Ransomware has skyrocketed to become one of the most feared attacks on an organization. Over the last year, the U.S. witnessed a huge spike, with more expected in the future. Cybercriminals have targeted overburdened hospitals during COVID-19 and have infiltrated educational institutions and businesses, demanding payments. In September 2020, hundreds of health care centers operated by the Universal Health Services network were infected with ransomware. Soon after, the University of Vermont Health Network, the Sky Lakes Medical Center in Oregon, the St. Lawrence Health System in New York, and the Dickinson County Healthcare System in Michigan and Wisconsin all fell victim to the same malware. These attacks interfered with patient care and forced the hospitals to revert to paper records to continue operating, since they had lost access to all their digital systems.
Despite dozens of very high-profile outbreaks, organizations across the globe have continued to fall victim to ransomware. Some organizations refuse to pay the sometimes steep ransoms. Others surrender to the attackers and pay up. All organizations that experience ransomware attacks suffer ongoing damage to their reputations.
With no signs of this threat abating anytime soon, there are seven key steps that companies can take to minimize the risk that ransomware will freeze them out of critical assets.
1. Identify enterprise application vulnerabilities and proactively patch them
Ransomware is like many other forms of malware in that it typically exploits known vulnerabilities, such as outdated software and insecure third-party apps. These vulnerabilities need to be patched proactively by the security team before bad actors have the time to exploit them. This involves not only keeping up with patching at a steady, periodic cadence but also patching on an emergency basis when a fix is released for a critical vulnerability. In these cases, emergency patching should be completed within hours of the patch being released.
Proper patching begins with an accurate inventory of all assets, including categorization and calculation of business criticality. From there, risk-based prioritization can ensure the most important vulnerabilities are fixed first. Reporting on key metrics, such as mean-time-to-patch (MTTP), can help you keep track of efforts and even introduce some gamification to provide an incentive to team members who are the first to identify and patch new vulnerabilities.
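As an added illustration of the process described above (not code from the original article), the script below takes a constructed asset/vulnerability inventory, ranks open items by business criticality weighted with severity, flags items that have exceeded their patch window, and reports mean-time-to-patch (MTTP). The CVSS threshold, the 24-hour emergency window and the 30-day routine window are assumptions chosen for the example, not figures from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed SLA thresholds (the article only says "within hours" for critical patches).
EMERGENCY_CVSS = 9.0                    # CVSS at or above this counts as critical
EMERGENCY_WINDOW = timedelta(hours=24)  # assumed emergency patch SLA
ROUTINE_WINDOW = timedelta(days=30)     # assumed routine patch cadence

@dataclass
class VulnRecord:
    asset: str
    vuln_id: str                 # placeholder ids, not real CVE numbers
    business_criticality: int    # 1 (low) .. 5 (mission critical), from asset categorization
    cvss: float                  # vendor/NVD base score
    patch_released: datetime
    patched_at: Optional[datetime] = None   # None while the patch is still outstanding

def risk_score(r: VulnRecord) -> float:
    # Risk-based prioritization: business impact weighted by technical severity.
    return r.business_criticality * r.cvss

def prioritize(records: List[VulnRecord]) -> List[VulnRecord]:
    # Open vulnerabilities only, most important first.
    return sorted((r for r in records if r.patched_at is None), key=risk_score, reverse=True)

def sla_window(r: VulnRecord) -> timedelta:
    return EMERGENCY_WINDOW if r.cvss >= EMERGENCY_CVSS else ROUTINE_WINDOW

def sla_breaches(records: List[VulnRecord], now: datetime) -> List[Tuple[str, str, timedelta]]:
    # Open items whose patch has been available longer than their SLA allows, in priority order.
    out = []
    for r in prioritize(records):
        overdue = (now - r.patch_released) - sla_window(r)
        if overdue > timedelta(0):
            out.append((r.asset, r.vuln_id, overdue))
    return out

def mean_time_to_patch(records: List[VulnRecord]) -> Optional[timedelta]:
    # MTTP over closed items: average delay between patch release and deployment.
    deltas = [r.patched_at - r.patch_released for r in records if r.patched_at is not None]
    return sum(deltas, timedelta()) / len(deltas) if deltas else None

# Constructed sample inventory and reporting time (not real assets or vulnerabilities).
INVENTORY = [
    VulnRecord("db-prod-01", "VULN-0001", 5, 9.8, datetime(2021, 2, 28, 9), datetime(2021, 2, 28, 15)),
    VulnRecord("web-prod-02", "VULN-0002", 4, 7.5, datetime(2021, 2, 1), datetime(2021, 2, 11)),
    VulnRecord("hr-app-01", "VULN-0003", 3, 9.1, datetime(2021, 2, 27, 8)),
    VulnRecord("dev-box-07", "VULN-0004", 1, 5.0, datetime(2021, 2, 20)),
    VulnRecord("fileshare-01", "VULN-0005", 4, 6.5, datetime(2021, 1, 10)),
]
NOW = datetime(2021, 3, 1, 12)

if __name__ == "__main__":
    print("MTTP:", mean_time_to_patch(INVENTORY))
    for asset, vid, overdue in sla_breaches(INVENTORY, NOW):
        print(f"SLA breach: {asset} {vid} overdue by {overdue}")
```

Running it shows the critical, unpatched HR application at the top of the queue, a long-open file share breaching the routine window, and an MTTP of just over five days for the items already closed.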
2. Update or get rid of obsolete software
Routinely update software and remove any outdated software. Older versions of software increase risk because vendors stop issuing security updates for them. For example, five of the top 10 exploited vulnerabilities impact only old versions of Microsoft software, primarily Microsoft Office OLE components. Another one targets Adobe Flash Player, an end-of-life software package. Removing obsolete software and regularly taking inventory of all of the company's IT assets will strengthen your security posture and help to protect against ransomware attacks.
3. Either control or disable vulnerable services
Enterprise network services, such as Telnet, Remote Desktop Protocol (RDP), and File Transfer Protocol (FTP), are important, but they can also present bad actors with opportunities to infiltrate your network. To avoid this, these services need to be carefully monitored and controlled. The first step is to identify critical assets running these services and analyze whether there is a true business need for the service, as well as whether the appropriate compensating controls are in place. Assigning a risk owner can help ensure that these decisions are made by the people closest to the area of the business where the assets are used.
4. Adopt stronger password hygiene
Enterprises have two main friends when it comes to strengthening password security: enterprise password managers and multi-factor authentication (MFA). Both add friction to the business but are usable at scale and are acceptable as a mitigation method, especially when compared to other draconian security tools some organizations use. An enterprise password manager will enable users to have strong and unique passwords for all accounts without having to remember them. With a password manager, passwords for systems that do not allow multiple users can also be properly shared. When properly implemented, MFA can add a major speed bump in a cybercriminal’s progress. If costs are a concern, use business risk to prioritize what critical applications you want to protect with MFA first and which ones can wait.
5. Implement antivirus and email security measures
It is important to employ antivirus software and email security to assist in protecting individuals and organizations from ransomware in addition to viruses, spyware, phishing attacks, spam attacks, and other threats. According to Verizon’s 2020 Breach Investigations Report, most malware is still delivered by email, with a smaller amount arriving via web services. Once you have the right tools in place, you will need to make sure they are up to date and patched as well.
6. Control user access
The principle of least privilege mandates that any employee or user should only have access to information that is necessary to perform a particular task. When current or former employees have access to more data and more privileges than the IT team is aware of, it increases the risk of insider threats, which in turn, can make the organization more vulnerable to being infected with ransomware. Email segmentation is a similar practice to least privilege but for email servers.
7. Companywide training
Preventing ransomware is a team effort, and ensuring your employees are appropriately trained and aware is as important as anything else on this list. A successful security awareness training program will strengthen your cybersecurity posture and mitigate the cyber risks associated with common human errors such as mis-clicks, misconfiguration, or the failure to fix a known vulnerability. As a best practice, employees should get a refresher in this security training every four to six months.
Staying a Step Ahead of Bad Actors
Unfortunately, there is no silver bullet for preventing ransomware. As with many other forms of attacks, adversaries can exploit a single weakness anywhere to implant the malware and freeze users out of sensitive data. By following the seven critical steps listed above, your organization and your security team will be more effective at preventing future ransomware attacks.