By Harish Soni
Ransomware attacks can devastate and disrupt any business, potentially inflicting financial losses in the millions.
While cyberattacks aren’t new, they’re becoming more pervasive and repetitive, particularly as bad actors evolve and refine their malicious techniques.
One recent study1 found 76% of global organizations experienced an attempted ransomware attack in the past year, 64% suffered a successful infection, and only half of those who made an initial ransomware payment regained access to their data. Over two-thirds of respondents experienced multiple, separate ransomware infections.
What’s more, an IDC report2 found 25% of ransomware victims experienced business disruptions lasting a week or longer.
It’s no surprise cyberattacks are on the rise—they’re easier and cheaper to pull off than in prior years. What surprises me is the lack of advanced planning to thwart the attacks. C-suite leaders often develop business continuity plans on the fly during or after an attack. By then, it could be too late. A successful attack can force even the most secure organizations to negotiate with ransomware threat actors.
The good news is it doesn’t have to be this way. These scenarios are largely avoidable when enterprises have smart cyber resiliency strategies in place. While even the most insulated companies can’t prevent every imminent ransomware attack, it’s possible to protect data and critical business processes well in advance, getting a step ahead of would-be bad actors and their demands.
Start by identifying the minimum viable company
One of the keys to thwarting a cyberattack is anticipating risk early: protect your data against exposure, and protect your backups so that you can actually recover from them.
The first step toward this level of preparedness is identifying the minimal viable company—the bare necessities your organization needs to run critical business processes, as well as key systems and data linked to them. Here’s how:
- Assess the criticality of each business unit to the organization and the impact of its downtime. Without a sound business impact analysis, organizations respond poorly when compromised and cannot size their cyber insurance adequately. Anticipating the impact helps build stronger resilience plans and identifies the investments needed to protect the business.
- Identify critical stakeholders who will need to be involved if the organization is compromised. Plan to assign specific roles and responsibilities to teams—from finance and legal to IT and social media—that will be tapped if there’s a cyberattack.
- Determine what data needs to be protected and where it resides. Knowing the key data of every business unit, and building a structure that controls where it lives and who can access it with which permissions, helps avoid data leakage.
- Develop a plan to protect this data and determine how it will be recovered. Make sure the plan addresses immutability (copies that cannot be altered or deleted), isolation (copies kept apart from the production environment), analytics (scanning copies to confirm they are clean), and orchestration (automating the restore). Covering all these bases can help speed recovery time.
How to protect your data against exposure
Many enterprises underestimate the importance of keeping confidential, proprietary, or otherwise regulated data separate and secured. In cases where such data was stored in a shared location accessible to multiple business units, post-incident log analysis showed highly sensitive data leaving the organization during the attack, because the business unit the attackers compromised had access to the whole drive.
Once you identify what constitutes those types of information in your organization, the next steps are to classify the data, organize it, and apply the right data loss prevention policy. After that, put the data and its access points through the essential controls: encryption, identity authentication backed by multifactor authentication, and an explicit decision about who should be granted access and why.
We recently worked with a compromised customer in the manufacturing industry. When we asked the CISO about the possibility of data leakage, he was confident there was none—because the team had prepared for the worst. The organization had the right controls to access, share, transfer, and monitor critical assets—which ultimately provided confidence that the company’s data was safe from leakage. It was a textbook example of how identifying your key data and protecting it can drastically change the outcome of a ransomware attack.
How to protect your backups for recovery
Many organizations keep their backup servers within the same virtual infrastructure that an attacker encrypts. When that happens, the organization cannot recover from those backups and has to fall back on alternate sources, such as non-production environments, and then rebuild multiple servers from scratch.
It’s not an optimal situation.
Better to keep backed-up copies of the identified critical systems and access points in an air-gapped zone, on WORM (write once, read many) storage. This precaution isolates both the copy and the access to it from the production environment. The copy can then be scanned and marked clean, automated recovery can proceed, and business functions can come back online.
These steps help ensure clean data recovery, especially when cyber-attackers target backup servers as well.
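The four properties the plan above calls for (immutability, isolation, analytics, orchestration) and the air-gapped WORM copy described in this section can be modelled in a few dozen lines. The following is an added example and not code from the original article or from Kyndryl: a minimal write-once vault that refuses overwrites and early deletes, records an HMAC tag for every copy under a key that stays in the isolated zone, and a recovery routine that walks copies newest-first, checks the tag, scans the contents with simple ransomware heuristics, and restores from the newest copy that is both intact and clean. The vault API, the manifest key, the entropy threshold, the ransom-note markers and the sample backups are all constructed for this demonstration.

```python
"""Added example, not code from the original article or from Kyndryl: a model
of an air-gapped WORM backup vault with retention locks, plus the recovery-time
scan that checks each copy's integrity tag and content before marking it clean.
The vault API, key, thresholds, markers and sample snapshots are constructed."""
import hashlib
import hmac
import math
from collections import Counter

RETENTION_DAYS = 30       # assumed retention lock; real vaults set this per policy
ENTROPY_THRESHOLD = 7.0   # bits per byte; plaintext business data is usually 4 to 5
RANSOM_NOTE_MARKERS = ("DECRYPT", "RESTORE_FILES", "HOW_TO_RECOVER")  # constructed


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ransomware-encrypted files approach 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


class WormVault:
    """Write-once, read-many store: a key is written once, and deletes are refused
    until its retention lock expires. The manifest key never leaves the isolated
    zone, so an attacker on the production network cannot re-tag an altered copy."""

    def __init__(self, manifest_key: bytes, retention_days: int = RETENTION_DAYS):
        self._objects = {}   # key -> (snapshot dict, day the lock expires)
        self._tags = {}      # key -> HMAC tag recorded at ingest
        self._key = manifest_key
        self.retention_days = retention_days

    def _tag(self, snapshot: dict) -> str:
        h = hashlib.sha256()
        for name in sorted(snapshot):   # canonical order so the digest is stable
            h.update(name.encode() + b"\0" + snapshot[name] + b"\0")
        return hmac.new(self._key, h.digest(), "sha256").hexdigest()

    def put(self, key: str, snapshot: dict, today: int) -> None:
        if key in self._objects:
            raise PermissionError(f"{key}: exists; WORM store refuses overwrite")
        snap = {n: bytes(d) for n, d in snapshot.items()}   # defensive copy
        self._objects[key] = (snap, today + self.retention_days)
        self._tags[key] = self._tag(snap)

    def delete(self, key: str, today: int) -> None:
        if today < self._objects[key][1]:
            raise PermissionError(f"{key}: retention lock still active")
        del self._objects[key], self._tags[key]

    def snapshot(self, key: str) -> dict:
        return dict(self._objects[key][0])

    def verify(self, key: str) -> bool:
        """Recompute the tag over the stored bytes; constant-time compare."""
        return hmac.compare_digest(self._tag(self._objects[key][0]), self._tags[key])

    def keys(self) -> list:
        return sorted(self._objects)


def scan_snapshot(snapshot: dict) -> list:
    """Findings that stop a copy being marked clean (a heuristic, not a full AV scan)."""
    findings = []
    for name, data in snapshot.items():
        if any(m in name.upper() for m in RANSOM_NOTE_MARKERS):
            findings.append(f"ransom note: {name}")
        elif name.endswith((".locked", ".encrypted")):
            findings.append(f"ransomware extension: {name}")
        elif shannon_entropy(data) > ENTROPY_THRESHOLD and not name.endswith((".zip", ".gz", ".png")):
            findings.append(f"high-entropy content in {name}")   # encrypted in place
    return findings


def newest_clean_backup(vault: WormVault):
    """Walk copies newest first; return the first that verifies and scans clean."""
    for key in reversed(vault.keys()):
        if vault.verify(key) and not scan_snapshot(vault.snapshot(key)):
            return key
    return None


def build_demo_vault() -> WormVault:
    """Constructed data: days 1 and 2 are clean, day 3 was captured after infection."""
    vault = WormVault(b"demo-manifest-key-kept-in-isolated-zone")
    clean = {"erp/orders.csv": b"order_id,customer,total\n1001,ACME,1200.50\n" * 40,
             "finance/ledger.db": b"ledger v1\n2024-06-01 rent 2500.00\n" * 40}
    vault.put("backup-2024-06-01", clean, today=1)
    vault.put("backup-2024-06-02", clean, today=2)
    encrypted = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # stand-in ciphertext
    infected = {"erp/orders.csv.locked": encrypted,   # renamed by the ransomware
                "finance/ledger.db": encrypted,        # encrypted in place, same name
                "HOW_TO_RECOVER_FILES.txt": b"Your files are encrypted. Pay to decrypt."}
    vault.put("backup-2024-06-03", infected, today=3)
    return vault


if __name__ == "__main__":
    print("restore from:", newest_clean_backup(build_demo_vault()))
```

Running the block restores from `backup-2024-06-02`: the day-3 copy verifies (nothing in the vault altered it) but fails the content scan on all three files, which is the case the article warns about, a backup taken after infection that is intact yet useless. The entropy heuristic is deliberately crude; compressed or legitimately encrypted files also score high, so a production scan pairs it with an allowlist of expected formats and a real malware scanner. The retention lock is enforced in the vault's own code path, not by the caller's privileges, which is what keeps a domain admin credential stolen from production from emptying the air-gapped copies.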
Bringing a cyber resiliency mindset to life
At a time when ransomware attacks are among the biggest cyber threats to enterprises, much can be done to integrate a “no-ransom” mindset into cyber resiliency plans. Enterprises need to invest more time in zero-trust architectures and in business continuity plans that are exercised against simulated ransomware attacks before a real one occurs.
There are multiple layers to protecting data, and companies need to cover all of them to keep data safe from unauthorized access, corruption, or theft.
However, many organizations still favor a siloed approach—addressing data classification, data access, encryption, masking, education, and awareness as standalone tactics, when it pays to view them holistically.
As the threat landscape continually evolves, better-prepared enterprises can get a step ahead of attackers, countering crippling data losses and business disruptions to maintain business as usual.
Harish Soni is the Cyber Resiliency Practice Leader at Kyndryl India.
1 2023 State of the Phish Report, Proofpoint, February 2023
2 IDC, Building Resilience in a Digital-First World, Doc #EUR149691722, October 2022