Ransomware events quadrupled in 2016, with an average of 4,000 attacks occurring every day, according to research from IBM Security. Adding to the pain are new varieties of ransomware that have continued to emerge and evolve using more sophisticated techniques. Kaspersky Lab found 62 new variants of ransomware in 2016, and we expect this trend to continue in 2017.
Here are three things you can (and should) do to mitigate your company’s risk of a devastating ransomware attack in 2017.
Review your technical controls. A comprehensive technical controls review will help your company answer a host of crucial questions. Where is our most important data located? Do we have visibility into which users access which files and when? Do we know what permissions and privileges users have? Is that information being fed into a centralized logging and monitoring system?
A good guide for reviewing technical controls is the CIS Top 20. Reviewing your standing against the CIS Top 20 includes auditing your authorized and unauthorized devices, authorized and unauthorized software, and revisiting your security configurations.
The controls that are particularly important when it comes to ransomware are CSC 10: Data Recovery Capability, which pertains directly to business continuity, disaster recovery, and emergency response planning; CSC 8, which is about malware defenses; and CSC 19: Incident Response and Monitoring.
Develop an incident response plan. Once you’ve reviewed your technical controls and are confident that they are designed well, it’s time to invest energy in incident response and data recovery. Ask your IT and cybersecurity leaders some pointed questions. Who is responsible for incident response at the organization? And more specifically, who is on call? Who is responsible for what aspect? Do they have a documented plan specific to dealing with ransomware? How long will it take to recover backups in the event of a catastrophic ransomware attack?
If you arrive at work to find all your files encrypted, or learn that an employee has opened a malware-infected email, it will be absolutely critical to have both a generic and an attack-specific incident response plan ready to go. In addition to knowing who is responsible for IT disaster recovery and incident response, you'll want to ensure that recovering your company's data and files is relatively simple and painless, because data backups are a frequent prescription against ransomware. Assuming you already back up your data, the logical next step is to demonstrate how quickly you can restore these files. Many companies routinely back up their data, but few test that those backups really do work and can be restored effectively.
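The restore test described above, as an added Python example that is not part of the original article: it records file hashes when the backup is taken, times a restore, and reports files that come back missing or altered. The function names, the 60-second recovery target and the directory copy standing in for a real backup tool are assumptions, and the sample files are constructed.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

def build_manifest(root):
    """Map each file's relative path to its SHA-256 (recorded at backup time)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def restore_drill(manifest, restore_fn, target, rto_seconds):
    """Run restore_fn(target), time it, and compare the result to the manifest."""
    start = time.monotonic()
    restore_fn(target)
    elapsed = time.monotonic() - start
    restored = build_manifest(target)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(k for k in manifest
                       if k in restored and restored[k] != manifest[k])
    within_rto = elapsed <= rto_seconds
    return {"missing": missing, "corrupted": corrupted,
            "elapsed_seconds": elapsed, "within_rto": within_rto,
            "passed": not missing and not corrupted and within_rto}

def demo():
    """Constructed sample data: one healthy backup and one that silently degraded."""
    work = Path(tempfile.mkdtemp())
    prod, healthy, degraded = work / "prod", work / "healthy", work / "degraded"
    (prod / "finance").mkdir(parents=True)
    (prod / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
    (prod / "hr.txt").write_text("employee list\n")
    (prod / "readme.txt").write_text("hello\n")
    manifest = build_manifest(prod)            # taken when the backup is made
    shutil.copytree(prod, healthy)
    shutil.copytree(prod, degraded)
    (degraded / "hr.txt").write_text("")       # truncated file in the backup set
    (degraded / "readme.txt").unlink()         # file the backup job skipped
    # Hypothetical restore step: a directory copy stands in for the backup tool.
    good = restore_drill(manifest, lambda t: shutil.copytree(healthy, t), work / "r1", 60)
    bad = restore_drill(manifest, lambda t: shutil.copytree(degraded, t), work / "r2", 60)
    shutil.rmtree(work)
    return good, bad

if __name__ == "__main__":
    for report in demo():
        print(report)
```

Keep the manifest somewhere the backup job and production hosts cannot overwrite, so that a drill compares restored files against hashes ransomware could not have touched.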
Simulate an attack. Now it's time to take action – after all, how can you know how prepared you are unless you actually test it? The fact is that most organizations do not know what would happen until they experience real-world ransomware.