The pandemic has had a major impact on almost every aspect of our society and left many organizations susceptible to increasingly sophisticated ransomware attacks.
In this interview with Help Net Security, David Taylor, managing director, Incident Response, Technology Consulting at Protiviti, explains why ransomware attacks are so common and effective, what makes organizations vulnerable to such attacks and what they can do to better protect themselves.
Ransomware attacks have almost become a norm and are getting more sophisticated and disruptive. Why do you think this is so?
Ransomware and extortion attacks are economically rational crimes. This phenomenon exists because the attacker gets paid with little risk. The greater disruption and fear they cause, the more likely they are to monetize their effort.
We have seen attackers adapt to increasing security efforts. Once endpoint detection and response tools became more common among high-value targets, attackers shifted from autonomous malware to attacker-driven intrusion. From this move of necessity, they innovated to data theft and extortion.
As the ransomware ecosystem diversifies, groups are specializing in portions of the attack: finding identities to exploit for access; applying access to target companies; delivery of a sophisticated ransomware payload; and the auction of stolen data. Given that ransomware is so economically rational, it’s to be expected that the threat actors are hoarding data even if the ransom and/or extortion is paid.
When ransomware and extortion are no longer viable, there will be identity theft, fraud and second round extortion – especially for those who did not disclose the first event.
What can organizations do to better protect themselves from a ransomware attack or at least minimize the impact?
Look outside your organization to anticipate threats in the environment. Assess your own capabilities and adjust to the current threat. Reach broadly for intelligence sources including social media and the Dark Web. Be ready to redesign defenses within the business context to counter prioritized threats.
Consider focusing on properly implementing a best practice security framework (e.g., NIST CSF, ISO 2700X, CIS), perform regular security assessments, and practice organizational responses to ransomware via regular tabletop exercises. This can provide organizations with a cost-effective strategy for effective ransomware preparedness.
Budget is often a big hurdle when implementing a successful security program. How can security leaders make the C-suite understand its importance and the long-term benefits of such a program?
Involving the C-suite and the board in the security stance of a company is an important part of ensuring that security is not seen as only an IT problem. Company executives benefit from understanding the risks faced by the company, the tools required for a proper defense, and the personnel required to adequately staff security teams. Security program leaders can work to engage the C-suite in the following key activities:
- The risk assessment process – The C-suite should be included in the risk assessment process and review the results. With knowledge of key issues facing the company, better security program decisions, including funding, can be made.
- Acquisition of security tools – Ensure the C-suite is informed of the process for acquiring tools to address risks identified in the risk assessment process. Learn to explain the benefits of security tools and practices in terms of business risk and business operations. Enlisting the C-suite and board can drive investment into reducing risk through rational investments tied to risk.
- Talent management – There is a war for security talent. It’s more expensive than ever for an organization to lose and then replace needed employees. Security professionals are in high demand and as a result it’s imperative for companies to keep their security teams intact. The C-suite should be involved in understanding the needs of security team professionals and ways the organization can recruit and retain talent.
Hybrid work has involuntarily (or not) opened many doors to cybercriminals. Could this have been prevented or was it too quick of a shift to take the necessary precautions in time?
A disruptive event like the COVID-19 pandemic created a situation where many companies and their security teams had to change how they operated overnight. For companies that were not already supporting a predominantly remote workforce, the effort to address the new risk landscape was extensive.
Compounding the issue is a severe lack of skilled people to fill open cybersecurity vacancies at many companies. This scenario creates risk for companies and opportunity for cybercriminals.
How do you approach clients when suggesting a security program? What are their biggest concerns?
When building (or evolving) a security program for an organization, it’s important that the program be ‘fit for purpose.’ The security program should consider the following to drive the level of maturity and capability:
- What is the overall risk profile of the organization? One that is conservative and risk averse may require more investment and robust capabilities to manage relevant security risks.
- What are the organization’s relevant regulatory obligations? Those in more heavily regulated industries, or that handle sensitive information, will have stricter security and privacy requirements that will inform the approach to building an appropriate security program.
- Can security be a business differentiator? Companies may find a competitive advantage in developing robust security capabilities relative to their competitors.