Over the last months I have written several blogs concerning the burgeoning problem of ransomware attacks. Ransomware has been evolving rapidly of late and is liable to explode. According to Kapersky’s predictions for cybercrime in 2021, “cybercrime is set to evolve, with extortion practices becoming more widespread, ransomware gangs consolidating and advanced exploits being used to target victims.” When you add to this such problems as rising business email compromise problems and the difficulties of information security in the age of Covid, you can picture a pretty bleak outlook for data breaches and ransomware attacks next year.
Unfortunately, compromised business email information, weak remote working security practices and advanced vulnerability exploits can all be employed by organized gangs of cybercriminals to perpetrate ransomware; a type of attack that can present businesses with no-win solutions. If you pay the ransom, what is to keep the cybercriminals from revealing your stolen information publicly anyway, or coming back to you again with additional demands for money? If you pay, you can also possibly be in violation of U.S. laws and regulations. If you don’t pay, your private client information could be exposed publicly, possibly exposing you to regulatory sanctions and legal actions.
Of course, the best protection possible is to harden your business and personnel against successful social engineering attacks and cyber exploits. The problem is, no matter how good your information security program, you still may be compromised. To protect your business responsibly in this environment, you need to embrace all aspects of a good information security program: identify, protect, detect, respond and recover. These activities make up the framework core of the NIST Cybersecurity Framework (Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (nist.gov).
Identify basically refers to knowing your business. It includes asset management (i.e. software and hardware inventories), examining the business environment, identifying risk, coming up with a risk management and governance strategy and examining supply chain and third-party risk. If you don’t know your business deeply and exactly, you have little chance of protecting it properly.
Protect refers to all those programs you put in place to prevent cybercriminals from compromising your systems and information in the first place. These functions include access controls, data security measures (i.e. protection for data at rest and in transit), information protection processes and procedures (i.e. configuration and change management control, security policies and procedures, etc.), protective technologies (i.e. email security systems, SIEM, etc.), security maintenance (i.e. patching and updating), and the ever-important security awareness and training.
This leads into the “detect” part of the framework. As we have pointed out in past blogs, all the security systems in the world won’t keep you safe if you don’t actually monitor them and leverage their output to detect anomalies when they occur. And to perform this function properly, you need to involve humans. The human mind remains the most effective detection tool there is.
The last two parts of the framework core are “respond” and “recover”. These basically refer to your incident response and business continuity/disaster recovery programs. As was stated earlier, no matter how good your program is, there is always the possibility of compromise. That is why responding quickly and effectively is so important. This entails both planning and practice. As does business continuity/disaster recovery. Proper planning and realistic testing programs are essential.
Cybercriminals are looking forward to their best year ever in 2021. Do what you can to thwart their ambitions. A good, well rounded information security program is the best you can do in this respect. We recommend embracing the paradigms included in the NIST Cybersecurity Framework in this effort for their clarity, effectiveness and relative ease of implementation.