situation.
Chris Wentz, director of information security at Castellan, recommends having these hard conversations now, before an event occurs, not at the point of crisis. That is the same approach suggested for disaster recovery, business continuity, and other programs. It is important to know who will serve as incident commander and who will make decisions. Sometimes, depending on the organization, that person is one and the same.
It really comes down to individual business choices and how they perceive the impact and what that impact might be, Wentz said.
The stronger you build your response and resilience plan, the more it can inform the pay-or-don’t-pay decision one way or the other. When you have all the key players together beforehand, you have the opportunity to make effective decisions based on your organization’s strategies, plans, and goals, rather than reactive crisis decision-making.
Managing a Ransomware Event
Long gone are the days when cyber breaches were considered a problem just for IT teams. Today, in support of resilience management, a growing number of executives and key stakeholders are involved. When it comes to ransomware response specifically, there are a few key takeaways for executives to consider.
Michael Bratton, Castellan consulting practice leader, offers these tips:
- Pre-plan as much as possible
- Ask: What’s the potential customer reaction?
- Understand the board or other senior leader expectations regarding ransom payment
- Know your organization’s risk impact tolerance and understand at what point that threshold might sway a decision to make a ransomware payment
- Work with your IT team and CISO to gather the information you will need to make effective decisions
- Routinely participate in exercises so you have a better understanding of what may occur during real-world response
Implementing Controls to Support SMB Response
When it comes to ransomware response and recovery, small and medium-sized businesses (SMBs) sometimes face challenges they don’t have the tools, resources, or skills to effectively mitigate. Instead of accepting defeat, there are frameworks and controls SMBs should consider to help with response and recovery.
Wentz says a great starting point is ensuring proper roles and permissions are assigned throughout your organization. While this may seem overly simplistic, some organizations haven’t yet grasped why it is important to limit users’ privileges on their own machines, especially for those users who would otherwise have access to sensitive and protected data and systems. Think least privilege, but it is also about ensuring proper role administration.
SMBs can also benefit from reviewing how they handle data backups. How many copies do you have? Where is your data stored? How is it isolated and protected? These backups become critical when it comes to executing a ransomware response strategy.
Rob Giffin, Castellan’s chief technology officer, also recommends adopting multi-factor authentication (MFA). He calls it a magic bullet, saying that when your organization has MFA, it’s harder for attackers to take over accounts and get access. It’s especially important for small businesses that use SaaS products. Many of those products support MFA, so it’s important to turn it on. MFA, Giffin says, can save a lot of headache and serve as a perimeter to help protect your organization.
Building Vendor Trust
As we have seen an unfortunate increase in ransomware attacks in the past year, we have also seen a growing number of these breaches happening along the supply chain. As such, it is important to build relationships that encourage trust between your organization and your vendors, with a shared understanding of the expectations and requirements for keeping your data safe.
Building that trust isn’t always an easy thing, Giffin points out, but the reality is it’s not an option to not trust these vendors anymore. And in many cases, those vendors are obligated to meet the same compliance and regulatory mandates for data security and privacy as you are.
The key is understanding how you manage supply-chain risk, and at that core is understanding how much and what type of data your vendors can create, process, store, or transmit.
If your vendor is multi-tenant, for example, it could be in attackers’ sights for larger-scale and complex attacks. The good news is many of these large vendors (think Google or Microsoft or Amazon) are prepared to defend against and respond to these types of attacks.
Ultimately, it’s all about understanding and documenting your vendors’ mitigation and response strategies, not just at the time of contract signing, but throughout the duration of your relationship.
Interested in more tips or information about ransomware and effective response strategies? Check out our on-demand webinar, “Ask the Experts: Business Continuity Strategies for Cyber and Ransomware,” or contact a Castellan advisor today.