The proliferation and severity of ransomware attacks are largely attributable to organizations’ inadequate security controls. Companies in the middle market are targeted because they possess a substantial amount of valuable data but lack the protective controls and personnel of larger organizations.
According to a recent RSM survey, 62% of mid-market companies believe they are vulnerable to ransomware in the next 12 months. Leaders’ attitudes toward cybersecurity range from “top of mind” to “this gives me severe migraines.”
As ransomware continues to be the preferred method for actors to monetize their access, there is an urgent need to understand organizational levels of preparedness and to identify and remedy gaps before an attacker exploits them.
By following the NIST Cybersecurity Framework (CSF) and asking, “Do we have something like this in place?” for each of its five core functions (“Identify,” “Protect,” “Detect,” “Respond,” and “Recover”), lean cybersecurity teams can quickly assess their ransomware readiness.
Identify
Asset management is the process of identifying your organization’s essential assets, where they are located, who owns them, and who has access to them. Data must be classified before access to it can be governed, and the organization benefits from ensuring that data’s integrity. Depending on its classification, only a subset of an organization’s data requires confidentiality protection; controls that ensure the utility and veracity of data provide real value to an organization.
Protect
Identity is a type of data that specifies the relationship between an individual and an organization. It is validated through credentials (a username and password), and a security event becomes an incident once those credentials are compromised: with them, a threat actor can install ransomware on your computers. According to the Microsoft Defender Report 2022, basic security hygiene, namely Multi-Factor Authentication (MFA), applying zero-trust principles, keeping software up to date, and utilizing extended detection and response anti-malware, still protects against 98% of attacks.
Another important aspect of protecting identities is training employees to recognize malicious attachments and links. When running breach simulations, reward the employees who performed well rather than punishing those who did not; conducted improperly, breach simulations can severely erode employee confidence in the organization.
Good data security can safeguard your data from ransomware and enable you to recover from an attack. This involves implementing access management, encryption, and backups. Despite the apparent simplicity, many organizations fall short in at least one or two of the aforementioned areas. Under the “Protect” function of the NIST CSF, additional controls include vulnerability management, URL filtering, email filtering, and restrictions on the use of elevated privileges.
It is essential to restrict software installation: if users cannot install software, they cannot install ransomware. However, some ransomware exploits existing vulnerabilities that allow an elevation of privileges, thereby circumventing the installation restriction.
A further control under the “Protect” function of the NIST CSF is policy enforcement. Policy enforcement software reduces the number of personnel required to implement controls such as restricting use and installation to authorized software only, or restricting the use of elevated privileges.
Detect
Technologies that address the requirements for controls under this function can make a difference, but only in conjunction with a human component. The relevant technologies include User and Entity Behavior Analytics (UEBA), Centralized Log Management (CLM), Threat Intelligence (TI), and endpoint, extended, and managed detection and response (EDR/XDR/MDR).
Good UEBA can easily detect ransomware because ransomware performs actions that no legitimate software would. UEBA only detects ransomware; it cannot prevent or eliminate it. Prevention requires additional software, such as anti-phishing, continuous security monitoring, and EDR/XDR/MDR. According to IBM’s Cost of a Breach 2022 report, organizations with XDR technologies detected and contained a breach 29 days faster than organizations without XDR. Organizations with XDR also saw a 9.2% reduction in the cost of a data breach, which may seem like a small improvement, but with an average data breach costing USD 4.5 million, that is a savings of nearly USD 500,000.
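The kind of behaviour a UEBA rule keys on, as an added example that is not code from the article or from Cynet: a sliding-window rule over file-activity events that alerts when one process renames an unusual number of files to a new extension within a short period, while a legitimate bulk writer that keeps extensions intact (a backup agent, for instance) stays quiet. The event format, the process names, the thresholds, and the sample log are all constructed for this illustration.

```python
"""Behavioural detection of a file-rename burst over file-activity events.

Added example, not code from the article or from Cynet. The event format,
process names, thresholds and the sample log below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Iterable, Optional


@dataclass(frozen=True)
class FileEvent:
    ts: float                       # seconds since epoch (constructed values)
    host: str
    process: str
    action: str                     # "write", "rename" or "delete"
    path: str
    new_path: Optional[str] = None  # only present for renames


def parse_event(line: str) -> FileEvent:
    """Parse one pipe-delimited line of the constructed format: ts|host|process|action|path|new_path."""
    fields = line.strip().split("|")
    ts, host, process, action, path = fields[:5]
    new_path = fields[5] if len(fields) > 5 and fields[5] else None
    return FileEvent(float(ts), host, process, action, path, new_path)


def extension_changed(ev: FileEvent) -> bool:
    """True when a rename gave the file a different extension."""
    if ev.action != "rename" or ev.new_path is None:
        return False
    return PurePosixPath(ev.path).suffix != PurePosixPath(ev.new_path).suffix


def detect_rename_bursts(events: Iterable[FileEvent], window_s: float = 60.0,
                         min_files: int = 20, min_ext_changes: int = 10) -> list:
    """Alert once per (host, process) whose window holds at least `min_files`
    distinct files of which at least `min_ext_changes` changed extension.
    The second threshold is what keeps a backup agent or compiler, which touches
    many files but leaves their extensions alone, from tripping the rule."""
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.process)
        q = windows[key]
        q.append(ev)
        while ev.ts - q[0].ts > window_s:      # drop events older than the window
            q.popleft()
        distinct = {e.path for e in q}
        ext_changes = sum(1 for e in q if extension_changed(e))
        if key not in alerted and len(distinct) >= min_files and ext_changes >= min_ext_changes:
            alerted.add(key)
            alerts.append({
                "host": ev.host, "process": ev.process,
                "distinct_files": len(distinct), "extension_changes": ext_changes,
                "first_seen": q[0].ts, "last_seen": ev.ts,
            })
    return alerts


# Constructed sample log: a user saving one document, a backup agent copying
# 25 files (many files, no extension change), and an unknown process renaming
# 24 documents to a new extension within 12 seconds.
SAMPLE_LOG = (
    [f"{1700000000 + 30 * i}|ws-17|winword.exe|write|/home/ana/docs/q3-report.docx|" for i in range(3)]
    + [f"{1700000010 + i}|ws-17|backupagent.exe|write|/backup/ws-17/item{i}.bak|" for i in range(25)]
    + [f"{1700000100 + i // 2}|ws-17|updsvc.exe|rename|/home/ana/docs/doc{i}.docx|/home/ana/docs/doc{i}.docx.locked"
       for i in range(24)]
)


def run_sample() -> list:
    """Run the rule over the constructed log; only the renaming process should alert."""
    return detect_rename_bursts(parse_event(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The rule is deliberately narrow: it fires on the first window that satisfies both thresholds and then stays silent for that process, so a SOC sees one alert per host and process rather than one per file. Real UEBA products layer several such indicators (entropy of written data, deletion of shadow copies, volume of files touched per minute) and baseline each user and host before scoring.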
Respond
No matter how effective the organization’s controls and tools are, something will always require a human response. Having an incident response plan and testing it reduces the average cost of a data breach by USD 2.66 million, according to the same IBM report.
Additional controls can maximize your ransomware preparedness: having communication templates (to ensure the team knows what, how, and who to contact during an incident), performing mandatory event analysis, and deploying Security Orchestration, Automation, and Response (SOAR) technology as a standalone product or as a native component of an XDR solution.
Recover
Having a recovery plan, immutable cloud backups, and an incident communications plan are the three most important controls for maximizing your organization’s ransomware preparedness.
In the event of a breach, a ransomware recovery plan must include the means to recover encrypted data, reestablish operational systems, and restore customer trust.
Ransomware functions by preventing access to data. If the data can be recovered from a device that the ransomware did not reach (an immutable backup), the recovery process can be quick and relatively inexpensive. According to the Microsoft Defender 2022 report, 44% of ransomware-affected organizations lacked immutable backups.
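One check a practitioner wants before relying on a backup for recovery, serving both the “Identify” section’s point about data integrity and the immutable-backup point above, as an added example that is not code from the article or from Cynet: record a SHA-256 manifest of the backup set when it is written, then verify the set against that manifest before restoring, so that a copy the ransomware was able to reach and overwrite is caught rather than restored. The directory layout, file contents, and simulated tampering are constructed for the demonstration, and the manifest is held in memory here; in practice it belongs somewhere the backup host cannot write.

```python
"""Verify that a backup set is intact before it is trusted for a restore.

Added example, not code from the article or from Cynet. Directory layout, file
contents and the simulated tampering are constructed for this demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large backups never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> Dict[str, dict]:
    """Map every file under backup_dir (relative POSIX path) to its size and hash."""
    manifest = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(backup_dir).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_backup(backup_dir: Path, manifest: Dict[str, dict]) -> dict:
    """Compare the directory to the manifest recorded when the backup was taken.
    Anything modified, missing or unexpected means the set must not be restored as-is."""
    current = build_manifest(backup_dir)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {"ok": not (modified or missing or unexpected),
            "modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> Tuple[dict, dict]:
    """Record a manifest for a clean backup and verify it, then simulate a reachable
    (non-immutable) copy being overwritten and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "finance").mkdir()
        (backup / "finance" / "ledger.csv").write_bytes(b"account,balance\n1001,250.00\n")
        (backup / "hr").mkdir()
        (backup / "hr" / "roster.txt").write_bytes(b"ana\nbo\n")
        manifest = build_manifest(backup)          # taken at backup time
        clean = verify_backup(backup, manifest)

        # Simulated tampering (constructed): one copy overwritten with random
        # bytes, the way an encrypted file looks, and one stray file added.
        (backup / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        (backup / "finance" / "note.txt").write_bytes(b"stray file")
        tampered = verify_backup(backup, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup verifies:", before["ok"])
    print("after tampering:", after)
```

The manifest only proves anything if it is trusted independently of the backup: keep it on object-locked storage or a host with no write path from the backed-up systems, and treat a failed verification as a signal to fall back to an older, immutable copy rather than to restore and hope.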
By providing mechanisms for rapidly alerting and coordinating internal and external stakeholders while monitoring customer sentiment, an incident communication plan improves an organization’s ability to respond and mitigate reputational damage.
Cynet provides a quick, NIST-based ransomware readiness assessment as well as a deeper dive into the core functions to aid cybersecurity leaders in building ransomware resilience.
Download Cynet’s Ransomware Readiness Assessment to assess the resilience of your security controls.