Unfortunately, ransomware isn't the type of online threat that only impacts big corporations and government entities. In the global digital supply chain, anyone connected to the internet could be vulnerable to a cyber attack of this nature.
Making real, fundamental change to better protect against ransomware attacks takes time. But let's say you want to implement some fast strategies now. What are some quick wins?
In this article we'll discuss:
What is identity and access management?
Identity and access management (IAM) is the process of assigning and monitoring who can access your systems and apps, at what times of day, and for how long they have that access. It's quite a broad term, covering not just user account management but also the tools required to allocate, renew and revoke permissions.
We have a whole PDF on the topic if you want a complete guide to its best practices.
Why does it work?
The majority of cyber breaches involve either human error (85%) or stolen credentials (65% - Verizon). Cyber criminals often attack their targets using phishing or social engineering, both of which are designed to dupe victims into handing over sensitive information or opening malicious links and attachments that grant the criminals access to the system.
Good IAM is one of the simpler, yet still hugely powerful, means to prevent such a breach from spreading. You can't always prevent a staff member from being tricked, but if their account only has limited access to the system then the attacker will need to work harder to penetrate your most sensitive data - giving you time to detect and stop their activities.
Quick steps to implement good IAM
To learn even more about best practice IAM, we recommend downloading our guide. It covers everything above and more, and goes into greater detail about each point. Download here.
What do we mean by keeping systems backed up?
Ransomware is designed to lock access to files, folders and entire systems. Once your files have been restricted, you have to pay to get them back - although not everybody gets their data back even if they pay. In fact, only 8% of organizations actually get back their files (Sophos).
Backing up your system is one way to circumvent this outcome. That means exporting the entire thing, on a regular basis, to an offsite storage system which is protected separately from the main company network.
Why does it work?
If you lose access to your data, it can disrupt your entire organization. Indeed, the BSI found that one particular German university hospital couldn't admit emergency patients for 13 days after a ransomware attack in 2021.
Having a backup means you may not need to pay. If you find data has been restricted, you can reinstate the backed-up version and only lose data that had been created or gathered between the backup and now.
Quick steps to implement system backups
What is a software restriction policy?
A software restriction policy governs what website domains and software apps are allowed to be used with your corporate devices. It can also govern who is allowed to install new software and make changes - thus ensuring that only fully trained, trusted admins have privileged access.
Again, we'll talk more about privileged accounts below in our fourth point.
Why is it important?
Ransomware can get into a system from a variety of different access points. Human error, as we know, is relatively common. But attackers also commonly spoof apps and websites, or even compromise legitimate apps to sneak in that way. These can be very hard to spot.
The act of restricting access is known as whitelisting, which is different from blacklisting. Blacklisting is easy - it's just the act of blocking an app or website. But there are thousands of each out there, and you can't blacklist them all.
Whitelisting, on the other hand, sets a list of allowed applications, domains or developers and blocks everything else. It takes a bit of extra research to set up, and will need to be monitored and finessed over time to ensure you've got a whitelist that balances safety with the needs of your employees, but it's easier to manage in the long term.
Quick steps to implement a whitelist
What is a privileged account?
A privileged account is, simply put, an admin account. Privileged users are able to change the system, remove elements (e.g. uninstalling apps) or install new ones. They can also run maintenance operations, patch software, and so on.
As you can see, their access is essential to the business - but could be devastating if it fell into the wrong hands.
Why is it important to manage admins carefully?
If a cyber criminal gets their hands on privileged access, it means they can make critical changes to the system - installing their malware, destroying data, stealing data, and all sorts of other criminal spying or sabotage.
Ransomware is probably the least of your problems if an attacker has this kind of system access.
Quick steps for implementing a privileged access management (PAM) policy
Why should you patch software on company devices?
Cyber criminals and software developers are in a constant arms race. When developers improve their security, criminals will find a way to break it. Then, developers improve their security - and that too is exploited. On it goes in a never-ending cycle.
If you never patch the software or OS installed on your company devices, soon your technology could fall behind in this arms race. This may expose your company to the vulnerabilities present in those older versions of the software/OS.
Quick tips for implementing a patching policy
NOTE: Before downloading any new patch, ensure it has been tested first in a safe, protected environment. Patches are meant to improve safety, but they don't always get it right. This is where it's vital to have third-party risk management plans in place - learn more here.
Understanding the importance of antivirus and endpoint security
Your company's endpoint security is its first line of defence. That includes antivirus, firewalls and other anti-malware or intrusion detection tools.
These systems are vital for stopping users, especially users with low cyber awareness (which we'll cover in our seventh point below), from downloading potentially harmful software, accessing untrustworthy websites, or using unclean USB devices.
Like company apps, antivirus must also be updated
Our advice here is the same as above. The arms race is still going on, and antivirus is another tool that can be left behind if not updated. Keeping endpoint security as cutting edge as possible means you're accessing the best security knowledge the world has to offer.
Quick tips for implementing an endpoint security management policy
Why is cyber awareness important?
As we know, most breaches come from some form of human error. So, any plan to avoid ransomware attacks must invariably include staff training.
It's vital that your staff know how to spot suspicious activity, and what to do in the event they are made aware that they've been compromised. Plus, they should know what communication channels to follow if they're ever unsure.
Quick tips for promoting cyber awareness
What are macros?
A macro is a script that automates a sequence of clicks or button pushes without further mouse or keyboard input. For example, macros can be used to automate repetitive actions in, say, a spreadsheet, so you don't have to do a task manually (like copying and pasting data).
They were invented for convenience, but can easily be exploited.
Why is disabling macros important?
Macros may be useful, but unfortunately they are well known as a point of vulnerability that cyber attackers abuse.
The malicious versions are called macro viruses: pieces of malware written in the same language as an innocent macro. When downloaded, they perform tasks on behalf of the attacker, such as disabling antivirus, installing new malware, stealing data, or sending spam messages using someone's email account (so the spam appears to come from a trusted source). Macros are often used to prepare a system to download ransomware without any endpoint protection or monitoring systems detecting it.
Phishing attackers use them fairly often, trying to trick users into downloading Word documents or spreadsheets that then deploy the malicious macro.
So the quick tip here…
Disable macros on company devices to prevent this from being possible. If you need to automate certain tasks, it may pay to look at specialist software - such as replacing financial Excel spreadsheets with accounting automation software.
What is a honeypot?
A honeypot is essentially a lure - a fake target designed to attract the attention of cyber attackers so that they strike there, not a legitimate target.
They can also be set up to gather data on an attack, such as identity, method and motivation.
Why are honeypots important?
Honeypots can look like any digital asset, whether that's an application, your server or an entire fake network (known as a honeynet). So long as it looks legitimate, it can convince an attacker that they have successfully penetrated your system when in actual fact they are in a controlled environment.
When they're within this environment, you can gather vital data. This data may help you improve your defences as you see weak points being exploited, or see what the most attractive targets in your network are. It may also reveal blind spots you'd never even thought of.
NOTE: Honeypots can't be your only protection. If an attacker figures out they're in a honeypot, they may flood it with activity to attract your attention while breaking into the main system. In a way, this would mean that your own decoy distracts you as well. Alternatively, an attacker may flood the honeypot with misinformation so that you learn the wrong things. Thus, you need comprehensive security across the network to ensure protection from multiple angles.
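To make the "gather vital data" idea concrete, here is a minimal decoy listener written as an added example for this article (it is not code from the original page or from any honeypot product). It opens a fake service port, accepts one unsolicited connection, records who connected and what they sent as a structured log record, and never answers, so the decoy cannot become a foothold. The sample probe bytes and the port choice are constructed for the demo.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed sample: the first bytes an automated scanner might send.
SAMPLE_PROBE = b"GET / HTTP/1.1\r\nHost: honeypot\r\n\r\n"


def build_record(peer_ip, peer_port, data, service="fake-http"):
    """Turn one unsolicited connection into a log record a SIEM can ingest.

    Only the first request line is kept verbatim, truncated, so a visitor
    who floods the decoy cannot bloat the log with arbitrary payloads.
    """
    first_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "service": service,
        "src_ip": peer_ip,
        "src_port": peer_port,
        "bytes": len(data),
        "first_line": first_line[:200],
    }


def open_decoy(host="127.0.0.1", port=0):
    """Bind the decoy; port=0 lets the OS pick a free port for the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def accept_one(srv, timeout=5.0):
    """Accept a single connection, read what arrives, send nothing back."""
    srv.settimeout(timeout)
    conn, (ip, port) = srv.accept()
    with conn:
        conn.settimeout(1.0)
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""  # a bare connect with no payload is still worth logging
    return build_record(ip, port, data)


def demo():
    """Run the decoy in a thread and probe it from this process."""
    srv = open_decoy()
    port = srv.getsockname()[1]
    holder = {}
    worker = threading.Thread(target=lambda: holder.update(record=accept_one(srv)))
    worker.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client.sendall(SAMPLE_PROBE)
    worker.join(5)
    srv.close()
    print(json.dumps(holder["record"]))  # one JSON line per visitor
    return holder["record"]
```

In a real deployment the decoy would run on an otherwise unused address, and every record it produces is a high-signal alert because no legitimate user has a reason to connect.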
If you aren't sure how to set up honeypots, you will likely need technical support
These can be quite a bit more complex to set up than the rest of the quick wins in this list. While they won't take years of transformation and a sizable change management process, there's still a lot to know to set them up correctly (especially if you're combining honeypots into a honeynet).
We would recommend that you reach out to a specialist if the expertise is not already within your company. To talk to us about what we could do to help, contact us here.
What is ZeroTrust?
ZeroTrust is a security concept. Companies that adopt it take the stance of trusting no one (literally zero trust) - the IT network does not, by default, trust any user or device.
In this way, access to the system is always carefully controlled because it is no longer assumed. Users gain access by permission, and privileged users gain access through strict testing and training measures.
Why is ZeroTrust important?
If anyone can access your network at any time, then anyone who becomes compromised can compromise the entire system.
But ZeroTrust isn't about blindly banning users from accessing what they need to do their jobs - it's about picking and choosing who can access what, where and when, in order to control security more tightly. It doesn't have to be an obstruction to people's daily work. With a strong IAM policy in place, as discussed already in this article, the process of assigning and updating access permissions can be heavily streamlined (and partially automated).
We've already covered ZeroTrust extensively in another article that we think will be very useful if you're interested in this approach. It covers the basics of ZeroTrust, how it applies to modern business, its benefits and challenges, and quick implementation steps. Read more here.
We've covered a lot in this article, and we know that these steps vary in complexity. If you're unsure what to do next or where to start, we can help.
Or, book a free maturity consultation today and we'll talk to you about your business and its needs, so we can help you build a roadmap to implementing the best quick wins for your needs.