
Preparing for the worst: Developing a line of defense against ransomware


The moment a ransomware attack hits, businesses need to act fast. Failure to move quickly can have a detrimental impact on the reputation and profitability of an organization; files will be inaccessible for longer, more devices will be infiltrated, and more money will be lost. The first hour after a business is compromised is referred to as the ‘golden hour’. For the response to an attack to be well coordinated it requires quality training and preparedness well ahead of any breach.

Hackers are constantly evolving their techniques and approach to ensure their attacks become increasingly infectious and harmful. This is having a big impact on those they are attacking, with the average breach costing businesses more than £100,000, as well as a lasting impact on brand reputation. For example, 40 percent of consumers consider CEOs to be personally liable for ransomware breaches, and 44 percent would stop using a company’s services if it fell victim to an attack. Compounding the risks, 20 percent of paying victims never have their stolen data returned.

To keep damage to a minimum, businesses must invest in training and software that can rapidly detect and contain ransomware. Time is money when an attack hits, and the only way to mitigate the impact is to be prepared and to have total data visibility.

Fail to prepare, prepare to fail

Much of the most important work that goes into resolving a ransomware attack happens long before it’s first detected. You can’t treat a patient without the right medical kit, and a company can’t fight a ransomware infection without detection capabilities and a strong data backup and recovery strategy.

Mission-critical data is the chief target of any attack. As a company’s most precious asset, its loss or theft can bring operations to a shuddering halt. To avoid this, organizations must bring their data estate under control.

Performing or commissioning a data audit will give a business a much better idea of what data it holds and where it is located within its infrastructure. Yet it can only be a first step. To guard against ransomware, employees need to be able to spot the symptoms, and that is only possible when they have constant visibility over company data.

In modern organizations, data is spread out over multiple – often disconnected – on-premises systems and cloud environments. Ransomware thrives in fragmented systems, where security policies are inconsistent and the initial attack vector often goes unnoticed. The malware can spread unimpeded, capturing crucial data before it’s eventually detected.

Organizations should leverage tools that help connect their dispersed data assets and ensure security policies can be rolled out across all environments. At all times, employees should be able to tell what data the company has, what environment it is being held in, and know what measures are protecting it.

Alongside a strong and secure data foundation, a ransomware defense strategy must deliver protection at all levels. You should have a strategy to proactively search for and fix system vulnerabilities, and deploy solutions for network monitoring, threat intelligence, and endpoint detection.

Crucially, businesses should also have a backup strategy in place, to ensure encrypted data isn’t lost forever. Needs will differ between organizations, but the 3-2-1 rule is a useful guideline. This means keeping at least three copies of data, on at least two devices, with at least one copy offsite. It’s important to ensure these copies are sufficiently isolated that ransomware can’t jump between them, rendering them useless. It is also important that recovery is regularly rehearsed and tested, so that you know you can recover your critical data and can respond quickly and efficiently when disaster strikes.
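One way to turn the 3-2-1 rule, the isolation requirement and the rehearsal requirement above into a repeatable check, as an added example that is not code from this article or from Veritas: the inventory is constructed, and the field names and the 90-day drill threshold are assumptions, not any product's schema.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class BackupCopy:
    name: str
    device: str                        # storage target this copy lives on
    offsite: bool                      # held outside the primary site
    isolated: bool                     # immutable/WORM or offline, so it can't be encrypted in place
    last_restore_test: Optional[date]  # last successful restore drill, None if never run

def check_3_2_1(copies: List[BackupCopy], today: date,
                max_drill_age: timedelta = timedelta(days=90)) -> List[str]:
    """Return a list of findings; an empty list means the inventory passes."""
    findings = []
    # The rule as stated in the article: three copies, two devices, one offsite.
    if len(copies) < 3:
        findings.append(f"copy count is {len(copies)}; 3-2-1 needs at least three")
    if len({c.device for c in copies}) < 2:
        findings.append("all copies share one device; 3-2-1 needs at least two")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy; 3-2-1 needs at least one")
    # Isolation: a copy the ransomware can reach and overwrite is not a safe copy.
    exposed = [c.name for c in copies if not c.isolated]
    if exposed:
        findings.append("reachable, non-immutable copies: " + ", ".join(exposed))
    # Rehearsal: a backup that has never been restored is an untested assumption.
    for c in copies:
        if c.last_restore_test is None:
            findings.append(f"{c.name}: never restore-tested")
        elif today - c.last_restore_test > max_drill_age:
            age = (today - c.last_restore_test).days
            findings.append(f"{c.name}: last restore drill {age} days ago")
    return findings

# Constructed inventory (assumed values): an offsite copy exists, but the NAS copy is
# reachable from the endpoints, the tape drill is stale and the cloud copy was never restored.
TODAY = date(2024, 6, 1)  # fixed so the result is reproducible
SAMPLE = [
    BackupCopy("nas-nightly", "nas-01", offsite=False, isolated=False, last_restore_test=date(2024, 5, 20)),
    BackupCopy("tape-weekly", "tape-library", offsite=False, isolated=True, last_restore_test=date(2024, 2, 1)),
    BackupCopy("cloud-object-lock", "s3-bucket", offsite=True, isolated=True, last_restore_test=None),
]

def sample_findings() -> List[str]:
    """Findings for the constructed inventory: one exposed copy, one stale drill, one never tested."""
    return check_3_2_1(SAMPLE, TODAY)
```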

A speedy recovery

When the right steps have been taken in preparation, it’s much easier for a business to respond quickly and effectively to a ransomware attack. However, organizations still need a response plan in place to contain the infection once it has taken hold.

Once an attack has been reported or detected, the security team should move in to ensure the affected end-users and systems are isolated from the wider network. The affected end-users should then be interviewed for their insight into the attack; data management tools can also quickly show what data these users normally access. That data should then be scanned to determine what has been infected or lost. So long as the company’s data backups have been properly protected, this data can be restored without causing disruption or having to pay the ransom.

Proper education is crucial for this system to run smoothly. Ransomware awareness training is doing much to help staff recognize social engineering attempts and prevent potential attacks. However, organizations now need to take education a step further.

It’s no longer enough simply to recognize ransomware; employees have to be able to respond once an attack has, inevitably, succeeded. For a strong response during the first hour of an attack, employees should be educated to disconnect their machine from the network and any external drives. Going offline helps stop the ransomware from spreading. Then they should use a phone or camera to take a picture of the ransom message received before shutting down their machine. The final step should be to notify their IT department and share any information they have about the attack.

More often than not ransomware training is focused around scaremongering and worst-case scenarios. Whilst it’s important that staff are prepared for an attack, organizations don’t want to instill a culture of fear when it comes to reporting ransomware attacks. If staff believe their ‘wrong click’ has caused earth-shattering damage to the business, they may delay coming forward. Instead, businesses should look to create a culture of trust and transparency. No one should be afraid to report suspect activity.

The most effective way of ensuring that employees aren’t intimidated when reporting a breach is to run regular recovery and response drills. This means that employees are aware of the systems and how to use them should an attack happen in real life. It also means that any flaws in the system can be identified and addressed in a controlled situation rather than a high-pressure scenario. Doing so gives you the peace of mind of knowing your business can survive an attack when it hits.

An organization’s attitude towards ransomware shouldn’t be ‘let’s hope we’re one of the lucky ones and don’t get hit’, but instead an expectation that an attack could hit at any given moment. Hackers are constantly advancing their tactics, making it increasingly difficult for staff to spot when they have been breached. One click on the wrong email and the entire organization is compromised. Accordingly, the line of defense shouldn’t be focused purely on preventative measures, but also on practices and software that can help businesses bounce back as quickly as possible. To be ransomware resilient, the workforce must be prepared, must be trained on the appropriate processes, and must have access to the tools that allow full data visibility and control.

Simon Jelley, VP, Product Management, Veritas Technologies