Ransomware is a specific and extremely harmful type of malware used by cybercriminals to extort money from individuals, organizations and businesses. The infection blocks access to your data until you make a ransom payment, at which point you are supposed to regain access.
In reality, nearly 40% of the victims who pay the ransom never get their data back, and 73% of those that pay are targeted again later, which is why everyone must protect against ransomware.
Malware is "hostile or intrusive software" that is illegally introduced onto your system for malicious reasons, and ransomware is a particularly painful variety of it. When a ransomware attack infects your system it blocks access to your data until payment is delivered to the criminals who are extorting you or your business. It is an illegal threat to your data.
What Does Good IT Security Look Like?
Defending against ransomware requires a holistic, all-hands-on-deck approach that brings together your entire organization. Below are nine ways that can help stop attacks and limit the effects of ransomware.
1. Ransomware identification
- Are anti-ransomware toolsets deployed throughout the organization?
- What proactive measures are in place for identification of ransomware threats?
- Are policies, procedures, access control methods and communication channels updated frequently to address ransomware threats?
- Are in‑house capabilities or external arrangements in place to identify ransomware strains?
2. Business continuity planning/incident response plan
- Are ransomware‑specific incident response processes in place?
- Have there been any previous ransomware incidents? If so, what lessons have been learned?
- Are pre‑agreed IT forensic firm or anti‑ransomware service provider arrangements in place?
3. Anti‑phishing exercises and user awareness training
- Is regular user training and awareness conducted on information security, phishing, phone scams and impersonation calls, and social engineering attacks?
- Are social engineering or phishing simulation exercises conducted on an ongoing basis?
4. Backups and recovery
- Are regular backups performed, including frequent backups of critical systems, to minimize the impact of a disruption? Are offline backups maintained as well?
- Are backups encrypted? Are backups replicated and stored at multiple offsite locations?
- Are processes in place for successful restoration and recovery of key assets within the Recovery Time Objective (RTO)?
- Are backups periodically retrieved and compared with the original data to verify backup integrity?
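The backup integrity check in the last bullet can be made routine by recording a hash manifest of the source data when the backup is taken and comparing every restore against it. The following is an added example, not code from the original article or from AGCS: it builds a SHA-256 manifest, verifies a restored tree, and reports missing, altered and unexpected files. The sample files and the deliberately broken restore are constructed in a temporary directory purely for illustration.

```python
"""Backup integrity check: record a hash manifest of the source data, then
verify a restored copy against it. Added example; the sample files below are
constructed in a temporary directory for illustration."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken from the original.
    Returns which files are missing, which have different content, and which
    are present but were never part of the original."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "modified": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }


def demo():
    """Constructed scenario: back up three files, then simulate a bad restore
    (one file truncated, one never restored, one stray file) and verify it."""
    work = tempfile.mkdtemp(prefix="bkp-")
    try:
        src = os.path.join(work, "source")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "ledger.sqlite"), "wb") as f:
            f.write(os.urandom(4096))
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[app]\nmode=prod\n")
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("quarterly figures\n")
        manifest = build_manifest(src)  # taken at backup time, stored with the backup

        # "Restore" by copying, then damage it the way a faulty restore might.
        restored = os.path.join(work, "restored")
        shutil.copytree(src, restored)
        with open(os.path.join(restored, "db", "ledger.sqlite"), "wb") as f:
            f.write(b"")  # truncated during restore
        os.remove(os.path.join(restored, "notes.txt"))  # never restored
        with open(os.path.join(restored, "stray.tmp"), "w") as f:
            f.write("left over")  # not part of the original data

        good = verify_restore(manifest, src)  # the original still matches its own manifest
        bad = verify_restore(manifest, restored)
        return good, bad
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    good, bad = demo()
    print("self-check of original:", good)
    print("restore report:", bad)
```

Store the manifest alongside the backup (signed or on a separate system, since an attacker who can alter the backup could otherwise rewrite the manifest to match), and treat a non-empty `missing` or `modified` list from a restore test as a failed backup rather than a warning.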
5. Endpoint security
- Are endpoint protection (EPP) products and endpoint detection and response (EDR) solutions used across the organization on mobile devices, tablets, laptops, desktops, etc.?
- Is a Local Administrator Password Solution (LAPS) implemented on endpoints, so that each machine has a unique, regularly rotated local administrator password?
6. Email, web, office documents security
- Is the Sender Policy Framework (SPF) strictly enforced?
- Are email gateways configured to look for potentially malicious links and programs?
- Is web content filtering enforced, including restrictions on access to social media platforms?
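"Strictly enforced" SPF means, at minimum, that the domain's record ends in a hard fail (`-all`) rather than `~all` or `+all`, and that it stays within the ten-DNS-lookup limit of RFC 7208, beyond which receivers return a permanent error and effectively ignore the record. The following is an added example, not code from the original article or from AGCS: it parses an SPF TXT record offline (no DNS queries are made, so the lookup count covers only the terms visible in the record itself, not the records they include) and reports why a record is or is not strict. The records used in the checks are constructed for illustration.

```python
"""Offline strictness check for an SPF TXT record. Added example; the
records used for illustration are constructed, and no DNS queries are made."""
import ipaddress
import re

# Terms that cost a DNS lookup at evaluation time; RFC 7208 caps these at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Parse one SPF record and decide whether it is strict enough to enforce.
    Returns the 'all' verdict, the visible DNS-lookup count, the listed
    networks, a list of findings, and a final 'strict' flag."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    result = {"all": "absent", "lookups": 0, "networks": [], "findings": []}
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if ":" in term or "=" in term:
            name, arg = re.split(r"[:=]", term, maxsplit=1)
        else:
            name, arg = term, ""
        name = name.lower()
        if name == "all":
            result["all"] = QUALIFIERS[qualifier]
        elif name in ("ip4", "ip6"):
            try:
                result["networks"].append(str(ipaddress.ip_network(arg, strict=False)))
            except ValueError:
                result["findings"].append(f"unparseable {name} term: {arg}")
        if name in LOOKUP_TERMS:
            result["lookups"] += 1
        if name == "ptr":
            result["findings"].append("ptr mechanism is deprecated and unreliable; remove it")

    if result["all"] in ("pass", "neutral", "absent"):
        result["findings"].append(
            f"'all' verdict is {result['all']}: any sender passes, the record enforces nothing")
    elif result["all"] == "softfail":
        result["findings"].append(
            "~all (softfail) is not strict enforcement; use -all once all senders are listed")
    if result["lookups"] > 10:
        result["findings"].append(
            f"{result['lookups']} DNS lookups exceeds the limit of 10; receivers return permerror")
    result["strict"] = (
        result["all"] == "fail"
        and result["lookups"] <= 10
        and not any(f.startswith("unparseable") for f in result["findings"])
    )
    return result


if __name__ == "__main__":
    # Constructed records: one strict, one lenient, one that allows everything.
    for rec in (
        "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
        "v=spf1 a mx include:_spf.example.net ~all",
        "v=spf1 +all",
    ):
        r = parse_spf(rec)
        print(rec, "->", "strict" if r["strict"] else "NOT strict", r["findings"])
```

A complete assessment also walks each `include:` and `redirect=` target and counts their lookups recursively, since the ten-lookup limit applies to the whole evaluation; that requires DNS access and is left out here. SPF alone only authorises sending hosts, so pairing it with DMARC (`p=reject`) is what actually blocks spoofed mail from the organization's own domain.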
7. Network segmentation
- Are physical and logical segregations maintained within the network, including the cloud environment?
- Are micro-segmentation and a zero trust framework in place to reduce the overall attack surface?
8. Monitoring, patching and vulnerability management policies
- Are automated scans run to detect vulnerabilities? Are third-party penetration tests performed on a regular basis?
- Does the organization enforce appropriate access policies, with multi-factor authentication for access to critical data, remote network connections and privileged user access?
- Is continuous monitoring in place to detect unusual account behaviour, new domain accounts, account privilege escalations (to administrator level), new service installations, and unusual chains of commands run within a short period of time?
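The signals in the last bullet map directly onto Windows Security events: 4720 (account created), 4728/4732/4756 (member added to a group), 4697 (service installed) and 4688 (process created). The following is an added example, not code from the original article or from AGCS: it runs three detections over a batch of such events, flagging a freshly created account that is immediately placed in an administrative group, any new service installation, and a user who runs several discovery or tampering commands within a short window. The event records are constructed for illustration; the list of commands treated as suspicious is the author's own assumption and would be tuned to the environment.

```python
"""Detections for new accounts, admin-group changes, new services and rapid
command chains over Windows Security events. Added example; the event IDs
are Microsoft's, the sample events are constructed, and SUSPICIOUS_CMDS is an
assumed starting list rather than a published standard."""
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4732, 4756}  # global, local and universal groups
SERVICE_INSTALLED = 4697
PROCESS_CREATED = 4688

ADMIN_GROUPS = {"administrators", "domain admins", "enterprise admins"}
# Binaries commonly chained while staging ransomware: discovery, shadow-copy
# deletion and recovery tampering. Assumed list; tune to the environment.
SUSPICIOUS_CMDS = {"whoami.exe", "net.exe", "nltest.exe", "vssadmin.exe",
                   "wbadmin.exe", "bcdedit.exe", "wmic.exe"}


def detect(events, window=timedelta(minutes=10), chain_threshold=3):
    """events: dicts with 'time' (ISO 8601), 'id', 'user' and per-event fields
    ('target', 'group', 'service', 'image'). Returns a list of alert strings
    in time order."""
    alerts = []
    created = {}                 # account name -> creation time
    by_user = defaultdict(list)  # user -> [(time, image)] of suspicious commands
    chained = set()              # users already alerted on, to avoid repeats
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == ACCOUNT_CREATED:
            created[e["target"].lower()] = t
            alerts.append(f"new account {e['target']} created by {e['user']} at {e['time']}")
        elif e["id"] in GROUP_MEMBER_ADDED and e["group"].lower() in ADMIN_GROUPS:
            target = e["target"].lower()
            note = ""
            if target in created and t - created[target] <= window:
                note = f" (account created less than {window.seconds // 60} minutes earlier)"
            alerts.append(f"{e['target']} added to {e['group']} by {e['user']}{note}")
        elif e["id"] == SERVICE_INSTALLED:
            alerts.append(f"new service {e['service']} installed by {e['user']} running {e['image']}")
        elif e["id"] == PROCESS_CREATED:
            image = e["image"].rsplit("\\", 1)[-1].lower()
            if image in SUSPICIOUS_CMDS:
                hist = by_user[e["user"]]
                hist.append((t, image))
                recent = [img for ts, img in hist if t - ts <= window]
                if len(recent) >= chain_threshold and e["user"] not in chained:
                    chained.add(e["user"])
                    alerts.append(f"{e['user']} ran {len(recent)} discovery/tampering commands "
                                  f"within {window.seconds // 60} minutes: {', '.join(recent)}")
    return alerts


# Constructed sample: one operator stages an intrusion, another runs a single benign command.
SAMPLE_EVENTS = [
    {"time": "2024-03-02T01:12:04", "id": 4688, "user": "CORP\\jdoe", "image": r"C:\Windows\System32\whoami.exe"},
    {"time": "2024-03-02T01:12:09", "id": 4688, "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net.exe"},
    {"time": "2024-03-02T01:12:31", "id": 4688, "user": "CORP\\jdoe", "image": r"C:\Windows\System32\nltest.exe"},
    {"time": "2024-03-02T01:15:40", "id": 4720, "user": "CORP\\jdoe", "target": "svc_backup2"},
    {"time": "2024-03-02T01:16:02", "id": 4732, "user": "CORP\\jdoe", "target": "svc_backup2", "group": "Administrators"},
    {"time": "2024-03-02T01:18:55", "id": 4697, "user": "CORP\\svc_backup2", "service": "UpdaterSvc", "image": r"C:\ProgramData\upd.exe"},
    {"time": "2024-03-02T01:20:12", "id": 4688, "user": "CORP\\svc_backup2", "image": r"C:\Windows\System32\vssadmin.exe"},
    {"time": "2024-03-02T09:00:00", "id": 4688, "user": "CORP\\asmith", "image": r"C:\Windows\System32\whoami.exe"},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Feeding the same logic a stream from a SIEM rather than a list is a matter of keeping `created`, `by_user` and `chained` as state between batches and expiring entries older than the window; the account-creation-then-admin correlation is the one worth paging on, since it is rarely legitimate outside a change window.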
9. Mergers and acquisitions
- What due diligence and risk management activities are performed prior to M&A?
- Are regular security audits conducted on newly integrated entities to evaluate their security controls?
All of the recommendations are technical advisory in nature, from a risk management perspective, and may not apply to your specific operations.
Please review the recommendations carefully and determine how they can best apply to your specific needs prior to implementation. Any queries relating to insurance cover should be raised with your local contact in underwriting, your agent and/or your broker.
AUTHOR: Scott Sayce – Global Head of Cyber and Group Head of the Cyber Centre of Competence AGCS