Recent ransomware attacks on hospitals and medical centers should serve as a wake-up call for organizations of all shapes and sizes. Every business is at risk, because the attackers are not after any particular industry: their goal is simply to disrupt operations and extort money.
The good news is that organizations are waking up to the danger. In my discussions with companies about their security infrastructure, this topic comes up again and again.
And while it is impossible to eliminate the risk entirely, here are six simple steps that any organization can take to reduce the chance of being victimized by ransomware, and by hacking attacks in general.
1. Back up your critical data now -- and isolate those backups.
A number of affected hospitals restored their systems within days because they had a recent backup of their data. Roughly as many could not, and many of those believed they had an adequate backup and restore plan in place.
There has been a big focus recently on disk-to-disk replication, which shortens your recovery window. Preparing for ransomware, however, may require some form of air-gapped or otherwise immutable copy, where the official "data of record" is stored in a way that cannot be reached by a network-replicating worm. Replication copies the damage as faithfully as the data: once ransomware encrypts the primary, the encrypted files are replicated to the secondary, so having backups on a second server is not necessarily going to keep you safe if your network is compromised. Keep the backup target out of reach of ordinary domain and administrator credentials, and test restores on a schedule; a backup you have never restored from is an assumption, not a plan. A big lesson from the Sony attack: if your network is truly completely overrun, then everything on it is at risk.
2. Add tools to find and stop any threats on your network.
Implement a host-based intrusion prevention system (HIPS) to identify and quarantine malicious activity on the host itself. In addition, a range of other technologies, from anti-virus to network-based intrusion prevention to file integrity monitoring, can help identify ransomware either as it is introduced onto the network or while it is trying to execute on a host. File integrity monitoring is a particularly good fit, because an encryptor announces itself by rewriting or renaming large numbers of files in a short time.
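The following is an added example, not code from the original article or from any product it mentions. A single hash manifest taken while the data is known-good serves both of the points above: compared against the live file system it is a minimal file integrity monitor that shows what an encryptor changed (item 2), and compared against the isolated copy it verifies that the backup is actually restorable before anyone needs it (item 1). The directory layout, file names and the "ransomware" stand-in (which just overwrites one file and renames another) are constructed for the demonstration.

```python
"""Hash-manifest integrity check for a data set and for its offline copy.

Added example, not from the original article. The manifest doubles as a file
integrity monitoring baseline and as the record against which an isolated
backup is verified. File names and the 'ransomware' stand-in are constructed.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def verify_backup(baseline, backup_root):
    """Check a copy against the known-good manifest. Returns a sorted list of
    'missing:<path>' / 'mismatch:<path>' problems; an empty list means the
    copy can be used for recovery."""
    problems = []
    for rel, digest in baseline.items():
        path = os.path.join(backup_root, rel)
        if not os.path.isfile(path):
            problems.append("missing:" + rel)
        elif sha256_file(path) != digest:
            problems.append("mismatch:" + rel)
    return sorted(problems)


def simulate_ransomware(root):
    """Constructed stand-in for an encryptor: overwrites one file in place and
    renames another with a ransom-style suffix. No real encryption happens."""
    with open(os.path.join(root, "a.txt"), "wb") as f:
        f.write(b"\x00garbage" + os.urandom(32))
    os.replace(os.path.join(root, "b.txt"), os.path.join(root, "b.txt.locked"))


def demo():
    """Baseline -> isolated copy -> attack on the primary -> detect -> verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        backup = os.path.join(tmp, "backup")
        os.makedirs(live)
        for name in ("a.txt", "b.txt", "c.txt"):
            with open(os.path.join(live, name), "w") as f:
                f.write("record for " + name)

        baseline = build_manifest(live)   # taken while the data is known-good
        shutil.copytree(live, backup)     # the isolated copy, made before the attack
        simulate_ransomware(live)         # the primary gets hit

        modified, added, removed = diff_manifest(baseline, build_manifest(live))
        return {
            "modified": modified,                                 # ['a.txt']
            "added": added,                                       # ['b.txt.locked']
            "removed": removed,                                   # ['b.txt']
            "live_problems": verify_backup(baseline, live),       # primary no longer matches
            "backup_problems": verify_backup(baseline, backup),   # [] : the copy is restorable
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two practical points follow from the code. The manifest has to live somewhere the attacker cannot rewrite it (with the offline copy, or signed), otherwise a compromised host can simply regenerate it after encrypting. And `verify_backup` is the cheap part of a restore test; it proves the bytes are intact, not that the application can be brought up from them, so it complements rather than replaces a periodic full restore drill.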
3. Test users' security IQ.
An employee gets an email that appears to be from a coworker, containing a link to a great deal on airfares. They click the link, and malware spreads across the network. It happens all the time. As long as you have people working for your company, you will be vulnerable to ransomware. But simulating phishing and spearphishing attacks can dramatically reduce the percentage of users who will click on a bad link. Test employees by sending an email that looks legitimate but actually comes from an address, and links to a landing site, that you control. How many open it? How many click the link? How many enter their user name and password into the spoofed website? The answers give a sense of the level of security IQ within your workforce.
Typically, one in five users will click on a bad link, which is all an attacker needs to install malware or a bot on the local system. Therefore, build your architecture on the assumption that 20 percent of your workforce will make this mistake at some point: one compromised workstation should not be able to reach, and encrypt, everything else.
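As an added example (not part of the original article), here is how the three questions above can be answered from nothing more than the access log of the landing site. Each recipient is issued an unguessable token that is embedded in the tracking pixel, the link and the credential form, so a hit on any of those paths attributes itself to one person without putting an email address in a URL. The log lines, recipient names and tokens below are constructed for illustration; the paths `/open/`, `/click/` and `/submit/` are assumptions about how the landing site is laid out.

```python
"""Scoring a phishing simulation from web-server access logs.

Added example, not from the original article. The recipients, tokens, URL
layout and Apache-style log lines below are constructed for illustration.
"""
import re
import secrets

# A click implies the message was opened even when the tracking image was
# blocked by the mail client, so each recipient is credited with the furthest
# stage reached rather than with each stage independently.
STAGE_RANK = {"open": 1, "click": 2, "submit": 3}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
PATH_RE = re.compile(r'^/(?P<stage>open|click|submit)/(?P<token>[A-Za-z0-9_-]+)(?:\.gif)?$')


def issue_tokens(recipients):
    """One random token per recipient, so the URL never carries an address."""
    return {secrets.token_urlsafe(8): who for who in recipients}


def parse_events(log_lines, tokens):
    """Return {recipient: furthest stage rank}. Unparseable lines, unknown
    tokens, non-2xx/3xx responses and GETs to the submit handler are ignored."""
    reached = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("status")[0] not in "23":
            continue
        p = PATH_RE.match(m.group("path"))
        if not p or p.group("token") not in tokens:
            continue
        stage = p.group("stage")
        if stage == "submit" and m.group("method") != "POST":
            continue                      # only a real form post counts as credential entry
        who = tokens[p.group("token")]
        reached[who] = max(reached.get(who, 0), STAGE_RANK[stage])
    return reached


def funnel(reached, recipients):
    """Counts and rates per stage, plus the recipients who never engaged."""
    n = len(recipients)
    counts = {s: sum(1 for r in reached.values() if r >= k) for s, k in STAGE_RANK.items()}
    rates = {s + "_rate": round(counts[s] / n, 2) for s in STAGE_RANK}
    return {"recipients": n, **counts, **rates,
            "never_engaged": sorted(set(recipients) - set(reached))}


def demo():
    tokens = {"tokA": "alice", "tokB": "bob", "tokC": "carol",
              "tokD": "dave", "tokE": "erin"}   # fixed here; use issue_tokens() for a real run
    log = [  # constructed access-log lines
        '203.0.113.5 - - [12/Mar/2016:09:01:12 +0000] "GET /open/tokA.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [12/Mar/2016:09:01:40 +0000] "GET /click/tokA HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [12/Mar/2016:09:02:05 +0000] "POST /submit/tokA HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [12/Mar/2016:09:03:10 +0000] "GET /open/tokB.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [12/Mar/2016:09:03:30 +0000] "GET /click/tokB HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [12/Mar/2016:09:03:55 +0000] "GET /submit/tokB HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
        '203.0.113.9 - - [12/Mar/2016:09:05:00 +0000] "GET /open/tokC.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
        '198.51.100.2 - - [12/Mar/2016:09:06:00 +0000] "GET /click/tokE HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
        '198.51.100.2 - - [12/Mar/2016:09:06:30 +0000] "GET /click/tokE HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
        '198.51.100.3 - - [12/Mar/2016:09:07:00 +0000] "GET /click/tokZ HTTP/1.1" 404 0 "-" "curl/7.47.0"',
    ]
    return funnel(parse_events(log, tokens), list(tokens.values()))


if __name__ == "__main__":
    print(demo())   # 5 recipients: 4 opened, 3 clicked, 1 submitted; dave never engaged
```

In the constructed log, erin's click is counted as an open even though no pixel hit exists for her (her client blocked images), bob's GET to the submit handler is not counted as a credential entry, and the 404 for an unknown token is dropped. One caveat for real runs: mail security gateways and link-preview features fetch URLs on the user's behalf, so clicks arriving seconds after delivery from a gateway's address range should be excluded before the click rate is reported.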
4. Cover all your bases with the right policies and processes.
A secure infrastructure is much more than just the right technology. It also requires strict and enforceable policies: configuration baselines, a well-regimented patch management process and strong password enforcement. It means ensuring that no asset is missed by monitoring, anti-virus and anti-malware tools. It means monitoring inbound and outbound network traffic and investigating any significant increase in volume, since a sudden burst of outbound data from a host that normally sends little is a classic sign that something on it is no longer under your control. Decades of running our own data center environments, including shared services environments and cloud environments, have taught us that operations that run effectively, efficiently and consistently are the foundation of strict security processes.
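What "investigate any significant increase in volume" can look like in practice, as an added example that is not part of the original article: each host's latest hour of outbound traffic is compared with its own recent history, and a host is flagged only when the hour is large in absolute terms, a multiple of that host's mean, and beyond three standard deviations of its history. The host names and hourly byte counts are constructed; the thresholds are assumptions to be tuned per environment.

```python
"""Outbound-volume spike detection over per-host hourly byte counts.

Added example, not from the original article; host names, traffic figures
and thresholds are constructed. Flags a host whose latest hour is far above
its own recent history, with an absolute floor so quiet hosts do not page.
"""
import statistics

MB = 2 ** 20


def baseline(history):
    """Mean and sample standard deviation of the history window."""
    mean = statistics.mean(history)
    sd = statistics.stdev(history) if len(history) > 1 else 0.0
    return mean, sd


def is_spike(history, latest, k=3.0, min_ratio=2.0, min_bytes=100 * MB):
    """True when `latest` is (a) at least `min_bytes`, (b) at least `min_ratio`
    times the host's own mean and (c) beyond mean + k * stdev. All three must
    hold: (a) suppresses noise from quiet hosts, (b) suppresses a busy host
    that is merely busy, (c) suppresses hosts whose history is itself erratic."""
    mean, sd = baseline(history)
    return latest >= min_bytes and latest >= min_ratio * mean and latest >= mean + k * sd


def find_spikes(per_host, **thresholds):
    """per_host maps host -> [bytes per hour, ...]; the last entry is the hour
    under review and the rest form the baseline window. Returns flagged hosts."""
    return sorted(
        host for host, series in per_host.items()
        if len(series) >= 3 and is_spike(series[:-1], series[-1], **thresholds)
    )


def sample_traffic():
    """Constructed hourly outbound totals, in MB, converted to bytes."""
    sample_mb = {
        "ws-041":   [48, 52, 50, 47, 51, 49, 53, 900],         # quiet workstation suddenly pushing ~1 GB
        "db-02":    [820, 790, 850, 810, 830, 800, 840, 860],  # always heavy; 860 is within its norm
        "ws-117":   [1, 2, 1, 1, 2, 1, 1, 9],                  # 7x its mean, but only 9 MB: below floor
        "build-01": [200, 210, 190, 600, 205, 195, 210, 620],  # erratic history; 620 stays within 3 sd
    }
    return {host: [v * MB for v in series] for host, series in sample_mb.items()}


if __name__ == "__main__":
    print("investigate:", find_spikes(sample_traffic()))   # ['ws-041']
```

Only `ws-041` is returned: `db-02` is loud every hour, `ws-117` never crosses the absolute floor, and `build-01` already has a 600 MB hour in its window, so its standard deviation absorbs the 620. That last case is the trade-off to be aware of: a per-host baseline learns whatever the host usually does, so a host that was compromised before the window started will look normal, which is why the baseline window should be long and why this check belongs alongside, not instead of, rules about destinations.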
5. Review your policies every year and as major changes are implemented.
Assume your processes and policies will degrade over time. Behaviors that aren't reinforced are forgotten. People start taking shortcuts. Things that once made sense are no longer relevant. It's important to go back and check your policies and processes. The frequency and thoroughness of the reviews make a difference as well: conduct them at least annually, and also whenever major changes occur.
6. Remember ransomware is only one piece of the security pie.
Ransomware is the topic du jour, but it is only one of thousands of potential risks. Hardening your defenses requires a deep dive into your "security maturity." What are your business priorities? What are the most likely attack vectors? What is your most critical business asset, and is it given the proper focus and funding in your business continuity plans? This exercise produces a prioritized list of near-term actions and an associated budget, opening a path to a better security infrastructure.
Hybrid IT requires a new approach to security.
Most businesses are not where they want to be when it comes to security. A few decades ago, you could build a perimeter fence around the organization and protect yourself behind it. Now there is no clear perimeter. Everything is interconnected in a complex, hybrid environment: mobile users, APIs exposed to business partners, data stored in the cloud or hosted in a SaaS provider's applications. The focus now is the data itself. Where is your data, who has access to it, and how is it protected? Regardless of whether hackers get access to the network, the key assets that drive your business must remain protected.
Your user base is your first line of defense. Properly trained, users are less likely to fall victim to phishing attacks. That alone can dramatically improve the security of your organization, even before you spend any money on heavy infrastructure and security appliances.