In 2022, several large organizations—including the San Francisco 49ers, Cisco, Macmillan Publishers, Rackspace Technology and the Los Angeles Unified School District—were targets of successful ransomware attacks. In such attacks, hackers take advantage of weak security or user error to introduce malicious software that encrypts victims’ files and/or data, hoping their targets will pay to regain access.
Even though it’s the high-profile attacks that hit the headlines, no one should think they’re immune—if an organization has digital data, that organization is a potential target. Below, 20 members of Forbes Technology Council share essential considerations for organizations seeking to prepare for and respond to a potential ransomware attack.
1. Credentials And Cookies Exposed On The Dark Web
Enterprises often overlook employee credentials and authentication cookies that have been exposed on the dark web through compromised, malware-infected devices. Malware-exfiltrated data can be sold and reused to infiltrate corporate networks and deploy ransomware. To protect their companies and users, security teams should proactively address malware-exfiltrated assets and reset exposed credentials. – Damon Fleury, SpyCloud
2. Offline Backups Of Critical Data
Businesses and organizations overlook having offline backups of critical data. These backups are crucial because they provide a reliable and independent source for data recovery in case of a ransomware incident. With offline backups, businesses can enhance their ability to recover from a ransomware attack, reduce the impact on operations and minimize the need for negotiation with threat actors. – Perry Menezes, MorganFranklin Consulting
3. Layered Security Controls
Today, ransomware is a multistage, multichannel attack. Ransomware doesn’t just originate with a phishing email. The theft of user credentials often starts through mobile messaging or malicious browser extensions (thousands of rogue browser extensions lurk in official extension stores). Security controls must be layered and defend all channels used to launch ransomware—not just email. – Patrick Harr, SlashNext
4. Red Team Exercises And Cybersecurity Simulations
Many firms neglect regular red team exercises and cybersecurity tabletop simulations. Red team exercises test full-scope security measures under real-life attack simulations, while tabletop exercises simulate incidents to evaluate response capabilities. Both identify weaknesses and improve responses, forming essential preparation against ransomware attacks. – Giri Chodavarapu, Omnicell
5. An Incident Response Team
It’s essential to define an incident response team. Time is of the essence when responding to a ransomware attack, and having a clear understanding of roles and responsibilities will ensure critical time is not wasted determining who should be taking action. – Dustin Verdin, Zipline Logistics
6. Cloud Storage Vulnerability
Organizations should remember that their cloud storage is as attractive a target as on-premises servers or endpoints—and just as vulnerable. Since many types of cloud storage are designed to be accessible via the internet, you should take extra precautions to ensure your cloud storage is configured correctly and that there are several security controls in place to protect against data breaches. – Shai Morag, Ermetic
7. Prioritizing Systems And Data
Apart from having regular (preferably daily) backups that are contained off-site to aid in recovery, a business should categorize its systems and data in terms of their importance to the operation of the organization. Leaders should apply additional security countermeasures to harden such systems. Resilience is key to minimizing the impact of a breach, and layers of controls surrounding critical systems and data are vital. – Eoin Keary, Edgescan
8. Validating Restoration Procedures
Businesses frequently forget to keep routine data backups and test their restoration processes. By giving users access to clean data, backups lessen the impact of ransomware attacks, but validating the restoration procedure is essential to ensure their efficacy. Organizations will be able to spot problems early by confirming the accuracy and completeness of their backups. – Neelima Mangal, Spectrum North
9. Recording User And File Movement
Ransomware hackers are savvy and persistent, but they also bluff. Since it’s not a question of if but when an organization will be attacked, it is worth putting in place systems that record user and file movement within an organization. Then, if hackers pretend they have exfiltrated everything from the company, it will be possible to validate their claims before deciding on the best course of action. – Patrick Ostiguy, Accedian
10. Employee Training
One often-overlooked step is employee training. Employees often inadvertently enable attacks by clicking on malicious links or attachments. Regular training on recognizing and avoiding phishing attempts is crucial, as employees are the first line of defense against ransomware attacks. – Nolan Garrett, TorchLight
11. Response Roles
Organizations often overlook incident response plans and mistakenly assume they can simply pay the ransom and return to business as usual. In actuality, if a business decides to negotiate, paying the attacker is just the beginning. It’s essential to define the roles of both your technical and non-technical teams (such as legal counsel or a PR firm) before an attack. – Mike Lefebvre, SEI
12. Risk Management
Establishing risk management processes is often overlooked. Having a workflow everyone—including members of the C-suite—is trained on helps limit the complexities of ransomware attacks. When you’re attacked, it’s all about time, limitation and response. Too often, the process takes too long, with not enough limits and either an overreaction or underreaction to the situation. This allows ransomware attacks to be far more successful. – Tom Roberto, Core Technology Solutions
13. Financial Risk Tolerance
One of the most common steps businesses overlook when preparing for ransomware attacks is determining the level of financial risk they’re willing to tolerate in the event of an attack. If businesses come to a clear understanding of the amount of money they can risk, it will significantly reduce the burden of downstream decisions—such as recovery response—and minimize the impact of the event. – Almog Apirion, Cyolo
14. Time To Recover
One of the biggest costs associated with a ransomware attack is the cost of downtime while IT recovers the environment to a production-ready state. Depending on the type of data protection you have, downtime costs can significantly exceed all other costs. You should deploy technologies that focus on the time to recover to minimize disruption to your business when employees can’t access their data. – Russ Kennedy, Nasuni
15. Forensic Analysis
It’s important to plan for a forensic analysis. In many cases, your contracts with your customers will require you to conduct a post-incident analysis of how the attack happened and what systems and/or data were compromised. However, in the heat of dealing with an incident, you may delete or contaminate the data or systems needed for such analysis. I recommend finding a forensic investigation company before you need them. – Adam Sandman, Inflectra Corporation
16. Cyber Insurance
Organizations often see cyber insurance as a reactive risk-mitigation measure. But insurance providers have broad visibility into thousands of client environments, giving them valuable threat intelligence to keep your security program up to date. Build strong relationships with your provider, engaging in meaningful discussions to gain insights into threats specific to your location and industry. – Ilia Sotnikov, Netwrix
17. Air-Gapped Snapshots Of Local Data
It is impossible to prevent all types of ransomware attacks, since they are changing every hour, every day. One often-overlooked strategy is to make sure that edge sites have implemented an air-gapped approach to storing snapshots of all local data. This way, organizations can ignore the ransomware threats and quickly (within minutes) roll back in time and get up and running. – Bruce Kornfeld, StorMagic
18. Bare Metal Restoration Ability
When preparing against or responding to a ransomware attack, firms typically overlook their ability to perform a bare metal restoration of the impacted platform(s). This includes the ability to restore the base operating system, third-party software, the application code and the data. Not only is this critically important, but this ability needs to be tested on a regular basis. – Mark Schlesinger, Broadridge Financial Solutions
19. Software Modernization
It’s essential for businesses to regularly modernize their software. While it might not be obvious as a cybersecurity threat, outdated software is an open invitation for cybercriminals. Older software simply doesn’t have the necessary means to withstand newly invented ransomware. – Yuriy Berdnikov, Perpetio
20. Communication Plans
Board- and C-suite-level risk management and communication plans are often lacking. Cyberattacks have started to significantly impact companies’ bottom lines, customers and shareholders. At the same time, the Securities and Exchange Commission is bound to tighten security reporting requirements. Thus, solid, predetermined risk assessments and communication plans are essential to protect a company and its customers. – Kevin Korte, Univention