Best practice to limit ransomware damage
Ransomware attacks have become the world’s most pervasive cyberthreat, with severe consequences in 2021 for businesses ranging from one of the world’s largest meatpacking companies to the pipeline that provides much of the fuel for the eastern US.
The problems are worsened by the growing practice amongst attackers of extracting companies’ confidential data and storing it away before locking up a victim’s network. Victims that balk at paying the ransom are then threatened not only with being unable to access their data and systems but also with sitting by helplessly while their confidential files are released to the world — and rivals.
“Ransomware is now becoming a concept of double extortion,” said Allison Davis Ward, CPA, a partner with Capin Tech, a division of CapinCrouse LLP headquartered in Indianapolis, Indiana. “The implications of not having the controls in place to recover from it and prevent it are hugely impactful.”
Ward said the risks from ransomware attacks are spurring companies to beef up their cyber resilience, which she describes as the combination of prevention and detection controls that give companies the ability to quickly recover.
“Having management understand that is really the first step because they will be able to support IT and your cybersecurity group,” Ward said.
With so many cybercriminals concluding that computer crime does pay, businesses are under more pressure than ever to stay alert.
What’s more, the problem seems to be getting worse. IBM Corp. recently said that ransomware has become the worst malware threat for businesses, representing 23% of the attacks in their sample. For example, an attack that hit hundreds of businesses during the July Fourth holiday weekend in the US made a supply chain intrusion through software provided by Kaseya Ltd. The attack was the latest in a series of reminders of the growing risks from ransomware.
The global average cost to remediate a ransomware attack in 2020 was $761,106, according to a report by British IT security company Sophos.
“Organisations need to continue evaluating the true nature of the risk of a ransomware attack,” said Steven Ursillo Jr., CPA/CITP, CGMA, a partner with Cherry Bekaert LLP in West Warwick, Rhode Island.
The evaluation should start with a look at an organisation’s overall governance plan for its cybersecurity and then proceed to an examination of how computer networks and individual systems are protected from outside attacks. Organisations then need to look at the vulnerabilities in their technology supply chains and how they can respond to the weaknesses.
In addition, organisations need to assume that they are currently under attack and that an adversary has already breached the perimeter. They should have the systems and controls in place to identify any anomalies or indicators of compromise as attackers attempt to move laterally within the environment. Having a well-defined incident response plan will also be a key driver for successful recovery.
Businesses should also educate their staffs about the risks from phishing attacks.
“The access point of these attacks is invariably through some degree of social engineering or phishing email,” said Brian Lord, CEO of London-based cybersecurity consulting firm Protection Group International Ltd. “It’s always the case.”
The perpetrators of ransomware attacks are “very agile in the way in which they deploy the campaigns, and they’re looking for new and emerging ways to get in,” Ursillo said. The hackers’ resourcefulness means businesses must regularly review their information security environment, where data enters the systems, where and how it’s processed, and where the data goes.
Lord advised businesses to start securing their networks by reviewing their information technology architecture and then determining the systems that are the most valuable and in need of the most sophisticated protection. The next step consists of ensuring that there is a rigorous patching regime to ensure that updates from providers are quickly applied.
“You need to apply security updates to anything and everything you have tied to the internet,” Ward said.
Lord said that each time a vulnerability becomes known (through research or an attack) vendors are fairly quick in writing the updates and patches to their software to close the vulnerability that was exploited. Delayed patching leaves an open door for attackers; quick patching forces attackers to find new vulnerabilities.
Lord advised companies to focus their security efforts on their most valuable systems and data and not try to build massive, impenetrable barriers around every server and program.
“You identify the critical systems, or critical data, and you start protecting those incredibly well,” Lord said, explaining that in most cases, the more difficult a company makes it for a hacker to attack its systems, the more likely it is that the hacker will give up and move its focus to another network.
“Other than specifically targeted attacks, most cybercriminals are opportunists. If they find an organisation difficult to breach, they will move on,” Lord said, in reference to hackers’ efforts to breach individual networks. Cybercriminals have the entire world as their targets. There are enough unprotected/unpatched victims to exploit.
“The first time mainstream cybercriminals come across a company which has actually got some decent protection in place, it becomes too much hard work, and they will go somewhere else,” Lord said.
Ward said that contracting out a portion of an IT network to a third party doesn’t relieve executives and partners of the responsibility for supervising their systems. “You have to take ownership and responsibility of managing that relationship and ensuring they’re doing what they need to do,” Ward said.
Ursillo said businesses must understand how hackers can raid their systems, and he recommended that businesses make sure they’ve thought through their security architecture and require users to log on with multifactor authentication with least-privilege access control policies.
In addition, businesses must do more than rely strictly on the defences to their networks’ perimeters and must also review their threat-detection software. They then need to assess how they can retrieve data that’s been targeted in the attack and determine if they can retrieve it independently of the systems the attackers locked.
Lord said that critical data and systems should be backed up, protected, and segregated so that if a company’s production systems are disabled by a ransomware attack, the company can continue to operate. Hackers have become more sophisticated over the years and have learned how to encrypt nonsegregated, backed-up data as well as the live production systems.
Ward said businesses are being advised to configure backup systems to ensure they are segmented properly from their production environment, or air-gapped, as an extra measure of protection. That type of configuration will stop the attackers from blocking access to the backup data at the same time they shut down the production network.
“The reality is it’s a matter of when, not if,” a business will be hit by a ransomware attack, Ward said. “No industry is safe. We’ve seen time and time again that every industry can be targeted. So, it’s important for you to make the investment so that you can put yourself in a position to minimise the impact of an attack.”
Arguably one of the most difficult challenges any victim of a ransomware attack has to confront is whether it should pay the ransom. Law enforcement agencies such as the US Federal Bureau of Investigation and some of its foreign counterparts advise against it. In October 2020, the US Treasury Department’s Office of Foreign Assets Control issued an advisory that said victims of ransomware attacks could themselves have a legal liability if it’s determined that the ransom they paid winds up being used for criminal activity.
Lord said that while that was a correct principle, any organisation that has been hit still needs the freedom to make the decision that fits its situation.
“The challenge for management and directors, should the company’s leadership decide to pay, is to have a sound justification for their decision that can be presented to the general public, customers, suppliers, shareholders, and regulators,” Lord said. “We also ensure that our clients’ leadership test this aspect of incident response in scenario-based exercises because the first time an organisation considers the complexity of such issues shouldn’t be when it’s happening for real against a ticking clock.”
— Joseph Radigan is a financial writer based in the US. To comment on this article or to suggest an idea for another article, contact Ken Tysiac, FM magazine’s editorial director, at Kenneth.Tysiac@aicpa-cima.com.