In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & Chief Executive Bryan Strawser discusses one of the biggest threats facing businesses today: ransomware.
Bryan discusses steps you can take to manage and survive ransomware attacks and crisis situations that can have deadly serious consequences to your organization’s operations, continuity, and reputation.
Related Episodes & Blog Posts
- Blog Post: The Importance of Having a Crisis Communications Strategy
- Blog Post: Insider Threat Webinar: The Threat Lurking inside your Organization
- Episode #59: All roads lead to one – Crisis Management Framework
- Episode #115: Ransomware and Backups
Episode Transcript
Hello and welcome to the Managing Uncertainty Podcast. This is Bryan Strawser, Principal and Chief Executive here at Bryghtpath. And today I want to talk about one of the biggest threats facing businesses, small, medium, large, Fortune 50 sized organizations, and that is ransomware. And I want to emphasize the need to plan your ransomware attack response now. That there is no time to wait based on thinking about how you will manage this as a business continuity, crisis management, information security professional, as a chief security officer, or as a leader or owner of a business.
If you think about what we’ve seen in just the last six months, food manufacturing and food processing fuel pipelines, police departments, a transportation authority, cities and counties in terms of government. Those are just some of the largest targets that have been hit with ransomware attacks in the United States so far this year in 2021. But for every ransomware story in the news that we see, there are dozens of incidents that go unnoticed, unmentioned because either the company is too small for news outlets to care, or because the organization wants to handle that situation quietly on its own and usually by paying the ransom.
And ransomware is paying really good money. In 2020, the amounts that victim’s paid to regain the use of their data went up more than 300%. I bet your margin didn’t climb 300%, but theirs did. So it’s not surprising that the Washington Post is now claiming that the frequency of attacks have more than doubled from 2019 to 2020. And it seems to be a case of not if a company will be hit, but when a company will be hit. Also, the perfect storm has been created with the pandemic. The growth of remote work has really created the perfect condition for cyber attacks.
Although mobile work and mobile devices have increased for more than a decade now, companies really didn’t proactively communicate the urgency of hardening home-based information security, your home network the way that we should have. Billions of homeworkers during the pandemic have provided multiple entry points through insecure home routers possibly that are still running older encryption like WPS instead of WPA2 or WPA3 and wifi networks that may not even have password protection.
Now companies can shore up home-based offices, but you also need to change the attitude towards ransomware attacks. Tactically, we often focus cybersecurity efforts around regulatory and framework compliance and those are important, NIST, CSF, high trust, direct trust, PCI, and more. These are important, but we also need to build cybersecurity capabilities to withstand a determined adversary. The real enemy on the other end of the line is not a regulator or a compliance auditor. It’s the determined cybercriminal who wants to get into your network.
Recently, one of our clients we weren’t working with on cybersecurity issues lost their databases and their backups. The ransom group actually social engineered their way into the backup provider and persuaded them to erased their backups. Such initiative yielded the bad guys a more than $2 million payment. And companies also don’t yet fully realize how disruptive these incidents can be. You might think, for example, “Well, I’ve got backups if I still have one and that backup will cover me.”
But think about what it’s going to take in terms of time to restore an entire data center or multiple data centers. This is not a four or five-hour backup job and you’re back in business. Depending upon the extent of the breach, that recovery could take days or even weeks of round-the-clock work. Ransom attacks also present broader strategic and reputational implications. The problem now extends beyond a mere technical project or just decrypting your system. Consider the loss of revenue that you could be experiencing. What’s the impact to employee morale? How long before your customers choose to trust you again?
So what can you do? Three steps that we want to encourage you to think about. The first is to bolster your backup and recovery processes. Make sure you’re employing a three-generation backup approach for all critical files and databases. The grandparent is the oldest version, the parent is the second oldest version and the child is your most recent version. Store at least one version of this entirely offline and off-site on tape or another movable media that you can recover. Make sure your storage systems are immutable so that no one can overwrite or decrypt. I’m sorry, overwrite or delete encrypted backups. Finally, make sure that your off-site provider uses two-factor authentication to withstand a social engineering attack that could result in the deletion or access to your backups.
The second, build a playbook for ransomware. I want you to think about your data incident response and consider scenarios ahead of time so that you avoid the steep learning curve in the moment of crisis. Will your executives and board want to pay the ransom or not? If they choose to pay, how will you do it? Another significant consideration in this is the involvement of law enforcement. Will you involve the FBI when you discover an attack? This is the right thing to do from my perspective. Remember that making a payment in furtherance of criminal activity is technically a violation of US anti-bribery laws.
The Office of Foreign Asset Control or OFAC at the United States Department of State require a company that pays to complete some paperwork, which is another good reason to involve the FBI. They can help you with the recording process and help you manage this situation. In addition, anyone involved in paying the ransom could incur criminal liability personally if this process is not done correctly. Work with your legal team ahead of time, but these are things you need to think about before your data gets locked up.
When you complete your robust ransom response plan, then practice it through exercises. Make this more than just a technical exercise, by the way. The real threat to your organization is about your disrupted operations and the reputation of your organization. Play the complete response from a reputational crisis management standpoint. Third, take the appropriate cybersecurity measures to meet an active and present threat.
Your cybersecurity program has to do more than just keep you in compliance with HIPAA, ISO 27001, high trust, direct trust, PCI, or any other standard that you’re choosing to follow or that you’re forced to follow. As valuable as all these standards are, you need to weave cyber security into the fabric of your company’s culture. You already know the tools, but you have to use them. Firewalls, reputable antivirus protection, disabling all unnecessary remote connections, filtering and scanning incoming email for common troublemakers, macro-enabled executables.
Phishing. Run phishing campaigns inside of your organization to detect weak spots. Reveal hidden extensions, invest in security information event management, which can help you detect anomalies within your network. Implement a whitelisting/safe listing protocol particularly around sensitive information, and stay up to date with security patching. These steps are all on the technology side of ransomware protection, but even more important to you is on the people side, on the human side. Staff’s the weakest link, but it’s also your first line of defense. Train all your staff regularly on the dangers of malware and ransomware. Let them know how easily bad actors can infect their devices in your entire network and reiterate what staff should and should not do.
Make sure you use strong passwords that are changed regularly. Question the legitimacy of emails. Create a social media policy to limit what information spear-phishers can gather about your employees and executives. Don’t open unknown email attachments. Don’t click links in emails from unknown sources. Don’t open emails in your spam folder from unknown sources and make sure to conduct ethical social engineering tests frequently so everyone in your company keeps their threat awareness sharp.
Usually, ransomware events appear in the news after the fact, but that doesn’t mean that you can’t get a good look around the corner at potential threats and deterrents. Consider subscribing to the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency, CISA, FBI, NIST, and other cyber intelligence bulletins to understand current thinking.
Help your leadership decide now before an attack where they stand and what your plan is to manage and survive ransomware and other data incidents that threaten your organization’s operations and can harm your reputation. If here at Bryghtpath if we can help you with any of these efforts, including building your ransomware playbook, don’t hesitate to reach out at bryghtpath.com/contact. That’s it for this edition of the Managing Uncertainty Podcast. We’ll be back next week with another new episode. Be well.