This past weekend, news broke of a global ransomware attack that has struck individuals and companies around the world. In the wake of the attack, which has affected computers in 150 countries, many companies are wondering 1) if they’re going to be hit and 2) what they can do to protect themselves.
The WannaCry ransomware attack still isn’t over, and we’ll see over the coming weeks what the final numbers are. It’s not too late to improve preventative measures for the next wave, which will likely be smarter and even more widespread. The recommendations outlined in this blog are governance procedures. They require neither new investments nor new technology.
As we wrote last April, “it often takes a headline event to galvanize organizations into action.” As your company seeks to protect itself from this latest attack, make sure it takes the eight steps below.
8 Steps to Prevent a Ransomware Attack
1. Ensure Off-Site Backups Are Up to Date
Backing up data with off-site servers is widely considered a best practice. Every organization and industry must determine the optimal frequency and scope of data backups, which depends on the type of information being handled.
The real danger here is the gap between internal policy and actual operations. Any gap puts your company at risk; regular verification of data backups is critical.
Studies have shown that (on average) anywhere from 10-15% of critical organizational data – scheduled for backups – is not actually backed up due to preventable, operational errors. Without backup verification, ransomware attacks can have an enormous impact on business continuity.
2. Implement Windows Patches as They’re Released
The malware used in this weekend’s attack targets organizations that have failed to perform this step. According to CNN, it spreads “by taking advantage of a Windows vulnerability that Microsoft released a security patch for in March.”
The vulnerability wasn’t just detected months ago, it was fixed months ago. Employees around the world have been using computers that simply need to be updated. The fact that those updates weren’t automatically implemented and confirmed is evidence of poor governance, not poor technology.
Your security team likely assesses and approves patches on a regular basis. However, are implementations regularly verified? Often, patches will not deploy to some percentage of servers and users. Without governance (in this case, regular reviews of actual patch deployment), you might have an inaccurate understanding of which vulnerabilities are covered.
Simple operational issues like poorly scheduled machine restarts can block patch deployment. Preventing these vulnerabilities is a straightforward governance activity.
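The verification described above, as an added example that is not from the original post: a PowerShell audit that checks a list of hosts for one Windows update and reports actual coverage, flagging hosts where a pending reboot may be holding the patch back. The KB id and host names are placeholders; substitute the update you are verifying and your own inventory.

```powershell
# Added example: measure real patch deployment instead of assuming it.
# $KbId is a placeholder, not the WannaCry patch id; $Computers is a constructed list.
# Requires remote access rights (WinRM) to the hosts being audited.
param(
    [string]$KbId = 'KB0000000',                           # placeholder KB id
    [string[]]$Computers = @('host-a', 'host-b', 'host-c') # constructed sample inventory
)

$results = foreach ($c in $Computers) {
    try {
        # Get-HotFix errors when the KB is absent or the host is unreachable;
        # both cases are treated as "not covered" for governance purposes.
        $installed = $null -ne (Get-HotFix -Id $KbId -ComputerName $c -ErrorAction Stop)
    } catch {
        $installed = $false
    }
    # A staged update that is still waiting on a restart is not yet protecting the host.
    $rebootPending = Invoke-Command -ComputerName $c -ErrorAction SilentlyContinue -ScriptBlock {
        (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
        (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
    }
    [pscustomobject]@{
        Computer      = $c
        Installed     = $installed
        RebootPending = [bool]$rebootPending
    }
}

$results | Format-Table -AutoSize

# Coverage figure for the governance review: installed hosts over audited hosts.
$covered = @($results | Where-Object Installed).Count
'{0} of {1} hosts ({2:P0}) report {3} installed' -f $covered, $results.Count, ($covered / $results.Count), $KbId

# Hosts that still need attention (missing patch, unreachable, or awaiting restart).
$results | Where-Object { -not $_.Installed -or $_.RebootPending } | Select-Object -ExpandProperty Computer
```

Run it on a schedule and keep the output; the gap between the approved patch list and this report is the figure a governance review should track.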
3. Update Virus Scan Software
Much as Windows releases patches and schedules updates that are not automatically pushed, so too does antivirus software. This leads to a similar problem: your security teams have limited resources and require governance procedures and systems so they can monitor and prioritize automatic alerts. These automatic alerts are critical when verifying that key assets are patched and protected by current virus detection rules.
4. Manage Passwords, Assets, and Access Rights
Some may think passwords and asset management are unrelated to ransomware. However, as we discussed in a prior blog, “How to Eliminate 63% of Your Cybersecurity Vulnerabilities in 90 Days,” everything in security is connected.
Permissions/passwords and asset management are the bridge to access rights, also known as entitlement. The principle of least privilege allows only the assignment of permissions a user needs to perform their job responsibilities.
Most organizations have internal policies, but not an efficient way to operationalize them. Automated governance tasks – such as monitoring the percentage of employees whose access rights comply with policy – are an essential aspect of limiting the spread of a ransomware attack.
Without regular monitoring, the evolution of employee roles and organizational structure can lead to unnecessarily high risk exposure. The technology to accomplish this step exists at almost every organization. Usually, the missing component is effective governance.
Important: Remember that when interacting with vendors and other third parties, you can outsource the process, but you can’t outsource the risk; your vendors must satisfy the same standards you do. Read our blog on the Wendy’s data breach for a more detailed look at what can go wrong.
5. Monitor to Ensure Virtual Private Networks (VPNs) Time Out Automatically
VPNs, which allow employees to access company networks from outside the office, are often kept open too long. Automated monitoring is again the key; VPNs are an integral component of smooth operations, but unless they time out automatically, they can also serve as a conduit for malware and other cyberattacks.
New devices and software are upgraded and introduced constantly. Without monitoring to confirm that policies are adjusted accordingly, unnecessary vulnerabilities will become commonplace over time.
Important: As with Step 4, your company should hold its vendors to the same VPN standards as it does its own employees.
6. Implement Infrastructure/Firmware Updates as Necessary
This ransomware attack took advantage of a Windows vulnerability. Other cyberattacks can also target chinks in your infrastructure’s armor. Obsolete hardware and firmware (e.g. in a firewall or other internet device that has not been updated in a timely manner) can lead to a false sense of security if it is not identified/assessed periodically.
Most employees’ home networking devices have vulnerabilities with freely available (but unused) patches or updates. How many organizations monitor the effectiveness of their security perimeter all the way out to employee and vendor devices?
7. Perform Business Continuity and Disaster Recovery (BC/DR) Testing
Adopting a BC/DR plan sounds like a sufficient action by itself. However, your company must make sure it’s actually able to implement a “clean recovery.” This is another form of governance monitoring. If data were seized by a ransomware attack today, would you be able to restore that data, then rebuild the infrastructure anew and resume meeting business objectives within 48-72 hours?
Most organizations believe the answer is yes, but how many can produce evidence that this verification activity has taken place on an annual basis?
Each application should be evaluated independently, then assigned a recovery time objective (RTO). The RTO is a measure of how long your organization can function (effectively) without that application. The clean recovery timeframe should ideally be smaller than the shortest RTO.
8. Understand what Cyber Insurance actually covers
Cyber insurance is inherently not preventative, unlike the previous seven steps. For this reason, it’s listed last. Insurance typically pays only for the forensic validation of a breach and the associated legal defense costs. Operational and reputational damage are not covered by cyber insurance.
Policies require disclosure and evidence that Steps 1-7 have been conducted on a regular basis. Most companies answer risk assessment surveys positively, not realizing that if an actual cyber breach occurs, insurance will not pay out if answers are negligent (no matter how well-intentioned).
Without evidence for Steps 1-7, the cyber insurance policy is not worth the paper it’s printed on.
The Bottom Line: Avoid the Negative Effects of Ransomware
What’s most important to realize – before taking any reactive action – is that cybersecurity vulnerabilities usually emerge because of governance problems, not security or technology problems. Good governance allows organizations to make cybersecurity policies operational. Sophisticated policies and hardware cannot protect your company if they are not adhered to and implemented correctly.
With enterprise risk management software, each of these steps can be prioritized, automated, and documented, ensuring front-line operations line up with policies designed by security teams and approved by senior leadership.