By now, you’ve almost certainly heard about ransomware — a form of cyber-attack in which hackers encrypt systems, steal data then demand a ransom payment to end the attack. While ransomware has been around for a while now, attackers have started setting their sights on bigger and bigger targets, gaining international media attention in the process.
But the reason businesses should be paying attention to ransomware is not because big corporations are shelling out millions of dollars in ransom payments. Instead, when you look at the bigger picture, small businesses are the ones who will continue to bear the brunt of these attacks. According to the Secretary of Homeland Security Alejandro Mayorkas, there has been a 300% increase in ransomware attacks in the past year and 50-70% of those attacks were directed against small and medium sized businesses. And while a cyberattack is tough for any businesses to recover from, the threat ransomware poses to small businesses is existential, with 60% of small businesses failing within 6 months of a cyber-attack.
Because the threat is so big and the stakes are so high, governing ransomware risk needs to be a top priority for small businesses. And in order to protect your organization, there are two vital areas that need to be focused on: systems controls and organizational culture.
1. Endpoint detection and response
Endpoint detection and response (EDR) is a type of security software that actively monitors endpoints like phones, laptops and other devices in order to identify any activity that could be malicious or threatening. Once a potential threat is identified, EDR will automatically respond by getting rid of or containing the threat and notifying your security or IT team. EDR is vital today in order to stay on top of potential threats and put a stop to them before they can cause any damage.
2. Hardening your RDP Ports
Remote Desktop protocol is a tool that allows someone to connect to a computer remotely. This can be useful, but more and more ransomware attackers are using RDP ports to gain access to victims’ systems. Organization that do not actively use RDP should therefore consider disabling the feature or limiting to users and devices that are not connected to public internet.
Having a back-up of your systems could allow you to regain access to your data without having to pay the ransom. However, it’s essential to have an effective back up strategy in order to ensure the attackers don’t steal your backups along with everything else. At minimum, at least one backup should be stored offsite. You should also utilize different credentials for each copy of your back-up. Finally, you should regularly test your back-ups to ensure you will be able to quickly and effectively get your systems online if an attack happens.
Lastly, using multi-factor authentication (MFA) is a simple yet powerful tool for stopping the bad guys from using stolen credentials. At minimum, any user accessing your network should be using MFA. In addition, all users with administrative privileges need to use MFA, whether they are accessing your network remotely or on premise.
Don’t Forget Culture
When it comes to governing ransomware risk, the best way to prevent attacks is to focus on creating a culture that incorporates cyber-secure behaviors into every day practices. However, the biggest issue many organizations face when creating a cybersecure culture is sustaining those behaviors overtime. In order to properly govern ransomware risk, behavior change requires 4 essential elements:
1. Consistent Communication
We get it, cybersecurity can be confusing. And as the threat landscape changes, so do our cybersecurity policies. That’s why it’s so important that business leadership consistently communicate with their employees about the behaviors you want to see.
2. Make it Easy
When thinking about the behaviors you want employees to adopt, it’s vital you make these behaviors as easy as possible to do. Everyone is being pulled in a million different directions at once, so if an employee has to take 10 minutes out of their day to figure out how to report a phish, they aren’t going to follow through. If, however, you provide a simple and easy-to-use process, you’re going to have a much easier time getting employees to adopt new behaviors.
3. Help People feel Successful
People want to feel like the work they are doing is making a difference. If they feel like what they are doing just doesn’t really matter all that much, there isn’t going to be much motivation to continue doing it. That’s why it’s so important to help people feel successful when they follow through on the behaviors you want to see. Providing positive feedback, for example, can go a long way towards creating behavior change. If your employees know their work is being recognized and feel it makes a difference, they will be much more likely to keep it up.
4.Walking the Walk
The above three elements for creating sustained behavior change have one thing in common: you. A leadership team can’t simply talk the talk. Change starts at the top and requires you and your leadership team take an active role ensuring these behaviors become a part of the organizational culture and value structure.
There’s no doubt that ransomware poses a big threat to small businesses, and the best thing you can do govern the risks of attack is focusing on creating a culture in which cybersecurity is valued and acted upon every single day.
Recently, we wrote about a study showing a connection between an increase in death rates and cybersecurity policies implemented after a data breach in the healthcare industry. We talked about the importance of ensuring that cybersecurity and operational interests are aligned. However, that study raises another, equally important point: hospitals shouldn’t wait for a breach to occur before implementing appropriate cybersecurity controls. This is a lesson that every industry should learn and is one of the main principles behind cyber resiliency: instead of just trying to prevent the worst from happening, we need to create a risk culture that assumes the worse will happen, then take steps to minimize its impact on essential operations.
And when it comes to the importance of cybersecurity and resiliency for our healthcare industry, the stakes couldn’t be higher. Within a period of two months in 2017, the healthcare industry across the globe was brought to its knees by two unrelated ransomware attacks. Strangely, neither of these attacks intended to target healthcare organizations. Instead, each attack contained a self-replicating virus that accidentally spread beyond their intended targets. But no matter the intentions, these attacks caused hundreds of millions of dollars in damage and affected 40% of healthcare delivery in the U.K.
Fast forward today and the potential consequences of such an attack—intentional or otherwise—on our healthcare system are clearer than ever. In his opening remarks at the CISA National Cybersecurity Summit, Josh Corman, visiting researcher at CISA and founder of I am the Calvary, put the stakes of healthcare cybersecurity into perspective. “In areas affecting the brain, the hearth, the lungs, where time matters, where minutes or hours could be the difference between life and death, mortality rates are affected if you can’t give time-sensitive health care.”
Corman joined CISA this spring to help assure the security of Operation Warp Speed, the U.S.’s initiative to rapidly develop and distribute vaccines, therapeutics, and diagnostics for COVID-19. “Now we need healthcare delivery more than we ever have,” Corman said, “Now an attack during a peak surge in traffic would be absolutely devastating.” And such attacks aren’t just hypothetical. According to one report, U.S. officials have already notified a number of healthcare companies about targeted threats. In particular, the biotech company Moderna, now in stage 3 of COVID-19 vaccine trails, has been targeted by hackers.
These examples drive home the potentially life and death implications of cyber resiliency. We can and should try and prevent attacks from happening, but the reality is that’s not enough. In his talk, Corman lamented a culture within healthcare cybersecurity to wait for “proof of harm” before taking corrective actions. Instead of waiting for harm to occur, Corman argued, a clear, “unmitigated pathway to harm” should be enough to trigger corrective action. This is a lesson that extends far beyond the healthcare industry. All organizations need to create a risk culture that acknowledges and prepares for the harsh reality that, in some shape or form, cyber incidents are going to happen. To prepare for this, Corman outlined a number of key questions every organizations should consider:
How do you avoid failure?
How do you capture, study, and learn from failure?
How do you have a prompt and agile response to failure?
How do you contain and isolate failure?
Today, attempts to hack, steal, and disrupt systems are not hypotheticals. They are the new normal. Alongside efforts to prevent cyber attacks, organizations needs to be prepared to minimize the impact these attacks will have on essential business and operations.
Today business leaders are rightfully concerned about mitigating their organization’s cyber risks. To address this concern, many businesses have begun to hire individfuals responsible for cybersecurity and even hiring Chief Information Security Officers (CISOs) to provide security leadership at the executive level. But unfortunately, old habits die hard. Instead of integrating the cybersecurity team or the CISO into both cybersecurity and business conversations, many of these security leaders have become siloed from broader business strategy and goals. Of course, this also leaves the executive team under-informed about the nature and scope of their organization’s cyber risk profile.
One of the main tenants of a new security principle, cyber resiliency, stresses the need to integrate approaches to security and business in order for either side to succeed. In fact, organizations should even stop thinking of business and security as two opposing side of an equation and instead learn to see and promote the integration of each with the other. However, this will require both security experts and businesses leaders to put in some work.
Business-Aligned Security Leaders
A recent report by Forrester found that just four out of ten security leaders can answer the question, “How secure/at risk are we?” and less than half frequently consult business leaders before developing security strategies. This, to put it lightly, is a big problem. If security leaders are just focused on implementing and maintaining technical controls, they end up missing the bigger picture of the risk culture that surrounds those controls. It is vitally important for security teams to understand an organization’s business-critical assets and work with leadership to develop a risk mitigation plan that prioritizes those assets.
Cybersecurity teams also need to be able to communicate their needs to business leadership. According to the Forrester report, more than half of security leaders lack adequate skills in benchmarking their security programs. In order to integrate cybersecurity and business needs, security teams need to develop benchmarking and risk reports that they can properly communicate to business executives. Taking a more business-oriented approach to security can also help security leaders advocate for the funds they need to reduce risk.
Cyber-Aligned Business Leaders
Of course, in order for security leaders to effectively integrate business strategy into overall cybersecurity goals, the business executives and board members need to regularly meet and communicate with their security team. To ensure this happens, it’s important for board members to assume ultimate responsibility for oversight of the organization’s security and to integrate cybersecurity discussions into the overall business strategy, risk management, and budgeting. It may even be a good idea to require cybersecurity training for all board members to ensure everyone has a proper understanding of the current threat landscape and regulations.
With a focus on outcomes, training, and a security team able to communicate benchmarks and risk reports, board members will be in a position to properly define the organization’s cyber risk tolerance that is consistent with business strategy andcurrent cybersecurity controls. Board members and executives teams must ensure the organization’s risk appetite is communicated throughout all levels of the organization and that they create a culture that reflects the cybersecurity and business interests of the organization. Many of these recommendations are included in a white paper from the World Economic Forum that details 10 essential principles and tools for boards to better integrate cyber resiliency with overall business strategy.
Today, most organizations understand the importance of maintaining an effective cybersecurity program. However, not many businesses are recognizing the interdependence of cybersecurity and business interests. And it’s a two way street. Both cybersecurity leaders and business executive and board members need to be mindful about taking a more holistic approach to cybersecurity and business for either to be effective.
When we think of risk — especially in cybersecurity — we usually think about the things we do that can hurt us: clicking on that phish, accidentally forwarding an email to the wrong party, wiring money to the wrong (or fraudulent) bank account.
However, we should also pay attention to what we don’t do, such as failing to patch the system as soon as an update is available, failing to act on findings in a vulnerability scan, failing to change or strengthen our passwords, failing to add multi-factor authentication, or failing to review logs. Sometimes, our ability to accept “passive risk,” such as putting off taking an action to another day can be more pernicious than active risk. In fact, misconfigurations — a form of passive risk — is a top threat factor, according to Verizon’s 2020 Data Breach Investigations Report.
A recent paper describes a series of studies conducted that assess employees’ level of passive risk. According to the results, those that stated that their tolerance for passive risk was high also exhibited those passive risk cybersecurity behaviors. Interestingly, however, the study did not find the same correlation between active risk assessments and active risk behaviors.
So, how can you address passive risk? Design the behaviors that you would like to see and test changes in processes with the staff that seems most prevalent to passive risk. One example is to facilitate the automation of patching so that it makes it easy for the IT staff to perform. Another option is to take the time to fine tune log alerts so that the team does not have to deal with a lot of false positives. The paper also suggests changing the wording of certain security features to highlight the consequence of passive risk behavior. For example, instead of referring to passwords as “strong” or “weak,” using phrases such as “low risk” or “high risk” passwords can help drive home the potential consequence of poor credential management.
Whatever methods you use, In today’s remote environment, it’s always important to take the time to get together with your team and bond with them. Having a better relationship with your team can help generate the cohesion that is necessary for a risk-aware culture.
Regardless of your business or your personal situation, it is hard to imagine that you have not been impacted by COVID. Among other things, it has exposed how vulnerable we are personally. How vulnerable our company is. How vulnerable our communities are.
And these vulnerabilities can create a sense of anxiety, which can build on itself, leaving feeling us helpless.
Perhaps the single most important thing we can do when we are vulnerable is to connect. To communicate. To reach out to others. If we do nothing but isolate, the vulnerabilities expose and consume us.
Cybersecurity professionals deal with vulnerabilities all the time. Often these individuals work as a group separately or perhaps communicating with other IT members. Unfortunately, apart from compliance audit reports or token security awareness programming, cybersecurity is rarely communicated and integrated into the overall culture of the business. How many times do security professionals say of corporate users and leadership, “They just don’t understand” and c-suite, marketing or other department users say with regards to cybersecurity, “They just don’t understand.” Imagine the understanding that could occur if everyone began to lean in and communicate about these issues as one team.
Just as during these times, a key way to address vulnerabilities in your systems is by connecting and communicating across channels. The more the IT and cybersecurity team is engaging with business leaders and staff and other stakeholders, the stronger the organizational culture will be to mitigate vulnerabilities and build resilience.