How to Prevent Ransomware and Cyberattacks

Friday, July 14, 2017

Steven Minsky


The impacts of ransomware and other breaches, which exploit failures in risk management, are preventable. The WannaCry ransomware attack was the most widespread of its kind in history. It took advantage of a Windows vulnerability – one detected and resolved months ago – encrypting victims’ data and demanding a ransom payment for decryption.

More recently, many organizations in Europe and the US have been crippled by a second ransomware attack, known as “NotPetya” or “GoldenEye.” NotPetya was a malicious, destructive attack disguised as ransomware.

The scope and speed of these new attacks are major wake-up calls for organizations around the globe; an attack can come at any time, and failing to implement a strong prevention strategy is a recipe for disaster. Often, when a cyberattack is resolved (or even while it’s still ongoing), unaffected organizations instinctively dismiss its significance, assuming the dangerous mindset that their business’s operations are different and won’t be affected. This frame of mind fails to acknowledge that the mistakes made by cyberattack victims are typically shared by many others.

Consider the ever-increasing capabilities of cyberattackers. Constantly improving technologies allow attackers to evolve their strategies, find new points of entry, and make themselves harder to detect. Your security and business continuity programs must stay one step ahead of this evolution, a process that requires implementation across departments and levels.

Cyberattacks – alongside all risk management failures – are entirely preventable with good governance and integrated risk management processes. The standardization and automation of these components do not require a revolution in your operational structure. They are achieved through centralized monitoring and policy operationalization, making sure you adhere to best practices without exception. Senior leadership can then use the information gathered to make informed strategic decisions.

The traditional understanding of departmental interaction – namely that each department conducts its own operations and is most qualified to evaluate its own risk profile – creates cracks through which incidents and attacks can slip. A truly integrated approach, requiring strong governance and board oversight, illuminates vulnerabilities shared by departments. This allows for efficiency (and efficacy) through collaboration and allocation of responsibilities.

Poor governance and operationalization have led to risk management failures, including those seen at Target, Ashley Madison, Dwolla, and Wendy’s. These breaches would have been prevented not with complex, expensive technology, but with improved governance processes.

Strengthening Cybersecurity and Preventing Surprises with Good Governance

Enterprise risk management accomplishes more than simply identifying new risks and to-do items. By revealing the interdependencies and interactions between departments, applications, vendors, and other resources, it closes the gap between policies and everyday operations. This makes it easier to resolve known issues and prevent scandals. For example, which applications contain sensitive data that might have a material impact on your reputation? Which departments use those applications, and which policies and controls (if any) currently address those weaknesses? Are these policies and other mitigation activities effective in addressing this risk?

Going back to WannaCry, prevention would have been as simple as automated alerts. Alerts would have prompted verification that appropriate Windows patches were implemented, followed by a report of all critical systems not covered by patch deployments. This is a good example of the importance of governance over existing processes, as opposed to the wasteful alternative of expensive technology solutions that may not even address future issues.

It’s a known fact in the security community that, due to human or technology errors, 10-15% of authorized, scheduled patches are not implemented. Resulting vulnerabilities are often detected by the “right” people (in this case, Windows itself) before they are by the “wrong” people, but when fixes aren’t implemented punctually, the risk remains. Notifications remove the possibility that risk goes unaddressed.
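The two paragraphs above describe the check that would have caught the WannaCry exposure: verify that every scheduled patch has actually landed, then report the critical systems it missed. The following is an added example of that report (not code from the article or from LogicManager); the inventory, the patch identifiers and their deployment dates are constructed sample data standing in for what a CMDB and patch-management system would supply.

```python
"""Patch-coverage report: which systems are still missing approved patches?

Added example, not from the article. The inventory and patch list are
constructed; the patch identifiers are placeholders, not real KB numbers.
"""
from dataclasses import dataclass, field
from datetime import date

# Approved patches and the date by which each was scheduled to be deployed
# (constructed data).
SCHEDULED_PATCHES = {
    "PATCH-A": date(2017, 3, 28),
    "PATCH-B": date(2017, 5, 9),
}


@dataclass
class Host:
    name: str
    criticality: str                          # "critical", "high" or "standard"
    installed: set = field(default_factory=set)  # patch ids confirmed installed


# Constructed inventory: what a CMDB export might look like.
INVENTORY = [
    Host("dc01", "critical", {"PATCH-A", "PATCH-B"}),
    Host("fileserver02", "critical", {"PATCH-A"}),
    Host("hr-app01", "high", set()),
    Host("kiosk07", "standard", {"PATCH-A"}),
]

PRIORITY = {"critical": 0, "high": 1, "standard": 2}


def missing_patches(hosts, scheduled, as_of):
    """Return (host, [overdue patch ids]) for every host missing at least one
    patch whose scheduled deployment date has passed, most critical first."""
    findings = []
    for host in hosts:
        overdue = sorted(p for p, due in scheduled.items()
                         if due <= as_of and p not in host.installed)
        if overdue:
            findings.append((host, overdue))
    findings.sort(key=lambda f: (PRIORITY[f[0].criticality], f[0].name))
    return findings


def coverage_rate(hosts, scheduled, as_of):
    """Fraction of (host, due patch) pairs that are actually installed; this is
    the number to track against the 10-15% slippage the text mentions."""
    due = [p for p, d in scheduled.items() if d <= as_of]
    total = len(hosts) * len(due)
    if total == 0:
        return 1.0
    installed = sum(1 for h in hosts for p in due if p in h.installed)
    return installed / total


def alert_lines(findings, min_criticality="high"):
    """Render notification lines for hosts at or above the given criticality."""
    cutoff = PRIORITY[min_criticality]
    return [f"[{h.criticality.upper()}] {h.name} missing: {', '.join(ps)}"
            for h, ps in findings if PRIORITY[h.criticality] <= cutoff]


if __name__ == "__main__":
    today = date(2017, 5, 12)
    found = missing_patches(INVENTORY, SCHEDULED_PATCHES, today)
    print(f"coverage: {coverage_rate(INVENTORY, SCHEDULED_PATCHES, today):.0%}")
    for line in alert_lines(found):
        print(line)
```

The report deliberately keys off the scheduled deployment date rather than the patch release date, so a patch still inside its approved change window does not raise noise, while anything past its window on a critical host is escalated immediately.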

Mitigating risks presented by any cyberattack can take place at your organization today. If necessary, the following steps can be performed on a manual basis, but for long-term sustainability, use a centrally managed, risk-based approach.

Off-site backups are your first and most basic line of defense. Frequency and scope will be different for each organization; your security team should collaborate with senior leadership to determine minimum standards. Has a restoration test been performed, ensuring that your infrastructure and applications can be restored? Can backup data actually be used within your stated recovery time objective (RTO)? Your RTO is the maximum “downtime” window that can be tolerated for a particular process before financial, reputational, or legal damage occurs.

Most organizations have formal internal policies, but few identify the risks associated with these policies. After risks are identified, regular tests and notifications verify that these risks are mitigated. Backups take time, and without a risk-based approach to prioritizing data and the application infrastructure, much existing activity is wasted. The relationships between your people and resources, once identified, reveal what is integral to critical functions.

Backups form one piece of your overall business continuity and disaster recovery (BC/DR) plan. The BC/DR plan needs not only to be created but to be tested regularly. Most backup systems only preserve data, not the application infrastructure. Restoring that layer requires a second level of testing: can the applications and infrastructure be reestablished, and will they be compatible with the restored data? Test your organization’s ability to perform a “clean recovery,” or total restoration of all data. The program cannot be considered fully operational until those regular tests are in place. Without an operationalized BC/DR program, it is difficult, if not impossible, to recover from an attack within the required timeframe.
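The preceding paragraphs set out three questions a restore drill must answer: did the data come back intact, did the application layer come back with it, and did the whole thing finish inside the RTO. Below is an added example of scoring one drill that way (not code from the article or from LogicManager). The backup set, its manifest of digests, the required application artifacts and the restore timings are all constructed; `simulate_restore` stands in for a real restore to an isolated host so the drill can exercise the failure modes the text warns about, including a data-only backup that leaves the application unrecoverable.

```python
"""Restore drill: does a backup come back intact, with its application layer,
inside the RTO? Added example, not from the article. All inputs are constructed.
"""
import hashlib
from datetime import timedelta


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed backup set: data files plus the application/infrastructure pieces
# needed to bring the service back (config, schema).
BACKUP_SET = {
    "data/orders.csv": b"id,amount\n1,10.00\n2,25.50\n",
    "data/customers.csv": b"id,name\n1,alice\n2,bob\n",
    "app/config.ini": b"[db]\nhost=dbserver\n",
    "app/schema.sql": b"CREATE TABLE orders(id INT, amount DECIMAL);",
}
# Digests recorded at backup time; the drill compares restored content to these.
MANIFEST = {path: sha256(content) for path, content in BACKUP_SET.items()}
# The application-layer artifacts a "clean recovery" must bring back.
REQUIRED_APP_ARTIFACTS = {"app/config.ini", "app/schema.sql"}


def verify_restore(restored: dict, manifest: dict) -> dict:
    """Compare what came back against the manifest: paths missing entirely and
    paths whose content no longer matches the recorded digest."""
    missing = sorted(p for p in manifest if p not in restored)
    corrupted = sorted(p for p, digest in manifest.items()
                       if p in restored and sha256(restored[p]) != digest)
    return {"missing": missing, "corrupted": corrupted}


def restore_drill(restored: dict, manifest: dict, elapsed: timedelta,
                  rto: timedelta, required_app=REQUIRED_APP_ARTIFACTS) -> dict:
    """Score one drill. 'elapsed' is the measured wall-clock time of the restore.
    Data and application problems are reported separately so a data-only backup
    shows as 'data intact, application not restored' rather than as one blur."""
    check = verify_restore(restored, manifest)
    problems = check["missing"] + check["corrupted"]
    data_problems = sorted(p for p in problems if p not in required_app)
    app_problems = sorted(p for p in problems if p in required_app)
    result = {
        "data_intact": not data_problems,
        "application_restored": not app_problems,
        "within_rto": elapsed <= rto,
        "detail": {
            "data_problems": data_problems,
            "app_problems": app_problems,
            "elapsed_minutes": elapsed.total_seconds() / 60,
        },
    }
    result["passed"] = all(result[k] for k in
                           ("data_intact", "application_restored", "within_rto"))
    return result


def simulate_restore(backup: dict, drop=(), corrupt=()) -> dict:
    """Stand-in for a real restore; 'drop' omits paths, 'corrupt' alters content."""
    out = {p: c for p, c in backup.items() if p not in drop}
    for p in corrupt:
        if p in out:
            out[p] = out[p] + b"\x00"   # simulated truncation / bit-rot
    return out


if __name__ == "__main__":
    rto = timedelta(hours=4)
    clean = restore_drill(simulate_restore(BACKUP_SET), MANIFEST,
                          timedelta(hours=2), rto)
    data_only = restore_drill(simulate_restore(BACKUP_SET, drop=REQUIRED_APP_ARTIFACTS),
                              MANIFEST, timedelta(hours=2), rto)
    print("clean drill passed:", clean["passed"])
    print("data-only drill:", {k: v for k, v in data_only.items() if k != "detail"})
```

The manifest is what makes the drill meaningful: without digests captured at backup time, a restore that silently returns truncated files would still look successful. The RTO comparison uses the measured restore time, so a backup that is perfectly intact but takes five hours against a four-hour RTO still fails the drill.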

Most organizations also understand access rights from a policy point of view. However, are access rights managed effectively for all users? The principle of least privilege, by which a company grants employees only the access they need to perform their duties, limits vulnerability without compromising efficiency. Begin this process by implementing and enforcing password complexity and change requirements. Rights then need to be defined and updated regularly by engaging front-line managers. Ransomware and breaches target the weakest links in an organization, often through vendors and supply chains.

With an ERM solution, you can maintain an effective asset management process by determining which applications, devices, and other resources require access rights protection. The next step is to create transparency into how effective policies are over these processes.

Through good governance, you can make sure everyday activities are aligned with leadership’s strategic goals. An integrated risk management approach reduces overall exposure and allows the organization to better leverage existing assets and prevent potentially disastrous disruptions like the WannaCry attack – without committing additional budget to security technologies.

About the author: Steven Minsky is the CEO of LogicManager, the leading provider of ERM solutions. Steven is also the author of the popular Risk Maturity Model, RIMS State of ERM Report, a frequent contributor to blogs and press, as well as an instructor on many risk management topics.

