What is driving ransomware and what you can do!

Roland Daccache, Systems Engineer Manager META, CrowdStrike.
2 years ago

We all know ransomware attacks pose a serious – sometimes even fatal – threat to businesses. Big name attacks have dominated headlines, but the scale and depth of the problem is perhaps less clear to some.

In a major survey of 2,200 IT decision-makers, CrowdStrike discovered that more businesses than ever – 32% of all those surveyed – were attacked multiple times in 2021 alone, with a further 25% having been attacked just once in the same period. Only 23% said they have not yet experienced a ransomware attack. This untouched proportion is down a massive 10% since the same questions were asked in 2020.

Industry pundits are often quick to blame Covid-19 – emergency changes to protocols, ungoverned devices and remote working – for the ransomware crime wave. That made sense 12 months ago, comparing 2020 with 2019, and the pandemic indeed bore some responsibility for the cyber-crime wave in that period. But the difference in working conditions between 2020 and 2021 was relatively small. One would expect businesses to have achieved some maturity in dealing with remote connections and offsite security.

In fact, the pandemic did provide an opportunity for cybercriminals to grow in experience and sophistication. That growth has led to continued confidence and development in criminals’ tradecraft moving forward. Thus, having received its initial boost, the acceleration in cybercrime has become decoupled from the pandemic. Meanwhile, organisations have frequently failed to catch up, and the range of threats has expanded.

This increased confidence is reflected in the size of the ransoms asked, which has increased by 63% in a single year to an average of $1.79 million, according to the survey. Similarly, the likelihood of multiple attacks against the same targets has increased, either through separate breaches, or further extortion attempts beyond the initial ransom.

Paying up the ransom might sometimes seem the only available option, but it is almost always the wrong choice: 96% of organisations that pay an initial ransom are extorted for further sums equating to $792,493 each, on average. New forms of attack – particularly those conducted through third-party software and its components, known as supply chain attacks – have become more and more prevalent, thanks to the efficacy with which they have often managed to side-step conventional defences.

So how should businesses respond in this ever-bleaker threat landscape?

The first part of the response should be a reassessment of the company’s technology armoury. Old school, signature-based antivirus applications have not been a viable countermeasure for some time. They are entirely ineffective against the targeted, malware-free types of attack that have become most prevalent in recent years.

Next-generation tools will still detect these types of attacks, but the focus has moved on to detecting characteristics, behaviours and mining vast amounts of data in the cloud for anomalies and spreading events.

Alongside endpoint detection and response tools, organisations need to deploy a suite of connected tools that complement these and fill in the gaps in their capabilities. We know, for example, that many attacks begin with legitimate, but stolen, credentials and are undetectable as hostile using conventional means. Thus, authorisation based on usernames and passwords alone is inherently suspect.

Companies should thus be investing in MFA and taking this further with Zero Trust architectures and solutions. Every user and agent on the network remains under scrutiny even after initial authentication. A bad actor with stolen passwords might lie low for months after gaining access, but systems need to be ready to react immediately when they break cover.

Similarly, endpoint detection and response needs to be extended to cover everything that is not an endpoint – cloud servers, connected printers and screens, mobile devices and so forth. This calls for both cloud-specific security solutions and an implementation of eXtended Detection and Response (XDR). But these added technologies need to work together. A plethora of notifications and reports from different solutions will not improve an organisation’s security posture, but rather compromise it, because it becomes too hard to see the one truly vital alert that needs urgent action from a human administrator.

And finally, speaking of humans, we should never disregard their importance in maintaining cybersecurity and creating resilience in organisations. The current state of advanced cybersecurity technology is largely very good, and considerable automation is available. But, even as a technology supplier, we are honour-bound to say over-reliance on technology is always a mistake.

But the survey shows organisations are becoming slower to respond to threats than has historically been the case. It seems that this over-reliance on technology, creating an expectation that nothing bad will happen, is to blame here – but it is turning serious security issues and events, which should be manageable, into full-blown crises.

Trained and experienced people still underpin everything. On the vendor side, human experts continually feed and refine artificial intelligence models, conduct threat intelligence analysis, respond in person to events and test systems for their vulnerabilities. At organisations, people-driven policies and processes are still vital to avoiding and surviving attacks: passwords need to be safe and secured; devices need to be physically secured; disaster response and recovery need to be tested rigorously, emulating the conditions likely after an attack.

While cybercrime has evolved and become stronger, so has our range of defences. But the full range of security and resiliency practices needs to be rigorously and proactively implemented by organisations for those defences to be effective.
