Companies urged to consider pros and cons of paying a ransom
By Dustin Brewer*, Senior Director of Emerging Technology and Innovation at ISACA
Tuesday, 10 August, 2021
The conversation is heating up globally about whether companies should pay in a ransomware attack. Unfortunately, these crippling cyber assaults are taking place too frequently across the globe, with targets and outcomes getting more consequential and more threatening for our workforce and communities.
Cybercriminals are hitting big industries across the world that have a direct impact on essential needs including fuel, health care and agricultural supply chains. In recent months we’ve seen the impact on agriculture via an attack on an Australian meat processor, the impact on health care due to an attack on five hospitals in the New Zealand district of Waikato which caused major disruption to IT systems and the Colonial Pipeline attack in the US which threatened the country’s fuel distribution network.
In a vacuum, the guidance not to pay makes total sense. We don’t want to negotiate with criminals. But when you need to get your business back online, a cost/benefit analysis is going to come into play, and a company is going to do what it needs to do to have continuity. Good cyber hygiene has to be a focus to avoid getting to this point.
Globally, we must learn from each other. The catastrophic attacks experienced by organisations in all corners of the globe in the last month alone make it essential that IT professionals put preparedness for ransomware attacks at the top of their agenda.
Sifting through the chaos and confusion during any cyber attack is the CISO, and a ransomware attack is no exception. Not only is it the CISO’s job to ensure that data safeguards are in place, but also data recovery operations in the event of a compromise.
Incident response is another key factor in possibly stopping the spread of the ransomware within a network as well as finding the vector of entry — and fixing it before it can be exploited further. None of this is new to the cybersecurity world. We all understand that these procedures, trainings and skillsets need to be enabled, and it’s the CISO’s responsibility to approve and enforce. So, where do we keep going wrong?
CISOs have an incredibly tough job, and the current state of the workforce isn’t helping. In the ISACA State of Cybersecurity 2021 report, the majority of respondents within the IT field indicated that their organisations’ cybersecurity teams were understaffed. The causes of this (underfunding, lack of skilled workforce, etc) are likely multilayered. But regardless of the obstacles, it is ultimately the CISO’s job to champion the efforts of the cybersecurity team. Understanding the technology, threat landscape and risks involved with their organisation’s infrastructure and being able to communicate it back to non-technical senior leadership is paramount to a security team’s success.
Aside from the technical aspects, there is the human factor to consider. In security we have wonderful technical controls and appliances that help mitigate information security breaches and cyber attacks. However, there is one factor that continues to elude infosec professionals and is somewhat of an “uncontrollable” control — culture and behavioural dynamics.
Creating a culture of security/cybersecurity is a buzz phrase that is starting to take hold, and for good reason. In the plurality of cases, the attack vector is social engineering, and human behaviour is not an easy thing to change organisation-wide. But this is the task that CISOs are ultimately responsible for: leading by example and being a champion of cybersecurity within an organisation while ensuring that all employees have the tools they need to be cyber aware and cyber safe.
My top 10 steps to ensure companies are better prepared for, and help prevent, ransomware attacks are:
Understand risk profiles — Organisations should have their risk assessed to accurately prepare for potential attacks. To do this, cybersecurity teams must take inventory of responsibilities, products and services, and the technical requirements affiliated with each. By defining these risk areas, cyber teams can better assess areas that require the most attention when allocating cybersecurity resources.
Realise data responsibilities — Each employee on a cybersecurity team should realise the types of data that they are responsible for storing, transmitting and protecting.
Test for incoming phishing attacks — Most attacks start with a phishing campaign, and they continue to be effective. Try testing your filters by sending yourself, from an external test email account, de-weaponised copies of phishing emails that others have already identified. How often do they make it through? Test it. It is possible that email filters need to be strengthened.
Assess all cybersecurity roles on a regular, event-controlled basis — Regularly assess and audit cybersecurity controls to ensure that they are applied and maintained appropriately. A truly mature organisation will test these controls on both a time-based schedule and in response to incidents.
Evaluate patches on a timely basis — Ensure that patches are applied in an organised and methodical fashion. For vulnerable legacy systems that cannot be patched or updated, isolate them in the network and ensure that those systems do not have access to the internet.
Perform regular policy reviews — Make sure that all pertinent cybersecurity policies not only exist, but are also regularly evaluated and updated based on the ever-changing cybersecurity landscape. Specifically, update these policies based on both time-based schedules and event-based instances.
Leverage threat intelligence appropriately — Reading and disseminating threat intelligence throughout a cybersecurity team can be overwhelming. Hacks and cyber attacks occur on a 24/7 basis, with different branches of similar attacks emerging overnight in many instances. Understanding which type of intelligence applies to your organisation and parsing it out correctly increases understanding of what threats may pose the greatest danger.
Protect end-user devices — We often forget to ensure 100% protection of end-user devices — not only for devices within the network, but for all devices used by remote users to access systems. Exclusion lists should be minimal.
Communicate clearly with executive leadership and employees — To gain executive support, ensure that reporting and communication to the leadership level is clear and accurate. Once leadership understands the threat, the risk and its potential impacts, cybersecurity teams are more likely to receive the funding and support required to protect the organisation.
Comprehend organisational cybermaturity — All points listed here are a part of comprehending an organisation’s cybermaturity, or its developed defensive readiness against potential cyber attacks and exploitations. Tools like the CMMI Cybermaturity Platform can help organisations understand and improve their cybermaturity.
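The threat-intelligence step (understanding which intelligence applies to your organisation and parsing it out) and the patching step (patch what can be patched, isolate legacy systems that cannot) come together in a simple triage routine. The following Python is an added example, not code from the article or from ISACA: it matches a feed of advisories against an asset inventory, drops items for products the organisation does not run or sectors it is not in, and turns the rest into prioritised actions. All product names, advisory identifiers, versions and the organisation's sector are constructed sample data.

```python
"""Triage a threat-intelligence feed against an asset inventory (added example, constructed data)."""
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, int, int]


@dataclass
class Asset:
    name: str
    product: str
    version: Version
    internet_exposed: bool
    patchable: bool  # False for legacy systems that cannot be updated


@dataclass
class IntelItem:
    advisory_id: str      # hypothetical identifier, not a real advisory
    product: str
    fixed_in: Version     # first version that closes the weakness
    exploited_in_wild: bool
    sectors: List[str]    # empty list means "applies to every sector"


@dataclass
class Finding:
    asset: str
    advisory_id: str
    priority: int         # 1 = act first, 3 = routine
    action: str           # "patch" or "isolate"


# Constructed sample data: an organisation in one sector with four systems.
ORG_SECTOR = "healthcare"
SAMPLE_ASSETS = [
    Asset("vpn-gw-01", "examplevpn", (9, 1, 0), internet_exposed=True, patchable=True),
    Asset("erp-legacy", "exampleerp", (2, 0, 0), internet_exposed=False, patchable=False),
    Asset("mail-01", "examplemail", (4, 5, 2), internet_exposed=True, patchable=True),
    Asset("hr-db", "exampledb", (12, 0, 3), internet_exposed=False, patchable=True),
]
SAMPLE_FEED = [
    IntelItem("ADV-0001", "examplevpn", (9, 1, 2), exploited_in_wild=True, sectors=[]),
    IntelItem("ADV-0002", "exampleerp", (2, 1, 0), exploited_in_wild=False,
              sectors=["healthcare", "manufacturing"]),
    IntelItem("ADV-0003", "examplemail", (4, 5, 0), exploited_in_wild=True, sectors=[]),
    IntelItem("ADV-0004", "otherproduct", (1, 0, 0), exploited_in_wild=True, sectors=[]),
    IntelItem("ADV-0005", "exampledb", (12, 1, 0), exploited_in_wild=False, sectors=["finance"]),
]


def relevant_items(feed: List[IntelItem], assets: List[Asset], org_sector: str) -> List[IntelItem]:
    """Keep only advisories that name a product we actually run and that target our sector
    (or no particular sector). Everything else is noise for this organisation."""
    products = {a.product for a in assets}
    return [
        item for item in feed
        if item.product in products and (not item.sectors or org_sector in item.sectors)
    ]


def triage(feed: List[IntelItem], assets: List[Asset], org_sector: str) -> List[Finding]:
    """Pair each relevant advisory with the affected assets and decide what to do.

    Priority starts at 3 and moves up one step for active exploitation and one step
    for internet exposure. Patchable systems get a patch action; legacy systems that
    cannot be patched get an isolate action (segment them and cut internet access)."""
    findings = []
    for item in relevant_items(feed, assets, org_sector):
        for asset in assets:
            if asset.product != item.product or asset.version >= item.fixed_in:
                continue  # different product, or already running a fixed version
            priority = 3
            if item.exploited_in_wild:
                priority -= 1
            if asset.internet_exposed:
                priority -= 1
            action = "patch" if asset.patchable else "isolate"
            findings.append(Finding(asset.name, item.advisory_id, priority, action))
    return sorted(findings, key=lambda f: (f.priority, f.asset))


if __name__ == "__main__":
    for f in triage(SAMPLE_FEED, SAMPLE_ASSETS, ORG_SECTOR):
        print(f"P{f.priority} {f.action:<8} {f.asset:<12} {f.advisory_id}")
```

With the sample data, two of the five feed entries are dropped before anyone reads them (a product not in the inventory, and a sector-specific advisory for another sector), the mail server is already on a fixed version and produces no finding, the exposed VPN gateway with an actively exploited weakness comes out as the first patch to apply, and the unpatchable ERP system is flagged for isolation rather than silently left in the backlog.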
We are living in a world where company leaders should assume they will find themselves being held to ransom by cybercriminals. Implementing the steps to protect the company ahead of this very real possibility is the best way to avoid decision-making about whether to pay a ransom.