Best practice to limit ransomware damage
Ransomware attacks have become the world's most pervasive cyberthreat, with severe consequences in 2021 for businesses ranging from one of the world's largest meatpacking companies to the pipeline that provides much of the fuel for the eastern US.
The problems are worsened by the growing practice amongst attackers of extracting companies' confidential data and storing it away before locking up a victim's network. Victims that balk at paying the ransom are then threatened not only with being unable to access their data and systems but also with sitting by helplessly while their confidential files are released to the world — and rivals.
"Ransomware is now becoming a concept of double extortion," said Allison Davis Ward, CPA, a partner with CapinTech, a division of CapinCrouse LLP headquartered in Indianapolis, Indiana in the US. "The implications of not having the controls in place to recover from it and prevent it are hugely impactful."
Ward said the risks from ransomware attacks are spurring companies to beef up their cyber resilience, which she describes as the combination of prevention and detection controls that give companies the ability to quickly recover.
"Having management understand that is really the first step because they will be able to support IT and your cybersecurity group," Ward said.
With so many cybercriminals concluding that computer crime does pay, businesses are under more pressure than ever to stay alert.
What's more, the ransomware problem seems to be getting worse. IBM Corp. recently said that ransomware has become the worst malware threat for businesses, representing 23% of the attacks in its sample. For example, an attack that hit hundreds of businesses during the Fourth of July holiday weekend in the US made a supply chain intrusion through software provided by Kaseya Ltd. The attack was the latest in a series of reminders of the growing risks from ransomware.
The global average cost to remediate a ransomware attack in 2020 was $761,106, according to a report by British IT security company Sophos.
"Organisations need to continue evaluating the true nature of the risk of a ransomware attack," said Steven Ursillo Jr., CPA/CITP, CGMA, a partner with Cherry Bekaert LLP in West Warwick, Rhode Island in the US.
The evaluation should start with a look at an organisation's overall governance plan for its cybersecurity and then proceed to an examination of how computer networks and individual systems are protected from outside attacks. Organisations then need to look at the vulnerabilities in their technology supply chains and how they can respond to the weaknesses.
In addition, organisations need to assume that they are currently under attack and that an adversary has already breached the perimeter. They should have the systems and controls in place to identify any anomalies or indicators of compromise as attackers attempt to move laterally within the environment. Having a well-defined incident response plan will also be a key driver for successful recovery.
Businesses should also educate their staffs about the risks from phishing attacks (see the sidebar, "Employees Are a Vital Resource in the Fight Against Ransomware").
"The access point of these attacks is invariably through some degree of social engineering or phishing email," said Brian Lord, the CEO of London-based cybersecurity consulting firm Protection Group International Ltd. "It's always the case."
The perpetrators of ransomware attacks are "very agile in the way in which they deploy the campaigns, and they're looking for new and emerging ways to get in", Ursillo said. The hackers' resourcefulness means businesses must regularly review their information security environment, where data enters the systems, where and how it's processed, and where the data goes.
Lord advised businesses to start securing their networks by reviewing their information technology architecture and then determining the systems that are the most valuable and in need of the most sophisticated protection. The next step consists of ensuring that there is a rigorous patching regime to ensure that updates from providers are quickly applied.
"You need to apply security updates to anything and everything you have tied to the internet," Ward said.
Lord said that each time a vulnerability becomes known (through research or an attack) vendors are fairly quick in writing the updates and patches to their software to close the vulnerability that was exploited. Delayed patching leaves an open door for attackers; quick patching forces attackers to find new vulnerabilities.
Lord advised companies to focus their security efforts on their most valuable systems and data and not try to build massive, impenetrable barriers around every server and program.
"You identify the critical systems, or critical data, and you start protecting those incredibly well," Lord said, explaining that in most cases, the more difficult a company makes it for a hacker to attack its systems, the more likely it is that the hacker will give up and move its focus to another network.
"Other than specifically targeted attacks, most cybercriminals are opportunists. If they find an organisation difficult to breach, they will move on," Lord said, in reference to hackers' efforts to breach individual networks.
"The first time mainstream cybercriminals come across a company which has actually got some decent protection in place, it becomes too much hard work, and they will go somewhere else," Lord said.
Ward said that contracting out a portion of an IT network to a third party doesn't relieve executives and partners of the responsibility for supervising their systems. "You have to take ownership and responsibility of managing that relationship and ensuring they're doing what they need to do," she said.
Ursillo said businesses must understand how hackers can raid their systems, and he recommended that businesses make sure they have thought through their security architecture and require users to log on with multifactor authentication with least-privilege access control policies.
In addition, businesses must do more than rely strictly on the defences to their networks' perimeters and must also review their threat-detection software. They then need to assess how they can retrieve data that has been targeted in an attack and determine if they can retrieve it independently of the systems the attackers locked.
Lord said that critical data and systems should be backed up, protected, and segregated so that if a company's production systems are disabled by a ransomware attack, the company can continue to operate. Hackers have become more sophisticated over the years and have learned how to encrypt nonsegregated, backed-up data as well as the live production systems.
Ward said businesses are being advised to configure backup systems to ensure they are segmented properly from their production environment, or air-gapped, as an extra measure of protection. That type of configuration will stop the attackers from blocking access to the backup data at the same time they shut down the production network.
"The reality is it's a matter of when, not if" a business will be hit by a ransomware attack, Ward said. "No industry is safe. We've seen time and time again that every industry can be targeted. So, it's important for you to make the investment so that you can put yourself in a position to minimise the impact of an attack."
Arguably one of the most difficult challenges any victim of a ransomware attack has to confront is whether it should pay the ransom. Law enforcement agencies such as the US Federal Bureau of Investigation and some of its foreign counterparts advise against it. In October 2020, the US Treasury Department's Office of Foreign Assets Control issued an advisory that said victims of ransomware attacks could themselves have a legal liability if it's determined that the ransom they paid winds up being used for criminal activity.
Lord said that while that was a correct principle, any organisation that has been hit still needs the freedom to make the decision that fits its situation.
"The challenge for management and directors, should the company's leadership decide to pay, is to have a sound justification for their decision that can be presented to the general public, customers, suppliers, shareholders, and regulators," he said. "We also ensure that our clients' leadership test this aspect of incident response in scenario-based exercises because the first time an organisation considers the complexity of such issues shouldn't be when it's happening for real against a ticking clock."
Joseph Radigan is a financial writer based in the US. To comment on this article or to suggest an idea for another article, contact Ken Tysiac, FM magazine’s editorial director, at Kenneth.Tysiac@aicpa-cima.com.
Employees are a vital resource in the fight against ransomware
Although ransomware’s emergence as a favourite tool of cyberattackers is somewhat new, one of the most important tactics for preventing a breach has been a cybersecurity staple for years.
Experts say that ransomware attackers often gain access to systems by tricking unwitting employees into letting them in. Ransomware is best stopped at the door, and everyone with access to systems needs to be ready to perform their duties related to cybersecurity.
It’s most important to train employees to recognise unsafe links and avoid clicking on them or opening them. In fact, it may be best to avoid clicking any links that are sent to you, unless they are coming from a familiar source and you are expecting them. Other tips include:
- Insist that employees use their business email accounts for work-related purposes, as these should be better protected than their personal email accounts. They should also be suspicious of messages from vendors or business contacts that come from personal accounts rather than business
- Instruct employees to watch for misspellings, unusual punctuation, and poor grammar, as these may be clues that an email is coming from a nefarious source.
- Restrict online visits to websites that employees are familiar with and are known to be safe. Ransomware can be spread through a process known as “drive-by downloading”, which occurs when a user visits an infected website, according to the information security office at the University of
California at Berkeley.
- Require employees to notify the IT department promptly if they accidentally click on a hazardous link or otherwise suspect that they may have exposed the company to a breach. If an attack is identified quickly, IT may be able to minimise or reduce the damage.
— By Ken Tysiac
“Cyberattacks Stemming From Software on the Rise”, FM magazine
“Stay Vigilant Against These 5 Data Security Risks”, FM magazine
“Why CFOs Need More Cybersecurity Vigilance”, FM magazine
AICPA Cybersecurity Resource Center
CONFERENCE: Dec. 5–8, Nashville, Tennessee. Digital CPA is for practitioners curious about
technology and its impact on the accounting landscape. You’ll earn up to 19 CPE credits, network with peers, and get the content you need to be future-ready.
Cybersecurity Fundamentals for Finance and Accounting Professionals Certificate
CPE SELF-STUDY: This certificate programme covers several cybersecurity topics to help you gain an understanding of the importance and impact of cybersecurity risks on your organisation or client, including an introduction to the AICPA’s cybersecurity risk management reporting framework.