Ransomware is Harming Cybersecurity Strategy: What Can Organizations Do?
When it comes to cyber-threats, ransomware is increasingly the only show in town. It dominated headlines during 2020 and continues to do so this year, thanks to big-name compromises and growing geopolitical confrontation. Now boardrooms are getting the message. In fact, many are going all out to make sure it doesn’t happen to them. But a myopic focus on ransomware mitigation is not necessarily best for organizations and their customers.
There is no silver bullet solution to the problem, despite what many security vendors will have you believe. Additionally, cyber-insurance policies increasingly come with a lengthy list of conditions. As a result, organizations must instead work the problem from the ground up, with cyber-hygiene and best practices coming first and layered security controls underpinned by unified threat intelligence.
A Blinkered View
Evidence varies, but some estimates claim that ransomware attacks grew year on year by as much as 485% in 2020. We saw major outages cause East Coast fuel shortages, disruption to the meat supply chain and disarray for thousands of global MSP customers—from Swedish supermarkets to New Zealand schools. G7 leaders and NATO raised ransomware as a serious threat. The White House warned Russia that it might take unilateral action against the cybercrime groups said to be given safe harbor by the Putin regime.
Boardrooms are getting the message. They’ve seen time and again the damage ransomware can do to corporate reputation and the bottom line. This goes beyond the ransom itself to include business downtime, customer churn and sapping consumer confidence, lost sales, IT overtime, legal costs, regulatory fines and much more.
What are these issues? They are unpatched vulnerabilities in VPNs, Exchange servers, remote workers’ endpoints and other technologies you rely on. They are weak passwords that allow hijacking of corporate accounts and Remote Desktop Protocol (RDP) endpoints without multi-factor authentication. They are the distracted employees who fall for phishing attacks. And they are unvetted third-party relationships and digital supply chains that allow attackers to gain a foothold in corporate networks.
Senior business leaders are, of course, correct to be concerned about the ransomware threat. But they must also think of the bigger picture. Failure in this area is a symptom of cyber-boardroom misalignment that has long been a problem for CISOs.
One positive to emerge in recent months is an honest debate about the role cyber-insurance should play in mitigating ransomware risk. AXA famously pledged to stop reimbursing its French clients for payments made to cyber-criminals. In the UK, a leading think tank suggested the government consider banning such payments.
Rising premiums may force business leaders to reconsider how they view cyber insurance. It’s no longer a get-out-of-jail-free card. In fact, as insurers become more prescriptive about policyholder environments, the industry could help improve baseline security among a broad sweep of organizations.
Cyber hygiene and best practices are obviously critical, but so is choosing the right technology approach. If there’s no such thing as a silver bullet, where should CISOs focus their extra budgets? Let’s be honest, many are currently flailing at the ransomware “piñata” blindfolded, with one arm tied behind their back. They don’t know how the bad guys will enter networks or what other tactics they can pivot to if a specific attack vector is blocked.
The answer is to layer up best-in-class protection across endpoints, servers, cloud platforms, web and email gateways, and networks. But the secret sauce in all this must be intelligence. It should help organizations understand where their highest risk vulnerabilities are internally. It can also drive visibility into broader threat activity outside the corporate perimeter—whether it’s chatter on dark web forums or new registrations of phishing sites.
With open APIs and automation, organizations can integrate this intelligence seamlessly into their best-of-breed security environment, freeing up analysts to focus on high-value tasks and accelerating detection and response times. For example, a new phishing site IP address could be blocked in minutes before the group behind it has even been able to send your employees scam emails. Likewise, intelligence on new ransomware IOCs could be fed into intrusion prevention tools to enhance resilience before you’re even attacked. The right threat intel can also help red teams probe for weaknesses and proactively build stronger defenses.
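Feeding intelligence straight into blocking controls, as described above, only works if a bad or outdated feed entry cannot cut off your own systems. The following is an added example, not code from the original article or from any vendor's product: it triages feed records before they reach a blocklist. The record format, thresholds, protected ranges and sample records are assumptions constructed for the illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 8, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed feed records; IPs come from documentation ranges, not real IOCs.
FEED = [
    {"ip": "203.0.113.45", "kind": "phishing", "confidence": 90, "seen": NOW - timedelta(minutes=5)},
    {"ip": "198.51.100.7", "kind": "ransomware", "confidence": 40, "seen": NOW - timedelta(hours=1)},
    {"ip": "10.0.0.12", "kind": "phishing", "confidence": 95, "seen": NOW - timedelta(minutes=2)},
    {"ip": "192.0.2.200", "kind": "ransomware", "confidence": 85, "seen": NOW - timedelta(days=45)},
    {"ip": "192.0.2.10", "kind": "phishing", "confidence": 99, "seen": NOW - timedelta(minutes=1)},
    {"ip": "not-an-ip", "kind": "phishing", "confidence": 99, "seen": NOW},
    {"ip": "203.0.113.45", "kind": "ransomware", "confidence": 75, "seen": NOW - timedelta(minutes=9)},
]

# Never auto-block internal ranges or our own services (192.0.2.0/28 is hypothetical).
PROTECTED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "192.0.2.0/28")]
MIN_CONFIDENCE = 70            # assumed policy threshold
MAX_AGE = timedelta(days=30)   # assumed indicator lifetime

def triage(feed, now=NOW):
    """Split feed records into IPs to block and (ip, reason) pairs held for review."""
    block, held = {}, []
    for rec in feed:
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except ValueError:
            held.append((rec["ip"], "malformed"))
            continue
        if any(ip in net for net in PROTECTED):
            held.append((str(ip), "protected range"))
        elif rec["confidence"] < MIN_CONFIDENCE:
            held.append((str(ip), "low confidence"))
        elif now - rec["seen"] > MAX_AGE:
            held.append((str(ip), "stale"))
        else:
            block.setdefault(str(ip), set()).add(rec["kind"])  # de-duplicate per IP
    return block, held

if __name__ == "__main__":
    block, held = triage(FEED)
    for ip, kinds in sorted(block.items()):
        print(f"BLOCK {ip}  ({', '.join(sorted(kinds))})")
    for ip, reason in held:
        print(f"HOLD  {ip}  ({reason})")
```

Records that are held rather than blocked go to an analyst queue, which keeps the automation fast for clear-cut indicators without letting a poisoned or mistaken entry block internal ranges.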
The bottom line is that ransomware remains an active threat and will be for the foreseeable future. As long as organizations continue to pay, current threat actor TTPs work and affiliate gangs continue to be sheltered by hostile states, the threat will remain acute. But with smarter use of intelligence, you can raise the cost for adversaries and force them to re-pivot or move on to easier targets. In the world of risk mitigation, this counts as a win.