[BreachExchange] How to Mitigate the Threat of Ransomware
Audrey McNeil
audrey at riskbasedsecurity.com
Wed Aug 31 19:47:36 EDT 2016
http://ww2.cfo.com/risk-management/2016/08/mitigate-threat-ransomware/
All too often, companies’ focus after being victimized by a ransomware
attack is on the ransom paid, which is generally the most trivial outcome
of the incident. From the perspective of a CFO, what goes unaccounted for
in any meaningful way is the lost productivity, lost profits, harm to
business reputation, cost of reconstructing data, and other damages that
flow from these attacks.
While state and federal laws may require breaches of privacy to be
reported, that’s not the case with ransomware attacks. As such, a
significant number go completely unreported and unpublicized, so the true
extent of the damages caused remains a mystery. In some cases the
ransomware attack is just one prong in a multi-pronged attack on an
organization’s infrastructure, making it almost impossible for even the
victim company to determine the specific impact of the ransomware.
So, in short, CFOs are struggling to understand the financial impact of
these attacks. To help them better understand, and to mitigate the impact,
this article discuss the types of harm and damages and makes specific
recommendations for better controlling security risks, including the use of
cyber-liability insurance.
Types of Damages and Harm
Ransomware typically targets an organization’s most valued information. But
it could reach almost any information, including marketing materials,
payroll data, intellectual property, financial transactions, and health
records.
Hiring an expert who is able to decrypt the information is often more
expensive and time-consuming than paying the ransom to get the information
restored. And sometimes data restored by a recovery service is incomplete,
with full recovery requiring the decryption key. However, by the time an
organization discovers that the recovery is incomplete, the attacker likely
has already destroyed the key and moved on, making full recovery an
impossibility.
If the ransomware hits certain servers, it may be distributed throughout an
organization to all users and potentially to third-party users connecting
to those servers or other infected user devices. It can also infect the
organization’s backup media, meaning that if the target tries to restore
data from its backups, it could re-infect its systems and data.
These attacks can take hostage and threaten to or actually disclose
confidential or proprietary information to the public or, even worse, the
highest bidder. The fear of such disclosure a motivating factor for victims
and gives them little time to think rationally about their options.
Controlling Risk
An overall approach to addressing the threat of ransomware could include
the following practices:
Train and educate personnel on an ongoing basis.
Specifically address and plan for ransomware in the business’ disaster
recovery and business continuity plans, including testing of those plans.
Ensure that all anti-virus and other security software is properly updated.
Many forms of ransomware can be detected and avoided using this simple step.
Engage a third-party expert security vendor to assess your organization’s
systems and procedures.
In the event of an attack:
Identify and isolate infected and potentially infected systems.
Disable shared network drives connected to the infected systems.
Consider suspending ordinary-course backups of those systems to prevent
further propagation of the virus.
Engage an information security consulting firm that specializes in
assessing and mitigating these sorts of attacks.
Circulate a warning to all other organization personnel advising them of
the threat and cautioning them not open email and attachments from
suspicious sources.
Insurance as a Path to Mitigation
CFOs have traditionally looked to insurance as a key means of mitigating
risk. In the security context, a wide range of cyber-liability policies are
now readily available.
Cyber insurance policies are an important tool for CFOs in managing the
impacts of cyber and other information-breach incidents. Some policies
include the payment of a ransom, while others expressly exclude it due to
the “moral hazard” of such coverage. Where such policies do exist, many are
limited and may have coverage exclusions.
For organizations that have such policies, working with the broker and
insurers to understand the policy and the procedures for filing a claim is
crucial to payment under the policy. Often the policies are tightly drafted
to mitigate the impact of cyber fraud and require the policyholder to
educate its workforce and implement appropriate means, such as business
continuity and disaster recovery procedures, to prevent the ransomware
intrusion and mitigate the impacts of an incident.
Conclusion
Unfortunately, incidents of ransomware are increasing daily and there
appears to be no end in sight. With every payment to an attacker, we only
embolden and incentivize attackers to continue and encourage others to join
the ransomware community. Presently, there is no panacea for preventing
these attacks. No one is immune.
Given the difficulty of preventing ransomware infection, companies should
focus on personnel training and awareness, which has one of the best
returns on investment in preventing these attacks. Following closely behind
training in effectiveness is the deployment and testing of business
continuity and data backup procedures designed with attacks like ransomware
in mind.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160831/031da02c/attachment.html>
More information about the BreachExchange
mailing list