Ransomware Prevention: What You Need to Know
If you've been reading our ongoing ransomware series, you're likely up to speed on all the foundational basics: what it is, where it came from (and how it's evolved), what its impacts are, how it enters networks, and which types of ransomware are out there.
Now we're going to start talking about it from more of a tactical perspective—that is, what can you do to prevent a ransomware attack?
From the way we've been writing about it up until now, you may have been feeling some anxiety. After all, ransomware is a threat that's growing all the time, and as most security experts will tell you, it's often not a question of if you'll be targeted, but when.
Even so, there's still quite a bit that you can do to prevent ransomware. So let's get into it.
Step 1: Put things in perspective
As noted in a recent post on our blog, there are excellent reasons to prevent a ransomware attack in the first place. Ransomware attacks are costly, disruptive to operations, and damaging to brand reputations, and they can contribute to people within the organization losing their jobs.
What's more, for companies that are targeted by ransomware attacks, paying the ransom doesn't always get them out of the situation. As Bisson points out in the blog:
Sometimes, victims couldn't recover their information even after paying the requested ransom. Nearly half (46%) of respondents in Cybereason's survey said that they had regained access to their data after fulfilling a ransom demand but that the attack had left some or all of their data corrupted. Only 51% of victims regained access to all their data without any data loss after paying the ransom, while three percent didn't restore any of their data following payment.
Even more troubling is the fact that in some cases, complying with a ransomware attacker's demands actually sets up the victim to be targeted in future attacks. Remember, the goal of the attack is usually to get the organization to pay so that the attackers can fund future attacks. Again, from Bisson: “Of those organizations that told Cybereason they had paid the ransom, for example, four-fifths said they had incurred another ransomware attack. Nearly half (46%) of those respondents believed that the attack originated from the same attackers.”
All this to say, there's a great deal that you can do to make sure your losses are minimized in the event that you do get targeted by an attack, but the absolute best stance you can take is to try to prevent one from occurring at all.
Step 2: Understand your environment
As our Chief Information Officer, Sheila Carpenter, says, the next most important action to take before implementing any security measures is to understand your assets.
“You need to know what's running in your environment and what's externally facing, as well as really understand the data that's in those assets,” she says. The following activities can help paint a picture for you:
- Documenting all systems and integrations to understand attack points
- Implementing a security review process for new technology
- Data mapping to understand the flow of data and which applications it's housed in
- Implementing strong change management to control what goes into your environment
Each of these activities will help you lay the foundation for managing vulnerabilities, understanding risks, and having the right prevention tools where they belong.
Step 3: Get proactive
There are a number of controls you can put in place to make sure ransomware doesn't find its way into your network in the first place. And as we've all heard before, the best defense is a good offense.
We've mentioned that email (specifically phishing scams) is one of the top ways that ransomware can enter networks. An email security audit is a great way to help source and remediate potential vulnerabilities quickly.
It's also important to make sure you have data loss prevention (DLP) and threat protection measures in place. Those tools will inspect and analyze incoming emails as well as flag or block anything that looks suspicious so that anything fishy (pun intended) can be blocked before it ever finds its way to an inbox.
It's also great to have a vulnerability management program in place that patches all aspects of an environment: laptops, servers, web servers, and anything external-facing. Of course, setting up endpoint detection on machines goes a long way, as does having the right anti-virus and anti-malware software in place.
Finally, says Carpenter, it's important to implement the right controls, especially with employees working remotely. This means having strong password controls (and multi-factor authentication), denying local admin access privileges, and having a good understanding of what's happening within your environment from a login perspective.
Step 4: Test and educate
Controls and security measures go a long way in preventing ransomware, but don't discount the importance of educating employees on which risks exist and how to manage them.
Carpenter suggests introducing mandatory annual security training for all employees. This way, you can ensure everyone's up to date on emerging risks and what they could look out for, as well as which protocols to follow if they're ever faced with a potential security breach.
As a part of ongoing employee training, Carpenter suggests conducting regular tests to make sure you're resilient in terms of recognizing and protecting against potential threats.
Additional ransomware prevention resources
There's a wealth of additional resources you can refer to when it comes to ransomware prevention, but here we will share what we found to be the most important highlights from the U.S. Cybersecurity & Infrastructure Security Agency's (CISA) recommendations:
- Apply best practices when using RDP / remote desktop services to prevent attackers from using this as a common entry point.
- Keep all software up to date, including operating systems, servers, applications, anti-virus and anti-malware software, and any other software that can be abused to gain access to your network.
- Secure all devices (laptops, mobile phones, etc.) that have access to your network and ensure they follow company security policies.
- Employ multi-factor authentication (MFA) rather than allowing users to log in with a password alone.
- Implement a cyber security awareness training program so employees know the risks of working in a digital world.
- Manage access properly, for example by limiting privileged accounts and developing an allow list for applications.
- Have a robust data backup strategy in place that backs up your data regularly—this won't necessarily prevent ransomware threats, but it is an important piece to include proactively in case of attack.
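One way to turn the asset inventory from Step 2 and the checklist above into a repeatable check is sketched below. This is an added example, not code from CISA or from this blog; the hosts, field names, and the 30-day patch and 7-day backup thresholds are constructed assumptions.

```python
from datetime import date

# Constructed sample inventory: hypothetical hosts and field names (assumptions).
INVENTORY = [
    {"host": "rdp-gw-01", "external": True, "open_ports": [443, 3389], "mfa": False,
     "local_admins": ["svc_backup"], "last_patched": date(2024, 1, 10),
     "last_backup": date(2024, 5, 30)},
    {"host": "hr-laptop-17", "external": False, "open_ports": [], "mfa": True,
     "local_admins": ["jdoe"], "last_patched": date(2024, 5, 20),
     "last_backup": None},
    {"host": "web-02", "external": True, "open_ports": [443], "mfa": True,
     "local_admins": [], "last_patched": date(2024, 5, 25),
     "last_backup": date(2024, 5, 31)},
]

MAX_PATCH_AGE_DAYS = 30   # assumed policy threshold
MAX_BACKUP_AGE_DAYS = 7   # assumed policy threshold

def audit_asset(asset, today):
    """Return the checklist items this asset fails, as readable findings."""
    findings = []
    if asset["external"] and 3389 in asset["open_ports"]:
        findings.append("RDP (3389) reachable from the internet")
    if not asset["mfa"]:
        findings.append("MFA not enforced")
    if asset["local_admins"]:
        findings.append("local admin rights: " + ", ".join(asset["local_admins"]))
    if (today - asset["last_patched"]).days > MAX_PATCH_AGE_DAYS:
        findings.append("patches older than %d days" % MAX_PATCH_AGE_DAYS)
    backup = asset["last_backup"]
    if backup is None or (today - backup).days > MAX_BACKUP_AGE_DAYS:
        findings.append("no recent backup")
    return findings

def audit_inventory(inventory, today):
    """Audit every asset; list externally facing hosts first, then most findings."""
    report = {a["host"]: audit_asset(a, today) for a in inventory}
    external = {a["host"]: a["external"] for a in inventory}
    order = sorted(report, key=lambda h: (not external[h], -len(report[h])))
    return [(h, report[h]) for h in order if report[h]]

if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY, date(2024, 6, 1)):
        print(host)
        for finding in findings:
            print("  -", finding)
```

Sorting externally facing assets to the top reflects the advice in Step 2 to know what is exposed before deciding where prevention effort goes first.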
Of course, even with the most robust prevention plan in place, ransomware attackers grow more sophisticated every day, and may still find ways to enter your network. In future articles, we'll go over tabletop exercises you can conduct to ensure you're prepared for an attack, as well as recovery efforts you can put into place to minimize the damage if you are attacked.