It’s not a matter of whether it will happen, it’s a matter of when it will happen
What would happen if suddenly and without warning, your customer’s organization couldn’t access their data because it had been encrypted by a criminal organization? Could they survive relying on pen and paper for a while? Would they go out of business if the data was never fully retrievable? Even if they could restore their systems and data, what would it mean to their annual profitability? How would they reassure their customers and regulators their data is safe if they can’t access it themselves?
The sad truth is, ransomware has become one of the top 5 cyber threats for small to medium enterprises according to Verizon. Organisations of this size tend to hold lots of valuable data, especially if they are in retail or healthcare, but often lack the IT budgets and resources of a large enterprise. This makes them the perfect target for criminal organisations. With every day that passes, these criminal organisations become more active and more sophisticated. Experts have estimated that a ransomware attack occurs every 40 seconds worldwide. 47% of businesses have been affected by ransomware and infection rates are growing steadily. Therefore, if an organisation isn’t already taking steps to protect itself against ransomware, it is only a matter of time before it is forced to react to a breach. Studies have shown that 50% of companies that lost their data for 10 or more days filed for bankruptcy immediately and a further 43% filed for bankruptcy within one year.
Knowing your enemy is half the battle
Ransomware is a form of malware. Malware is harmful to an organisation because it:
- Causes devices to become locked or unusable.
- Steals, deletes or encrypts data.
- Takes control of devices to attack other organisations.
- Obtains credentials that give access to an organisation’s sensitive systems and services, which are then abused for, amongst other things, ‘mining’ cryptocurrency.
- Tries to spread to other machines on the network, as the WannaCry malware that impacted the NHS in May 2017 did.
Ransomware relies on delivering an initial payload. Usually victims are tricked into opening an infected email attachment or clicking on a link. This triggers the malicious software to install itself and start encrypting data. Ransomware doesn’t care whether the victim already encrypts their own data: it will happily encrypt files that the organisation has itself lawfully encrypted, layering the attacker’s key on top, so that the data is unusable to the victim without that key.
With the data encrypted or access to the device locked, the ransomware then demands that the victim pay a ransom (in the form of a cryptocurrency such as Bitcoin) to return things to normal. Sometimes the cyber criminals behind the ransomware will also threaten to publish or delete the data if payment is not forthcoming.
The reasons why ransomware is challenging for your customers
Denial / It won’t happen to me syndrome.
One of the first challenges organisations have is understanding just how vulnerable they are to ransomware. This is where you can make a huge difference. By guiding, explaining and educating organisations, you can become a trusted advisor for combatting ransomware.
Ransomware is continually evolving.
There isn’t just one type of ransomware. So, even if you implement a ransomware solution, it is not a case of walking away and thinking the job is done. Again, this is another area where you can step in and provide your expertise in the form of managed services to help organisations maintain a strong cyber posture against ransomware.
Ransomware is driven by criminal organisations with lots of resources.
Cyber criminals often conduct their activities like professional organisations with common goals and objectives. They are well resourced and highly motivated with access to exceedingly skilled criminal experts.
Organisations have many more attack surfaces.
Mobile devices, IoT sensors, connected devices, smart screens, mobile field units, etc. For a cybercriminal, each device could have an exploitable vulnerability and therefore represents a way into the organisation. You can play an important role in firstly identifying the devices an organisation has interacting with its IT estate. Secondly, it’s about closing the door on vulnerabilities and making devices much harder to exploit.
Combatting ransomware requires a cultural change in most organisations.
Employees need a constant programme of education and reinforcement, so they can better identify cyberthreats.
Ransomware detection is hard.
Cyber criminals deliberately design their ransomware so that the delivery and execution of the payload go undetected for as long as possible; by the time a ransom note appears, the encryption is already done. This is where the right cybersecurity tools play a critical role: tools that watch for the behaviour of ransomware (large numbers of files being rewritten or renamed in a short time) rather than relying only on signatures of previously seen samples.
The methodology for combating ransomware
Every battle is won before it is fought
To start building your own capability around ransomware, you first need to follow a sound methodology and framework. This gives you a structure to assess an organisation and develop a clear understanding of how vulnerable it is to a ransomware attack. Only when you have done a detailed assessment can you start to deploy technology to prevent, detect and remediate ransomware. TD SYNNEX recommends adopting the NCSC (UK National Cyber Security Centre) methodology.
How to develop a ransomware solution for your customers
To prevent attacks from happening, you first need to understand your risks, attack surface and weak spots. In this phase, defensive solutions are deployed to harden infrastructure and reduce its attack surface. Security software is deployed, vulnerabilities are patched, employees are trained, and the security culture of an organisation is generally improved.
Cyber criminals can cause more damage the longer it takes to detect them. When an incident occurs, you need to be able to quickly recognise, isolate and contain it. The infrastructure needs to be carefully monitored for signs of intrusion or other suspicious behaviour.
Once you’ve detected and responded to a security incident, it’s time to mitigate the damage, analyse and learn. Forensic evidence is examined to determine how the breach happened and what impact it had on systems, data and infrastructure. An incident response process is initiated to restore the environment to a known-good state and to fix any security problems found; in practice, restoring means rebuilding affected systems and recovering data from backups that the attacker could not reach and that were tested before the incident, so the backup regime belongs in the prevention phase, not the recovery phase. The findings of this phase are, in turn, fed back into the next assessment and prevention phase, and the cycle continues.
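The detection phase above says infrastructure must be monitored for suspicious behaviour, and the earlier section notes that ransomware is built to evade signature-based detection. The following Python is an added example of what behavioural detection looks like in code; it is not code from the original page or from TD SYNNEX. It assumes a simple file-activity event schema (host, user, operation, path, content), two heuristics chosen for illustration (high-entropy writes and renames that append a new extension), and thresholds (20 events in 60 seconds, entropy of 7.0 bits per byte) that a real deployment would tune. The sample log is constructed inline: one benign user saving documents and a photo, and one workstation rewriting and renaming fifteen documents in a few seconds.

```python
"""Behavioural ransomware detection over a constructed file-activity log.

Added example for the "detect" phase; not code from the original page or
from TD SYNNEX. Event schema, heuristics, thresholds and sample events are
all assumptions made for illustration.
"""
import math
import random
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class FileEvent:
    """One file-system audit record (constructed schema, not a real product's)."""
    ts: float            # seconds since epoch
    host: str
    user: str
    op: str              # "write" or "rename"
    path: str
    data: bytes = b""    # content written (empty for renames)
    new_path: str = ""   # target name for renames


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious(ev: FileEvent, entropy_min: float) -> bool:
    """Heuristics (assumptions): a write is suspicious when its content looks
    encrypted; a rename is suspicious when it keeps the original name and
    appends a new extension, e.g. invoice.docx -> invoice.docx.locked."""
    if ev.op == "write":
        return shannon_entropy(ev.data) >= entropy_min
    if ev.op == "rename":
        return ev.new_path.startswith(ev.path) and ev.new_path != ev.path
    return False


def detect_encryption_bursts(events, window_s=60.0, burst=20, entropy_min=7.0):
    """Raise one alert per (host, user) the first time that principal produces
    `burst` or more suspicious events inside a sliding window of `window_s`.
    Returns a list of (host, user, first_ts, last_ts, count) tuples.

    A single high-entropy write (a photo, a zip) never trips the detector on
    its own; the rate of such events is what is characteristic of ransomware."""
    recent = defaultdict(deque)   # (host, user) -> timestamps of suspicious events
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_suspicious(ev, entropy_min):
            continue
        key = (ev.host, ev.user)
        q = recent[key]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window_s:   # drop events that left the window
            q.popleft()
        if len(q) >= burst and key not in alerts:
            alerts[key] = (ev.host, ev.user, q[0], ev.ts, len(q))
    return list(alerts.values())


def build_sample_events():
    """Constructed sample log: one benign user and one infected workstation."""
    rnd = random.Random(1234)   # seeded so the 'encrypted' bytes are reproducible
    text = b"Minutes of the board meeting, 12 March. Actions agreed: " * 40
    events = []
    # Benign: bob saves a few documents and one photo over five minutes.
    for i in range(5):
        events.append(FileEvent(1000 + 60 * i, "WKSTN-03", "bob", "write",
                                f"C:\\Users\\bob\\Documents\\notes{i}.txt", text))
    events.append(FileEvent(1130, "WKSTN-03", "bob", "write",
                            "C:\\Users\\bob\\Pictures\\holiday.jpg", rnd.randbytes(4096)))
    # Malicious: alice's workstation rewrites and renames 15 documents in six seconds.
    for i in range(15):
        doc = f"C:\\Users\\alice\\Documents\\invoice{i}.docx"
        events.append(FileEvent(1200 + 0.4 * i, "WKSTN-07", "alice", "write",
                                doc, rnd.randbytes(4096)))
        events.append(FileEvent(1200 + 0.4 * i + 0.1, "WKSTN-07", "alice", "rename",
                                doc, new_path=doc + ".locked"))
    return events


def run_demo():
    alerts = detect_encryption_bursts(build_sample_events())
    for host, user, first, last, count in alerts:
        print(f"ALERT {host}\\{user}: {count} encryption-like file events "
              f"in {last - first:.1f}s")
    return alerts


if __name__ == "__main__":
    run_demo()
```

Run as-is and the only alert is for alice on WKSTN-07, raised at the twentieth suspicious event, a few seconds into the burst and long before all fifteen documents have been encrypted; bob's single high-entropy photo is classed as suspicious but never reaches the burst threshold. The two heuristics are deliberately simple stand-ins for what a commercial tool does; the point is that they key on what ransomware must do (rewrite many files with unreadable content, quickly) rather than on what a particular sample looks like.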