The battle against ransomware: Why companies must never let their guard down

Cyber criminals are waging a war against the world. Companies, banks, hospitals, governments and even high-profile individuals are under threat.

In the UK, crime is now statistically most likely to be online, with nearly six million cybercrimes committed in England and Wales during the last year alone. Online criminal gangs are flexible and innovative, and have so far been able to stay one step ahead of the law.

However, researchers in Florida have made real progress in the battle against digital criminals. They say they have created software that can stop ransomware, one of the most prolific forms of online abuse if not the most prolific, in its tracks.

The solution, titled CryptoDrop, is able to detect ransomware and halt its progress before it has locked down more than just a few files, meaning minimal losses and the ability to avoid a costly ransom.

Of course, this is good news for everyone other than the sophisticated gangs that consider ransomware their bread and butter. But despite the progress made by these researchers, this is not the ultimate fix.

Such are the levels of organised crime involved in developing ransomware that new programs and variants are developed practically on a daily basis. As one cure is discovered, ten new variants of the virus have already been deployed in the wild. It is a never-ending cycle and, while any form of progress is of course a success, companies need to ensure they are still covering the basics when it comes to protecting themselves.

Even as security begins to catch up with the criminals, companies can never rest on their laurels. With this in mind, what should companies do to ensure they have the best wall of defence against a cyber attack?

The first step is education

First and foremost, companies need to invest in education. While it is extremely difficult to block every form of ransomware from breaching your network, education can be the difference, stopping ransomware before it has even had a chance to infiltrate a company. This is because employees are the security weak link, the chink in the armour. Cyber criminals understand this and therefore often target unsuspecting employees.

Hackers know the environment they are attacking and capitalise on the fact that the majority of people will not ignore an innocent-looking email from a colleague. After all, would you ignore an email labelled urgent from your CEO? Probably not.

In order to minimise this risk, companies should provide informative education materials and awareness courses on how to spot a phishing email, who to contact in such a situation and ultimately how to avoid playing into the hands of a criminal. This way, if an employee does find a suspect email in their inbox, they are equipped to deal with the situation.

Creating a culture of security

There is also a dangerous mindset within many businesses in the UK: the idea that cyber crime won’t affect them personally. Many businesses historically did not have to worry about cyber crime. It was an issue that affected huge conglomerates, banks and government departments. But that is no longer the case. In 2015 the Government Security Breaches Survey found that nearly three-quarters (74 per cent) of small UK organisations had reported a security breach that year, while two thirds of Britain’s large businesses suffered an attack or breach. All UK businesses are under threat, and all should take it seriously.

With this in mind, businesses need to adopt proven technology approaches to secure themselves. Firstly, in order to prevent an attack, companies have to properly blacklist and whitelist certain applications and employ techniques such as permission-based access, read-only blanketing and automated revocation of access. Strictly controlling access greatly reduces the risk of a threat, because ransomware is blocked. As ransomware is spread largely through opportunistic phishing emails, implementing stringent control and access should minimise the chance of an attack sneaking in.

Secondly, companies need to automate the employee life cycle to close any security gaps. This can be done by implementing or refining onboarding and offboarding procedures and making sure that these processes are automated to mitigate risks. New joiners should be granted the correct access, and leavers should be stripped of access entirely. If companies secure the lifecycle, new joiners and those exiting the company will not expose an access point that leaves the door open to an opportunistic cyber criminal.

If the user lifecycle isn’t monitored, it can create IT shadows as the IT department loses insight into access and security. IT shadows are formed when employees introduce their own apps and services to the workplace. As more and more workers adopt differing apps and services, and grant various forms of access, the IT department steadily loses visibility. This can, in time, make security extremely difficult.

In order to avoid this, companies can introduce a number of processes and solutions. Limiting employees to a strict list of approved apps and solutions does provide more control, though employees will have their own preferences and may create IT shadows by seeking these out. Instead, businesses should consider self-service capabilities. By providing a central point where workers can request access to apps and services, which can then be automatically delivered once they are checked, the IT department can have complete oversight of technology. Coupling this with context-aware controls, so that apps approved via self-service can only be accessed from secure locations, is an effective security measure.

Tip of the iceberg

The progress made by the Florida researchers is an encouraging breakthrough and a step towards stamping out ransomware criminals entirely. But, until that happens, the developed world must still remain vigilant, as a ransomware attack can happen to anyone, at any time.

Companies need to formalise the employee lifecycle and adopt the security controls outlined above to reduce the IT shadow and keep a tight grip on security.

Ultimately, companies will need to be prepared for when, not if, an attack happens.

Andy Buchanan, Area Vice President, UK and Ireland, RES