Modern ransomware attacks are becoming increasingly complex and can have catastrophic effects on organisations. Knowing how to protect your business from ransomware – and other forms of attack – before one takes place will help you to mitigate the dangers.
Following on from his first blog exploring today’s evolving ransomware threats, Adam Thompson, our Team Lead for Governance, Risk and Compliance, looks here at what your organisation can do in terms of cyber-attack mitigation strategies.
The simple truth is that there is no one way to completely mitigate the threat of any kind of malware (malicious software). Good information security and cyber security require the design and implementation of risk-based controls that apply across people, process and technology.
Modern businesses are increasingly complex, both technically and structurally, so organisations need to first understand their own inner workings before they can start applying controls that will make their security effective.
Given that it’s so difficult to completely protect your organisation from ransomware cyber-attacks, the advice from the UK’s National Cyber Security Centre (NCSC), and from us at Content+Cloud and Perspective Risk, is to adopt a ‘defence-in-depth’ approach. This involves layering your defence with incident mitigation in mind at every level – whether people-based, process-based, or technology-based.
It has long been a security proverb that cyber-attacks are no longer a question of if, but when. The defence-in-depth approach can help organisations ensure they are taking steps to limit the breadth and depth of the impact of a ransomware attack and speed up their response.
Steps you can take to protect your business from ransomware
The good news is that you don’t have to start with a blank page, as there are good practices that you can follow. At Content+Cloud and Perspective Risk, we recommend a phased approach to implementing controls to mitigate the threat of malware. This approach is based on guidance from not only the NCSC, but also the National Institute of Standards and Technology (NIST) in the US.
In its Cyber Security Framework, NIST identifies five functions for organisations to follow – Identify, Protect, Detect, Respond and Recover. Read on to find out how this cyber security framework can help you mitigate the threat of an attack.
Identify: understanding information and cyber security risk
Identify is the most important aspect of these five phases, as you cannot protect what you do not know about. At the very beginning, you need to develop an understanding of how to manage the risk to people, data, systems, assets and capabilities across your organisation. There are a number of steps that are essential for your organisation to take if you want to effectively identify these risks.
- Develop an understanding of your organisation’s business context (i.e. what it does, the business objectives, core functions) and the information assets that support this.
- Identify the related information security risks so your organisation can focus and prioritise remediation efforts.
- Improve security in line with a risk management strategy and your business needs.
- Manage supply chain risks, including potential ingress routes for ransomware, and ensure response and recovery planning is carried out with suppliers and third-party providers.
This is just the first step of the Cyber Security Framework. Once you’ve identified the risks, it’s time to start thinking about how you can deal with them.
Protect: creating cyber security safeguards
The Cyber Security Framework’s Protect function directs organisations to develop and implement appropriate safeguards that will ensure delivery of critical services. This function helps them to limit or contain the impact of a potential cyber security attack. The key actions your organisation can take are as follows:
- Review and secure identity and access management (IAM) mechanisms.
- Implement security processes and procedures by creating end-to-end workflows and reviewing the controls at each step of those workflows.
- Securely design, implement and configure protective technologies (across IAM, networks, endpoints, cloud environments and communications).
- Develop and run security awareness, education and training programmes across your organisation to improve your ‘first line of defence’ – your people.
- Maintain information assets with planning, approval and logging processes that are carried out securely.
There are of course many specific controls that can be considered to support the above areas, but by utilising intelligent protection strategies, your organisation will be in a good place to protect your operations from a cyber attack. You’ll also need, however, to be well positioned to identify one when it occurs.
Detect: identify a cyber security attack
The Detect function helps your organisation develop and implement strategies to identify when a cyber security attack is occurring or has occurred. By improving ‘time-to-detect’ and ‘time-to-respond’, organisations put themselves in a much stronger position to mitigate the impact of cyber security incidents, because they are able to detect a cyber security event as early as possible. The steps include the following:
- Design, implement and review your continuous security monitoring capabilities, including being able to identify anomalous user (especially administrative) and system activities, and employ vulnerability scanning and anti-malware alerting.
- Apply operational (daily, business-as-usual) security activities for reviewing anomaly and event alerts from your security monitoring capabilities, ensuring controls can identify potential security issues.
- Clearly define and assign roles and responsibilities for detection processes, including what happens next once adverse events are detected – or suspected.
Being able to quickly identify when a cyber-attack has occurred is critical. It may not always be clear immediately – but you also need to know what next steps to take in response.
Respond: create a plan of action in your cyber security framework
The Respond function is all about enabling your organisation to orchestrate the appropriate course of action when a cyber security attack is detected.
Your response should be able to investigate, triage and contain the impact of a potential cyber security threat. So how does the framework suggest you do this?
- Define and implement an incident response plan across the organisation, detailing the stages and subsequent activities to take that will reduce the impact of a cyber security attack.
- Define your response team – including roles for technical response, incident coordination, internal and external communications stakeholders, vectors, and information subjects – ahead of time.
- Make sure analysis functions are understood, and that the related activities are carried out so that incidents are contained and mitigated.
A strong response strategy will ensure your organisation is not left scrambling in the dark in the event of a cyber security attack. It’s the key proactive step in your cyber-attack mitigation strategy. But what about getting your systems back online in the wake of an attack?
Recover: resiliency to help your organisation restore operations
The goal of the Recover function is to ensure your organisation can maintain and invoke resiliency capabilities for services that were affected by a cyber security attack. Much of this will naturally be surfaced in the Identify stage, where control requirements will have been discovered and then applied (during Protect) to appropriately manage risks.
Your organisation should be able to carry out timely recovery actions to return to normal operations, reducing the impact of a cyber security event. Here are some of the ways you can support this:
- Plan your recovery tactics ahead of time, including implementing and running regular backups – both to live (cloud or physical) and offline systems. Test these often, both for the integrity of the backups and for the efficiency of the restore process, so that recovery works when you most need it.
- Develop communications to manage public relations, repair reputational damage, and update internal and external stakeholders.
- Perhaps most importantly, incorporate the lessons learned from cyber security incidents – and near-misses – into information and cyber security strategies to prevent a repeat event, and continuously improve by doing so.
By following the stages outlined in the NIST Cyber Security Framework when planning your cyber-attack mitigation strategies, your organisation will have good practices in place for when – not if – an attack takes place. At Content+Cloud and Perspective Risk, we have a depth of expertise in helping organisations take the right action to plan their strategies for mitigating the risks of cyber-attacks.