10 Quick Wins for Protecting Against Ransomware in 2022

 Unfortunately, ransomware isn't the type of online threat that only impacts big corporations and government entities. In the global digital supply chain, anyone connected to the internet could be vulnerable to a cyber attack of this nature.

 Making real, fundamental change to better protect against ransomware attacks takes time. But let's say you want to implement some fast strategies now. What are some quick wins?

In this article we'll discuss:

1. Maintaining best practice identity and access management
2. Keeping your systems backed up
3. Writing modern software restriction policies
4. Keeping privileged accounts secure
5. Regularly patching company devices
6. Regularly updating company antivirus solutions
7. Promoting cyber awareness throughout your team
8. Disabling macros
9. Using honeypots
10. Adopting ZeroTrust as a long-term policy

1. Maintain best practice identity and access management

What is identity and access management? 

Identity and access management (IAM) is the process of assigning and monitoring who can access your systems and apps, at what times of day, and for how long they have that access. It's quite a broad term, covering not just user account management but also the tools required to allocate, renew and revoke permissions.

We have a whole PDF on the topic if you want a complete guide to its best practices.

Why does it work?

The majority of cyber breaches involve the use of either human error (85%) or stolen credentials (65% - Verizon). Cyber criminals often attack their targets using phishing attacks or social engineering, both of which are designed to dupe victims into handing over sensitive information or downloading malicious links which grant the criminals access to the system.

Good IAM is one of the simpler, yet still hugely powerful, means to prevent such a breach from spreading. You can't always prevent a staff member from being tricked, but if their account only has limited access to the system then the attacker will need to work harder to penetrate your most sensitive data - giving you time to detect and stop their activities.

Quick steps to implement good IAM

1. Write or update your IAM policy: Your policy should clearly outline who is allowed access to what systems, at what time, and for how long.
2. Ensure your team uses good passwords: Simple passwords don't need to be stolen - they can be cracked, sometimes in seconds. Passwords should be a minimum of eight characters, containing numbers and symbols as well. Consider including a timeframe within your IAM policy for changing these passwords. We know it's a pain for some users, but it really does make a difference.
3. Know your admins: Admin accounts have greater privilege, giving them the power to make changes and install new software. That means they must be extra protected, so you need to know who has these accounts. We'll talk more about this in our fourth point below.
4. Turn on multi-factor authentication (MfA): MfA takes a good password and makes it better. Even if a hacker can get a password, they still won't have access to your system. Common MfA tools include Google Authenticator and Last Pass.
5. Monitor joiners, movers and leavers (JML): When someone joins the company, moves role or leaves, their access must be updated. Write strong JML rules into your IAM policy so you know there's someone monitoring accounts to look for changes and removing defunct accounts of past employees.

To learn even more about best practice IAM, we recommend downloading our guide. It covers everything above and more, and goes into greater detail about each point. Download here.

2. Keep your systems backed up

What do we mean by keeping systems backed up?

Ransomware is designed to lock access to files, folders and entire systems. Once your files have been restricted, you have to pay to get them back - although not everybody gets their data back even if they pay. In fact, only 8% of organizations actually get back their files (Sophos).

Backing up your system is one way to circumvent this event. That means exporting the entire thing, on a regular basis, to an offsite storage system which is protected separately to the main company's network.

Why does it work?

If you lose access to your data, it can disrupt your entire organization. Indeed, the BSI found that one particular German university hospital couldn't admit emergency patients for 13 days after a ransomware attack in 2021.

Having a backup means you may not need to pay. If you find data has been restricted, you can reinstigate the backed-up version and only lose data that had been created or gathered between then and now.

Quick steps to implement system backups

1. Keep it frequent: Back the entire system up (or the desired parts of the system) on a regular basis - a timeframe set by your policies. Maybe it's daily, or weekly. You will need to determine what is most relevant for you based on your type of data, how critical it is for business operations and your budget.
2. Test the backups: Your backups aren't of any use if they can't be utilized. Test them by trying to restore the system from the backup to see if everything functions, so you know it's there if needed.
3. Keep it offline: Offline means that the backup system is not connected to the rest of the network - it's a different network entirely. That way if your company is hit by malware, it can't spread into the backup.
4. Keep it offsite: Similarly, offsite means that your backup is stored in a different location to the main network. This could be a remote server, or a cloud backup. This will help in the event that a disaster or other event destroys your on-prem systems (like a fire or flood), as you can restore the copy of the system stored elsewhere.
5. Use backups safely: If you've been struck by malware, check that the backup has not been infected in the same way before restoring it. Quite often attackers will begin to slowly insert themselves into a network weeks, months, even years before the main event. While the objective is to never backup malware by accident, it does not hurt to check.

3. Write modern software restriction policies 

What is a software restriction policy?

A software restriction policy governs what website domains and software apps are allowed to be used with your corporate devices. It can also govern who is allowed to install new software and make changes - thus ensuring that only fully trained, trusted admins have privileged access.

Again, we'll talk more about privileged accounts below in our fourth point.

Why is it important?

Ransomware can get into a system from a variety of different access points. Human error we know is relatively common. But, attackers also commonly spoof apps and websites, or even compromise legitimate apps to sneak in that way. They can be very hard to spot.

The act of restricting access is known as whitelisting, which is different to blacklisting. Blacklisting is easy - it's just the act of blocking an app or website. But there are thousands of each out there, and you can't blacklist them all.

Whitelisting, on the other hand, sets a list of allowed applications, domains or developers and blocks everything else. It takes a bit of extra research to set up, and will need to be monitored and finessed over time to ensure you've got a whitelist that balances safety with the needs of your employees, but it's easier to manage in the long-term.

Quick steps to implement a whitelist

1. Working groups: Create a working group of IT, security and other experts (including end users) to research what apps/domains are essential for the business. You may choose to trust just specific apps, or the entire suite of a notable developer.
2. Make a list: Create a list of every app in use by the business, no matter how large or small.
3. Classify the list: Classify each of these apps as either essential or non-essential. Remember, though, that some apps are non-essential but still desirable, such as social media - the blocking of which can upset employees.
4. Compare the list to other factors: Compare the apps in your new whitelist to the five Ws and H (who, what, where, when, why, how). This may help you further control access to best ensure protection. For example, IT management or admin tools must be whitelisted, but access to them cannot be universal.
5. Write a policy: Write all of the new rules you've just set into a policy, and stipulate how frequently that policy will be reviewed and updated. Into this policy there must also be written rules for requesting new apps, temporary admin privileges, and hearing feedback from end-users - so your company can evolve over time.

4. Keep privileged accounts secure

What is a privileged account?

A privileged account is, simply put, an admin account. Privileged users are able to change the system, remove elements (i.e. uninstalling apps) or install new ones. They can also run maintenance operations, patch software, and so on.

As you can see, their access is essential to the business - but could be devastating if it fell into the wrong hands.

Why is it important to manage admins carefully?

If a cyber criminal gets their hands on privileged access, it means they can make critical changes to the system - installing their malware, destroying data, stealing data, and all sorts of other criminal spying or sabotage.

Ransomware is probably the least of your problems if an attacker has this kind of system access.

Quick steps for implementing a privileged access management (PAM) policy

1. Assign access based on trust: Only assign privileged accounts to people whom you trust. That is, users who have security qualifications and/or who have gone through the required security training.
2. Write a policy: You'll need a PAM policy. This will clearly define who can be a privileged user, and what gaining that access will require.
3. Review this regularly: Make sure you add a regular review to your PAM policy, so someone qualified knows to audit its integrity over time. For example, removing old accounts.

5. Regularly patch company devices

Why should you patch software on company devices?

Cyber criminals and software developers are in a constant arms race. When developers improve their security, criminals will find a way to break it. Then, developers improve their security - and that too is exploited. On it goes in a never-ending cycle.

If you never patch the software or OS installed on your company devices, soon your technology could fall behind in this arms race. This may expose your company to the vulnerabilities present in those older versions of the software/OS.

Quick tips for implementing a patching policy

1. Develop a software inventory: You'll need to know exactly what software/operating systems are in use by employees at your company, no matter how small that use. In the list you will also need to note the current versions, and the date that these versions were installed. This may already have been completed as a part of your whitelisting process, or could be done at the same time.
2. Review this regularly: As with many of the other steps in this list, your list will also need to be reviewed regularly. During this review, software and OS versions that are no longer in use must be removed and any new software not on the list must be added. Someone will need to be accountable for this.
3. Update software regularly: In your patching policy and review process, you must include a step for updating software and OS versions. If lots of different apps and systems are in use across the business, you may first wish to standardize to make it easier to manage.

NOTE: Before downloading any new patch, ensure it has been tested first in a safe, protected environment. Patches are meant to improve safety, but they don't always get it right. This is where it's vital to have third-party risk management plans in place - learn more here.

6. Regularly update company antivirus solutions

Understanding the importance of antivirus and endpoint security

Your company's endpoint security is its first line of defence. That includes antivirus, firewalls and other anti-malware or intrusion detection tools.

These systems are vital for helping users, especially users with low cyber awareness (which we'll cover in our seventh point below), from downloading potentially harmful software, accessing untrustworthy websites, or using unclean USB devices.

Like company apps, antivirus must also be updated

Our advice here is the same as above. The arms race is still going on, and antivirus is another tool that can be left behind if not updated. Keeping endpoint security as cutting edge as possible means you're accessing the best security knowledge the world has to offer.

Quick tips for implementing an endpoint security management policy

• Follow our earlier advice: But, contextualise it for antivirus and any other endpoint solution in place at your business. That means conducting an inventory, noting down versions and dates, and writing a policy that includes a review process. To ensure this happens when it needs to happen, you'll also need someone to be accountable for this process.

• Perform a risk assessment: You may wish to perform a risk assessment based on cyber threats to your business, compared with your current endpoint solutions. This process may reveal that you are missing a critical security system, or perhaps the opposite - that what you're paying for is overkill.

7. Promote cyber awareness across the business

Why is cyber awareness important?

As we know, most breaches come from some form of human error. So, any plan to avoid ransomware attacks must invariably include staff training.

It's vital that your staff know how to spot suspicious activity, and what to do in the event they are made aware that they've been compromised. Plus, they should know what communication channels to follow if they're ever unsure.

Quick tips for promoting cyber awareness

1. Treat it like any other change management process: You will need change champions on your side, employees and leaders across the business who can help their peers with the change. Plus you must lead with empathy, recognising that some people will struggle, others may push back on changes, and that's OK.
2. Write down what you want to achieve: What will your cyber-aware culture look like? Ensure leaders follow that example.
3. Host workshops/training sessions: Remember to focus on engagement - most people will forget boring presentations or bland speeches. Make it practical, or even competitive. Teach people the cyber awareness skills they need to know in a manner that they will be able to recall.
4. Translate jargon: There's a lot of tech jargon in IT. Try to translate as much of it as possible into layman's language so that everyone, regardless of technical ability, can understand what you mean and what they need to do.
5. Create communications pathways: Clear communications pathways are key to helping people report malicious (or suspicious) activity. Employees need to know who to talk to, when and how.
6. Onboard with cyber awareness: All of the above should be written into your onboarding process to ensure new employees receive the same level of training.
7. Make it a regular thing: Build cyber awareness into your day-to-day culture. Send out regular articles or helpful tips, or perhaps cool facts and stats. Demonstrate what good cyber hygiene looks like and shout out/recognise top performers.

8. Disable macros

What are macros?

A macro is a script that automates a sequence of clicks or button pushes without the mouse or keyboard's input. For example, they can be used to automate repetitive actions on, say, a spreadsheet, so you don't have to do a task manually (like copying and pasting data).

They were invented for convenience, but can easily be exploited.

Why is disabling macros important?

Macros may be useful, but unfortunately they have been known as points of vulnerability for cyber attackers to abuse.

They're called macro viruses, and they're pieces of malware written in the same language as an innocent macro. When downloaded, they perform tasks on behalf of the attacker, such as disabling antivirus, installing new malware, stealing data, or sending spam messages using someone's email account (so it appears the spam has come from a trusted source). Macros are often used to prepare a system to download ransomware without any endpoint protection or monitoring systems detecting it.

Phishing attackers use them fairly often, trying to trick users into downloading Word documents or spreadsheets that then deploy the malicious macro.

• Learn more: "10 known cyber espionage groups, and how to protect yourself"

So the quick tip here…

Disable macros on company devices to prevent this from being possible. If you need to automate certain tasks, it may pay to look at specialist software - such as replacing financial Excel spreadsheets with accounting automation software.

9. Use honeypots

What is a honeypot?

A honeypot is essentially a lure - a fake target designed to attract the attention of cyber attackers so that they strike there, not a legitimate target. 

They can also be set up to gather data on an attack, such as identity, method and motivation.

Why are honeypots important? 

Honeypots can look like any digital asset, whether that's an application, your server or an entire fake network (known as a honeynet). So long as it looks legitimate, it can convince an attacker that they have successfully penetrated your system when in actual fact they are in a controlled environment.

When they're within this environment, you can gather vital data. This data may help you improve your defences as you see weak points being exploited, or you see what the most attractive targets are in your network. It may also reveal blindspots you'd never even thought of.

NOTE: Honeypots can't be your only protection. If an attacker figures out they're in a honeypot, they may flood it with activity to attract your attention while breaking into the main system. In a way, this would mean that your own decoy distracts you as well. Alternatively, an attacker may flood the honeypot with misinformation so that you learn the wrong things. Thus, you need comprehensive security across the network to ensure protection from multiple angles.

If you aren't sure how to set up honeypots, you will likely need technical support

These can be quite a bit more complex to set up than the rest of our quick wins in this list. While they won't take years of transformation and a sizable change management process, there's still a lot to know to set them up correctly (especially if you're combining honeypots into a network).

We would recommend that you reach out to a specialist if the expertise is not already within your company. To talk to us about what we could do to help, contact us here.

10. Adopt ZeroTrust as a long-term policy

What is ZeroTrust?

ZeroTrust is a security concept. Companies that adopt this stance are adopting a stance of trusting no one (literally zero trust) - the IT network does not, by default, trust any user or device.

In this way, access to the system is always carefully controlled because it is no longer assumed. Users gain access by permission, and privileged users gain access through strict testing and training measures.

Why is ZeroTrust important?

If anyone can access your network at any time, then anyone who becomes compromised can compromise the entire system.

But ZeroTrust isn't about blindly banning users from accessing what they need to do their jobs - it's about picking and choosing who can access what, where, when, in order to more tightly control security. It doesn't have to be an obstruction to people's daily lives. With a strong IAM policy in place, as discussed already in this article, the process of assigning and updating access permission can be heavily streamlined (and partially automated).

We've already covered ZeroTrust extensively in another article that we think will be very useful if you're interested in this approach. It covers the basics of ZeroTrust, how it applies to modern business, its benefits and challenges, and quick implementation steps. Read more here.

Need help? We're here for you

We've covered a lot in this article, and we know that each of these steps are of mixed complexity. If you're ever unsure about what to do next, where to start, then we can help.

Or, book a free maturity consultation today and we'll talk to you about your business and its needs, so we can help you build a roadmap to implementing the best quick wins for your needs.