Ransomware: Five questions you need to ask about your defences, before you get attacked

Ransomware is one of the most dangerous cybersecurity threats facing organisations today, yet many are still under prepared when it comes to protecting networks from attacks, and about what to do if ransomware causes disruption.

High-profile and highly disruptive ransomware attacks have recently hit Colonial Pipeline, Ireland's HSE health service and global food producer JBS. In the case of Colonial Pipeline, the organisation paid a ransom of over $4 million in Bitcoin for the key required to restore the affected IT network.

A ransomware attack can, therefore, be highly damaging when it comes to providing services, it can damage the reputation of the organisation and it can cost a lot of money, both in terms of paying the ransom – if the victim chooses to pay, despite warnings it just funds and encourages criminality – and for restoring and securing the network after an incident.

It's vital that the CEO and the rest of the board are fully equipped with the knowledge to deal with the prospect of a ransomware attack hitting their organisation and are doing as much as possible to ensure this doesn't happen. And in the unwanted event of an incident, they need to be ready with a plan to restore the network, preferably without paying a ransom.

In an effort to provide guidance to CEOs, the UK's National Cyber Security Centre (NCSC) has detailed five key questions for board members to ask about ransomware. 

1. As an organisation and as board members, how would we know when an incident occurred?

One of the reasons why ransomware attacks have become so successful is because the attackers are able to lurk within the network for a long time without being discovered.

Organisations should, therefore, know what their IT infrastructure looks like, what monitoring is in place on their network – especially with regards to critical assets – and be able to identify when something is potentially suspicious, as well as having mechanisms for reporting and investigating that malicious activity.

By identifying potentially suspicious activity on the network, organisations can go a long way to cutting off ransomware attacks before an intruder has had the time to move around the network.

2. As an organisation, what measures do we take to minimise the damage an attacker could do inside our network?

One of the key aims of a ransomware attack is to encrypt as much of the network as possible, so organisations should examine what they can do to slow down or stop ransomware from spreading through systems.

In order to help make it more difficult for malicious intruders to move around the network, organisations can segment networks, preventing the whole network from being compromised by an attacker gaining access to just one device.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

Organisations should also look to implement two-factor authentication across the network as an additional line of defence that makes it harder for malicious intruders to move around the network.

3. As an organisation, do we have an incident management plan for cyber incidents and how do we ensure it is effective?

"Organisations should think in terms of 'when' rather than 'if' they experience a significant cyber incident," warned the NCSC blog post, so it's essential to plan incident response carefully and to practice for it.

SEE: This company was hit by ransomware. Here's what they did next, and why they didn't pay up

The NCSC's recommendations for an incident management plan include identifying the key contacts who need to know about it, clear allocation of responsibility, a conference number for emergency incident calls, as well as contingency measures for critical functions.

4.  Does our incident management plan meet the particular challenges of ransomware attacks?

Some ransomware attacks simply encrypt data and demand a ransom in return for the key. But increasingly, ransomware gangs are engaging in double extortion techniques where they'll steal sensitive data and threaten to release it if they're not paid.

Situations like this might not be in the incident response plan, so it's recommended that plans are made for what would happen in the event that data is stolen – and what a recovery looks like when stolen information, potentially including sensitive data about customers, is published online.

5. How is data backed up, and are we confident that backups would remain unaffected by a ransomware infection?

One of the key things an organisation can do to help protect against the impact of a ransomware attack is to store backups and to regularly update them, as this provides a method of restoring the network relatively quickly without giving into the ransom demand.

However, the board should also seek assurances over what data is deemed critical, how frequently it's backed up and how the backups are stored. Some ransomware attacks will target backups, so it's important to make sure the backups are stored offline and on a separate network to the rest of the organisation.

By asking questions like the above, the boardroom can help make sure that the organisation is as resilient against the growing threat of ransomware attacks as possible.

"Cybersecurity is a board-level responsibility, and board members should be specifically asking about ransomware as these attacks are becoming both more frequent and more sophisticated," said the NCSC guide.

MORE ON CYBERSECURITY

• Ransomware: Dramatic increase in attacks is causing harm on a significant scale
• Ransomware attacks are not a matter of if, but when
• Ransomware: How the NHS learned the lessons of WannaCry to protect hospitals from attack
• Colonial Pipeline CEO confirms $4.4 million ransomware payment
• Ransomware is now a national security risk. This group thinks it knows how to defeat it