By James Holton, Trustmarque’s Cyber Security lead.
Ransomware is back in the news, which is bad news. But the good news is, you can significantly reduce your risk by following some straightforward ransomware guidance. Unfortunately, there is no silver bullet, and relying on one single solution is likely to leave you at risk. A measured approach, delivered in depth, is the guidance given by Trustmarque, Capita, and the NCSC.
Very simply speaking, ransomware is a type of malware that holds your data for ransom and demands a payment (normally in a cryptocurrency like bitcoin). It can affect anything from a single isolated laptop, where the inconvenience is minimal, to a mission-critical server that holds sensitive data. In the latter case, the criminals’ ransomware demands can jump from the hundreds to tens of thousands, and the organisation is left crippled.
When data is the new gold, ransoming that data is big business.
It’s big news and it’s big business. This could explain why we’re seeing a rise in enterprise ransomware even as overall ransomware numbers decrease. The average organisational ransom in 2019 was between £10,000 and £28,000.
One of the most infamous examples is WannaCry in the NHS. The Department of Health and Social Care has put the cost of WannaCry in the NHS at £92m in direct costs and lost output, and it affected at least one-third of NHS trusts and approximately 8% of GP practices in England.
Our strong advice to our clients is not to make a knee-jerk purchase of a single technology, thinking it will solve the threat in one fell swoop. It’s likely that this approach, and the overconfidence that comes with it, will leave you more exposed than before. Here we’ll provide some guidance on how to balance your approach and how you can deliver that security in depth with your vendors and partners.
Defence in depth and what that depth should look like
Defence in depth simply means that you’ll have more opportunities to spot an attack and stop it. Being overly reliant on a single technology can leave you exposed to that vendor’s effectiveness. No solution has 100% coverage all the time; there are occasional dips. There is additional risk too if that technology isn’t deployed 100% of the time on every device in the organisation.
Prevent malware being delivered
- Email scanning – 92% of ransomware was delivered by email. Use the best you can afford and make sure that it is scanning both links and attachments.
- Web filtering – 7% of the rest of the threats are “drive-by downloads” that happen when visiting malicious sites. Prevent both these and the “call to action” by using good quality web filtering.
- Strong Identity and Access Management – use Multi-Factor Authentication (MFA) and prevent the use of Remote Desktop Protocol (RDP) if possible. An attacker will move around your network trying to find where they can do the most damage.
- Detecting lateral movement – behaviour that is suspicious rather than malicious can be difficult to detect, but there are solutions that can monitor lateral movement before a big attack.
Your last line of defence – make it good
- Endpoint security. Use the best you can afford. An up-to-date endpoint suite should prevent both known and unknown attacks (using Machine Learning) and provide exploit prevention. Advancements in Endpoint Detection and Response (EDR) can also give you invaluable information for understanding lateral movement and suspicious behaviour in your organisation.
- Patch or virtually patch. Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks. WannaCry in the NHS is an example that could have been avoided by deploying a patch that had been readily available for some time.
- Train your users. This is often completely overlooked, but most ransomware exploits unaware users and fools them into submitting details or clicking a link. Your users must be front and centre of your ransomware defence, ensuring they can report rather than detonate the attack.
Your ransomware disaster recovery plan should cover how you’re backing up critical data and how you ensure that the ransomware can’t also encrypt your backups. Watch our latest webinar ‘Data in an on-Demand world’ and find out how to keep up with the demands of users and customers and stay ahead of the curve with compliance.
Create a culture of quick response
Encourage a culture of awareness and quick response by making sure communication methods are there to report an incident. How are you going to handle the forensics and the clean-up? Do you want to have an internal team or an outsourced team on retainer?
Trustmarque can help you get IT right
Our cyber security team is available to assist you with your anti-ransomware and wider cyber security solutions. We work with over 55 security vendors and are accredited to deliver Microsoft Security, and as such are perfectly placed to give you the best guidance for your organisation’s particular requirements. They will help you understand which vendors are the best fit for you and what can be delivered by Microsoft.
If you’ve found this ransomware guidance useful and want to learn more, we are holding a webinar dedicated to combatting ransomware. Register to learn more about how you can protect your organisation.
However, if you want more immediate help, you can speak to your Trustmarque Account Manager or book a cyber security workshop that provides expertise across a number of areas, including ransomware protection, and helps you understand your cyber security challenges and solutions.