Thinking about having to make a choice between paying the ransom—seemingly easy, but a way to make you the target the next go-around and risking data compromise—or recovering from an attack—which may take weeks to completely get you back running as usual—turns our stomachs (as I imagine could turn yours, too).
The average recovery effort will cost you just over three-quarters of a million dollars all in (that is, for a clinic). An entire hospital system will likely be much more, even if you decide to pay the ransom. That number will also increase the longer your team cannot work or you cannot deliver exceptional care.
Those costs are likely to rise.
Comparing ransomware attack aftermaths across the past couple years, several experts are seeing recovery costs increasing. Attackers are demanding payments of or above 13 Bitcoin (equivalent to over $75,000) for each computer affected by an attack to regain access, which previously had been just under $13K.
Data recovery efforts have been complicated in most cases because backups either are not working or can be compromised with the rest of the network during ransomware attacks. Many businesses put in the spot light have had to roll the dice and pay the attackers simply because their backups were insufficient or entirely encrypted during their recovery period.
My message to you: You Do NOT Have To Be A Victim.
Regardless of how bleak the headlines seem today, your organization can take very effective paths to defend yourself against ransomware. It actually starts by using some best practices to proactively prevent as many attacks as possible, followed by taking some additional precautions that can limit or minimize the success of an attack in the even an attack took place.
10 Things You Can Do Right NOW:
Here are 10 steps your organization can start now to ensure you are better suited for the current threat landscape:
Map your attack surface—you won’t be able to protect what you don’t know needs protecting. Experts recommend to start your journey to security proactivity by identity everything on your network—all of your systems, devices and services currently in your environment. This process will not only help you identify vulnerabilities and current targets, but should also help you map out your network for an effective recovery in the event something ever happened—including natural disasters.
Patches and upgrades—I’d bet you a hundred bucks that you probably have at least a couple devices lingering out there in your environment that have exploitable vulnerabilities (that is, vulnerabilities that criminals have used to break into your network). Your technical team should be identifying all possible patches and upgrades, testing those fixes and deploying them throughout your environment. If there are special cases where critical machines cannot be patched, you should ensure that they are segmented off of your main network if possible.
Update your security systems—in addition to patches, security systems need to be updated constantly. This is critical for your email filters and firewalls. Since most ransomware enters your organization through phishing emails today, make sure you have updated controls in place to detect and prevent ‘bad’ traffic from getting onto your site. Your technical team should be thinking about how organizations are being attacked in an effort to design or implement security solutions that address those specific ‘how’s.
Segment your network—the last time you went to the doctor’s office, were your medical records on tables in the waiting room? Where would you expect paper files (if there were any)? They are probably in a locked room or closet segmented from normal traffic. The same goes for sensitive data on your network. Instead of just keeping everything accessible, consider implementing segmentation to separate and segregate important information that doesn’t need to be accessed regularly (this will make things harder for both staff and criminals from getting to places they shouldn’t have access to).
Secure any remote locations—remote sites are often overlooked or downplayed when it comes to security infrastructure and support. Take time to review your connections from your main location to other sites to make sure your people are taking security measures seriously in connecting. Just as an example, a remote working at Avast antivirus software caused a major network breach earlier this month as a result of a user connecting VPN with a compromised password. This led to a multi-million dollar investigation and recovery effort. Make sure to alert those partners to any issues you may discover, especially related to malicious content being accessed or shared.
Isolate your recovery systems and backups—I cannot stress this enough! If you keep your backups accessible to your network, ransomware WILL get in AND destroy your backups. Make sure that your backups and recovery system are isolated away from your network, including separate passwords to access that network segment.
Recovery drills—practicing what you preach in terms of security restoration and recovery has become a critical component to making sure in the event an attack pops up (they always are entirely unexpected), you have clear expectations with your team as to when and how you will recover. Any issues that arise in a drill can be addressed, documented and fixed before the real deal event comes.
Seek opinions from experts—I cannot stress this enough if you are planning on a do-it-yourself approach to security. If you do not have a team focused on cybersecurity—one that would be familiar with all new attacks and their signatures, please seek some advice. Your organization should be able to immediately identify and report an incident (this should be part of your drill). Consider a network security assessment to at least find out where problems lie on your network.
Pay attention to what’s going on—make sure you are on top of the latest ransomware news. You might subscribe to our blog, among other cybersecurity blogs, to get a good sense of what is being attacked and how. Make sure to apply your findings and lessons to your own environment.
Educate your team—employees are your weakest link to securing your network. Make sure they understand that they are the first line of defense. Ransomware usually starts with a phishing attack (over 90% of the time). It’s imperative you know how to get your folks to learn from their mistakes. Get them to click on links and explain why they need to be more suspicious of emails. You may even consider getting your new hires up on security training before they have access to their email (would you let a new factory worker hop on a welding machine before explaining how to use it?).
Share Advice Like This!
When it comes to cybersecurity, we all have to work together. Make sure that others on your team—and in other organizations understand what they can do to prevent the next attack. Getting everyone aware and involved will pay off dividends in the long run for a securer cybersecurity approach.
