Cyber-attacks remain a top business risk year after year, increasing in frequency, severity, and sophistication. At the top of the cyber-attack list? Ransomware.
Ransomware has become an industry, and every organization is a potential target. Attacks now routinely disrupt operations for days or weeks. Cyber-attackers are constantly evolving their tactics and scanning corporate technology environments for signs of poor cyber hygiene, such as lax controls or unpatched software; companies that show those signs become low-hanging fruit. The increase in attack sophistication shows no signs of slowing.
Planning is everything. Read on to see best practices that your business can adopt.
Plan and test. Develop or update your existing incident response plan to include ransomware considerations. Once your incident response plan is in place and accounts for ransomware, it is time to put it to the test. Evaluate your incident response plan with a ransomware tabletop exercise. Practicing a hypothetical ransomware scenario is critical for the quality of a real ransomware response.
Develop a decision-making framework. Use this to help analyze whether you can restore data and systems on your own and whether it makes sense to pay an extortion demand. The framework should include criteria to analyze specific circumstances, including the criticality of impacted data and systems, the length of time your organization can operate without critical data and systems, and the cost and length of time for your organization to restore the impacted data/systems on your own and/or with external support. Engaging external counsel to help develop and review the framework is recommended.
Establish ransom payment criteria. When developing ransom payment criteria, include the amount of the initial extortion demand, the threat actor’s track record of negotiating the initial demand downward, the threat actor’s history of providing working decryption code upon payment of the ransom, and an estimate of the length of time it will take to restore data and systems using the decryption code.
Ensure regular backups and periodic data restoration testing. Storing backup data offline and offsite in a secure manner can substantially expedite recovery from an attack. Limiting access to backups to a small set of privileged users is also important. A full backup should be completed at least once a week, although more valuable data may need to be backed up more often and incrementally. Businesses should conduct tests to confirm that backed-up and restored data will work in a live environment.
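As an added illustration of the restoration-testing point (this is example code written for this page, not a tool from the article or any vendor it mentions), the Python script below captures a SHA-256 manifest of a directory at backup time, restores the backup to a fresh location, and verifies the restored tree file by file, reporting anything missing, altered, or unexpected. It also checks that the most recent full backup is within the weekly window. All data is constructed in a temporary directory; the directory-tree layout, the manifest format, and the seven-day freshness threshold are assumptions chosen for the example.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

# Constructed sample data standing in for a business file share (assumption for
# this example: a directory tree is the unit of backup and restore).
SAMPLE_FILES = {
    "finance/ledger.csv": b"date,amount\n2024-01-01,100\n",
    "hr/roster.txt": b"alice\nbob\n",
    "docs/readme.txt": b"restore me\n",
}

# Weekly full backups, as recommended above; the threshold is an assumption.
MAX_FULL_BACKUP_AGE_DAYS = 7


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, with / separators) to its digest."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> list:
    """Compare a restored tree against the manifest captured at backup time.

    Returns sorted (relative_path, problem) tuples; an empty list means every
    file came back with the expected contents and nothing extra appeared.
    """
    problems = []
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(target) != expected:
            problems.append((rel, "hash mismatch"))
    for p in restored_root.rglob("*"):
        if p.is_file():
            rel = str(p.relative_to(restored_root)).replace("\\", "/")
            if rel not in manifest:
                problems.append((rel, "unexpected file"))
    return sorted(problems)


def full_backup_is_fresh(last_full_backup_ts: float, now: float = None) -> bool:
    """True when the last full backup is no older than the weekly window."""
    now = time.time() if now is None else now
    return (now - last_full_backup_ts) <= MAX_FULL_BACKUP_AGE_DAYS * 86400


def run_restore_drill() -> dict:
    """Back up constructed data, restore it twice (once cleanly, once with
    simulated damage) and report what the verification catches."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live = base / "live"
        for rel, content in SAMPLE_FILES.items():
            target = live / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        manifest = build_manifest(live)  # captured at backup time

        backup = base / "backup"
        shutil.copytree(live, backup)

        # A clean restore should verify with no problems.
        good = base / "restore_good"
        shutil.copytree(backup, good)
        good_problems = verify_restore(manifest, good)

        # A damaged restore: one file altered, one file absent.
        bad = base / "restore_bad"
        shutil.copytree(backup, bad)
        (bad / "finance/ledger.csv").write_bytes(b"date,amount\n2024-01-01,999\n")
        (bad / "hr/roster.txt").unlink()
        bad_problems = verify_restore(manifest, bad)

        return {
            "files_in_manifest": len(manifest),
            "good": good_problems,
            "bad": bad_problems,
        }


if __name__ == "__main__":
    result = run_restore_drill()
    print("clean restore problems:", result["good"])
    print("damaged restore problems:", result["bad"])
    print("weekly full backup fresh:", full_backup_is_fresh(time.time()))
```

In practice the manifest would be written alongside the offline backup and the drill run against a restore into an isolated environment, so that a backup which silently failed or was tampered with is discovered during a scheduled test rather than during an incident.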
Update your software. Patch regularly to maintain the security of applications and operating systems. Address all critical patches immediately.
Enhance security awareness. Cybersecurity awareness training for employees is an important cyber hygiene practice, as employees are the first line of defense against phishing attacks. Employees should be trained to recognize phishing emails and other threats. At the same time, email security tools can also prevent phishing emails from reaching an employee's inbox.
Consider ransomware as part of your organization’s broader risk management efforts. Take into account your risk tolerance, cybersecurity controls, cyber insurance coverage, broader enterprise risk management programs, and value chain as you review and develop your ransomware plans and prepare for the possibility of an attack.
Transfer your risk. While understanding the financial impact of your ransomware exposure is essential, it’s only one piece of a comprehensive cyber risk management strategy. Risk transfer can help protect an organization’s balance sheet and provide resources if risk mitigation tactics fail. Cyber insurance can provide comprehensive coverage for ransomware attacks, including for ransom demands, business downtime, and associated costs.