Prepare Now or Pay Later: How Can Businesses Mitigate the Risk of Ransomware?
April 29, 2021
The outbreak of COVID-19 and the ensuing digital revolution have fuelled an outbreak of ransomware, malicious software that infiltrates systems, encrypts data, and disables user access until a sum of money is paid to a threat actor. While ransomware events have been growing in size and significance for years, the effects of the coronavirus have elevated attacks to levels previously unseen.
Given the global conditions, companies facing financial strain may be tempted to lessen their protections, reduce their insurance coverage, and cut down on any seemingly unnecessary expenses. But in an increasingly digital world, security is a required cost of doing business. At this point, it’s not a matter of if you’ll be hit with an attack, but when—and what you’ll do when it happens. Ultimately, organizations have a simple choice to make: prepare now or pay later.
To help you get started, we’ve outlined some preliminary technical steps to improve your system architecture and operational resiliency. Keep in mind though: this is just the tip of the cybersecurity iceberg. Be sure to seek expert advice for more extensive practices tailored to your organization.
Disclaimer: Please note that the information provided herein offers guidelines only. It is not exhaustive and does not constitute legal or insurance advice. For more guidance, please consult a lawyer, a cybersecurity specialist, and/or a licensed insurance representative.
1. Ensure all security protections are up-to-date.
Most companies don’t have the time, staff, or means to keep up with technology refresh cycles, but the timely application of security updates is crucial to close any vulnerabilities that could be manipulated by threat actors. Remember to:
- Ensure operating systems, software, VPNs, firewall configurations, and third-party apps are promptly and frequently patched with the newest updates when available.
- Disable any external remote access to your network when it’s not needed, with automatic account lockouts after periods of inactivity.
- Disable any unnecessary or vulnerable services, stale accounts, ports, and legacy authentication methods.
- Remove any software or firmware that is no longer supported by the developer (like Windows 7).
2. Strengthen endpoint threat detection protocols.
Use effective, multi-layered security solutions that enable you to identify and block malicious maneuvers at different stages. Early detection can give businesses even a small window of opportunity to neutralize a threat before data is exfiltrated or encrypted. Consider:
- Endpoint detection and response (EDR) solutions that monitor for malware or suspicious behaviour on all devices, including personal devices (if a BYOD policy is in place);
- End-to-end antivirus and malware scanning that begins at the endpoint and extends to any local network and cloud applications;
- Email threat filters and other phishing controls that flag emails external to the organization. If needed, use a COVID-19 community blocklist.
3. Adopt strong password policies across your enterprise.
Poor password habits are one of the biggest threats to organizational security since many employees re-use weak, common, and easily guessed passwords for multiple platforms. To avoid the risk of compromised credentials, use a password manager to centralize all login information and maintain encrypted passwords across business applications. Schedule forced password changes every 60-80 days. Remind employees not to share login credentials or use work passwords for personal use and to create passwords with 16+ characters and symbols.
4. Implement multi-factor authentication (MFA).
Deploy Multi-Factor Authentication (MFA) or 2-Factor Authentication (2FA) on all business-critical services, including corporate email accounts, VPNs, financial accounts, and any other endpoint where sensitive information is stored or transmitted. MFA is an additional verification method that requires the user to input a 6-digit PIN once they’ve entered their username and password. The PIN is a unique, continually-changing key, and will automatically be sent to the account owner on a device that only they have access to. If the code is entered incorrectly, the user will be locked out.
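A sketch of how a continually-changing 6-digit code and the lockout described above can be checked on the server side, added here as an example and not taken from the article or any vendor's product. It assumes the authenticator-app variant (TOTP, RFC 6238) rather than a code sent by message; the 30-second step, the five-failure threshold and the `MfaVerifier` name are assumptions.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # assumed: how often the code changes
MAX_FAILURES = 5    # assumed lockout threshold; the article gives no number


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code valid at Unix time `at`."""
    counter = struct.pack(">Q", int(at) // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class MfaVerifier:
    """Checks a submitted code and locks the account after repeated failures."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.last_used_step = -1  # blocks replay of an already accepted code

    def verify(self, code: str, now=None) -> str:
        now = time.time() if now is None else now
        if self.failures >= MAX_FAILURES:
            return "locked"
        step = int(now) // STEP_SECONDS
        # Accept the current step and the previous one to tolerate clock drift.
        for candidate in (step, step - 1):
            expected = totp(self.secret, candidate * STEP_SECONDS)
            fresh = candidate > self.last_used_step
            # Constant-time comparison avoids leaking how many digits matched.
            if fresh and hmac.compare_digest(expected.encode(), code.encode()):
                self.last_used_step = candidate
                self.failures = 0
                return "ok"
        self.failures += 1
        return "locked" if self.failures >= MAX_FAILURES else "rejected"
```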
5. Improve your backup strategy.
If ransomware is planted on even one device, attackers can spread laterally throughout your whole system. But with a clean backup, you can keep your options open for self-recovery without having to pay a ransom. Plus, a backup will come in handy if your hardware is ever damaged in a network outage or a natural disaster.
Back up your business data daily to a secure, offline location that isn’t connected to the Internet or any of your local networks; this is known as an “air gap”. If possible, automate your backups to avoid the risk of human error and test them regularly for full restorability.
6. Apply the principle of least privilege.
Restrict administrative privileges as much as you can; employees should only have the minimum amount of access needed to fulfill their job responsibilities. Ensure that all users are required to confirm any actions that need elevated rights.
7. Build a cyber-aware workforce.
Education and awareness matter—users are on the front lines and even the most advanced cybersecurity tools in the world won’t make up for poorly trained staff.
Everyone who is part of a network should know the basics on how to protect it. At minimum, security awareness training should be clear on:
- How to handle sensitive data and use software safely;
- What cyber threats your organization faces and how to identify them;
- How to spot a phishing scam and report suspected emails to IT;
- How to recognize and report signs of a data breach.
Run automated phishing simulations and random tests on a quarterly basis (at least) to ensure employee knowledge is accurate. Consider partnering with a cybersecurity firm to offer high-quality training.
8. Encourage good document handling practices.
Cybercriminals will look for obvious targets during the reconnaissance phase, so make sure that all documents containing sensitive data are:
- Password protected;
- Not shared through plaintext email;
- Not stored in your email mailbox for an extended period of time unless absolutely necessary;
- Not named in a way that announces their sensitive content (e.g. “All Organizational Payroll Information”).
9. Vet your vendors.
Establish a formal vendor management program that classifies each vendor’s type of data and level of access. Make sure all third parties with access to your network operate with least privilege and have cybersecurity measures in place that are at least as good as your own. Perform annual audits to check if they meet your standards. Amend your contracts to clarify how and when data will be returned or destroyed at the end of an engagement.
10. Develop an incident response plan.
Every organization should have a formal incident response plan in case they fall victim to a ransomware attack. All plans should be clear on priority actions that need attention within the first 72 hours and who to contact for assistance (e.g. outside cyber first responders, law enforcement). If needed, refer to a cybersecurity expert and/or a law firm specializing in cybercrime for more guidance on ransom payment and tailored protocols.
11. Practice response drills.
Run simulated ransomware events on a routine basis and rehearse your recovery procedures. Continuous penetration testing will allow you to get a full view of your company’s cyber ecosystem and identify any weaknesses. This way, you can determine whether your controls are working properly, how long it would take to get back online, and where you can improve your incident response.
12. Invest in cyber insurance.
To be clear, both cybersecurity and cyber insurance are key to a strong risk management approach that will protect your organization from loss; cybersecurity can help you prevent and identify a breach and cyber insurance can help you respond and recover. Even with reduced ransomware coverage, a standalone cyber policy can still cover other expenses in the event of data exfiltration, including defence costs, forensic investigation, breach notification, credit monitoring, public relations consulting, and more.
Industries that transmit and store sensitive data on a daily basis, such as finance, staffing, and healthcare, may already be familiar with cyber-specific coverage and the dangers of a privacy breach. However, other sectors, like construction, transportation, manufacturing, as well as smaller professional offices, may be newly exposed to cyber threats and should strongly consider their cyber insurance and risk transfer options.
13. Work with your broker.
Brokers play an important role in the cyber risk management process. A licensed broker—like PROLINK—can help you become resilient in the face of a ransomware attack while you focus on managing your people, clients, and business.
With nearly 40 years of experience and a specialized knowledge of cyber markets, PROLINK is ahead of industry trends. Our dedicated team of risk advisors will:
- Conduct a robust assessment of your existing insurance policies to detect any coverage gaps;
- Monitor cyber insurance rates and keep you up-to-date on market patterns;
- Identify cyber perils, attack scenarios, and any potential losses based on your unique operations and risks;
- Share what steps others in your industry are taking and advise you accordingly;
- Determine the scope of responsibilities for all incident management team members;
- Deliver you a specialized solution, tailor-made for a new era of cyber risk with clearly defined parameters of coverage.
To learn more about your exposures—and how you can protect yourself—connect with PROLINK today or visit our Cyber Security & Privacy Toolkit for more!