On June 2, Deputy National Security Advisor Anne Neuberger sent a memo from the White House to businesses around the country urging them to take necessary steps to protect against ransomware attacks.
Ransomware attacks surged in 2020 and 2021 as more companies transitioned to remote work. This created a number of vulnerabilities and increased opportunities for bad actors. Just last year, a whopping $350 million in ransomware payouts were made, according to Homeland Security estimates.
Notable ransomware attacks in 2021 include the Colonial Pipeline shutdown (which cut off gas to large parts of the Eastern Seaboard), the JBS S.A. attack (which halted a quarter of American beef operations for two days), and an attack on a water-treatment plant in Florida (which raised the lye in the drinking water to dangerous levels).
Make no mistake: ransomware attacks aren’t just costly and inconvenient; they can be deadly and disruptive. On June 15, NATO updated its stance on cyberattacks, stating in a communiqué that NATO members may, on a case-by-case basis, consider some cyberattacks as an armed attack. The political ramifications are dire.
Enter the Biden administration, in its latest efforts to encourage businesses to ramp up protections and stifle the growing cyber threats. In its June 2 memo, the administration claims that the Federal government is making headway to “disrupt and deter ransomware actors” around the globe. It also notes that the private sector has a critical responsibility in protecting against these threats, as well.
The memo also listed five best practices:
- Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.
- Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
- Test your incident response plan: There’s nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
- Check Your Security Team’s Work: Use a 3rd party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
- Segment your networks: There’s been a recent shift in ransomware attacks – from stealing data to disrupting operations. It’s critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.
The best practices presented in the June 2 memo are necessary and beneficial steps that every business must take in order to mitigate and protect against cyber threats. However, they are the minimum of what must be done. In other words, these practices are, at best, non-exhaustive.
The list doesn’t tell the whole story. We advise considering a full business continuity strategy that incorporates security standards. Keep in mind that no “best practices” list is perfect for your business. You must consider your own needs.
Consider the following three elements when assembling a list of necessary steps for your organization:
- Security deployment
You must plan for a situation in which you are a victim of an attack. The disaster recovery cycle looks different from attack to attack, but the cost of such an attack is more than just the ransom paid in cash. There are days and potentially weeks of downtime without the right plan in place.
You must also consider the configuration and availability of your systems. Yes, patching is important, but configuration is the starting point. According to a report from Coveware, 45 percent of ransomware attacks originate from RDP for organizations of 10,000 to 25,000 employees.
Also consider the password guidelines from the National Institute of Standards and Technology to ensure you use safe passwords and that you never reuse passwords. You should implement multifactor authentication (MFA). If you are going to rely on network segmentation, consider other tools and network audits to limit threat actors’ lateral movement.