Thought Leadership

Ransomware: The cure costs more than prevention, and is less effective

Endre Jarraux Walls
Chief Information Security Officer, Corporate Security Group, Customers Bank


COVID isn’t the only malicious virus we’re facing in 2021.  Cybercriminals have become emboldened with new and more deadly “ransomware” attacks.  Customers Bank wants to help its clients take steps to protect against these attacks that can impose significant costs, destroy a reputation, and take down a business.

RANSOMWARE DEFINED…

A ransomware attack uses malicious code to block access to computer systems and the data they hold. This data becomes encrypted using a key possessed only by the attacker. If anyone tries to access the restricted system or data, they will find a ransom note demanding the payment of a ransom fee in order to restore access. Most organizations are not prepared for a ransomware attack, so they feel pressured into paying expensive ransom fees and recovery costs.  These ransom demands have increased drastically in recent years and now average hundreds of thousands of dollars.

PREVALENCE AND THE RISKS…

Not all of the ransom attacks come from people in a dark basement.  Increasingly, nation-states with sophisticated technical prowess are behind the attacks.  This year ransomware has become more of an issue than ever before. The prevalence of kits that target known vulnerabilities in data-driven systems – known as “exploits” – is accelerating and simplifying cyber-attacks.

The risks to the average business are disruption, reputational harm, loss of confidential information, and the exposure of company secrets or proprietary data to the dark web. And you can’t trust the bad guys: they’ll release the data whether the ransom is paid or not.  There is no honor among thieves.

Further complicating matters, there is no way to ensure that the thieves will delete the stolen information once the ransom is paid. This means there is nothing to stop the criminals from returning to demand more money.

Recently, Krebs on Security published an article about ransomware gangs now turning to Facebook to hack accounts and place public ads to shame businesses and pressure victims into paying the ransom. This latest tactic is sure to become more prevalent, as it exposes a brand to public scrutiny in order to push victims into making the extortion payments.

AN OUNCE OF PREVENTION…

We have all heard that wise quote from Benjamin Franklin: “An ounce of prevention is worth a pound of cure.” This is truer today in cyberspace than it was in Ben’s day. While prevention is not inexpensive, preventing the damage that ransomware can do to your business will still save millions: in lost business and lawsuits from data breaches, and by not paying a ransom, not hiring media consultants, and not spending years rebuilding your brand.

Here at Customers Bank, we take security seriously, not because we are federally required to but because it makes good business sense. Regardless of your organization’s size or complexity you should follow these simple rules to contain the risk malware presents to your organization.

  1. Train your users – Malware starts with an employee clicking the wrong link in, or sometimes just opening, an email. Train your users to spot problematic emails and prevent phishing from becoming a threat by using anti-phishing technology and edge technology that catches bad links and attachments in email before they reach users.
  2. Encrypt what matters most – Data that could harm your company, its reputation, or its ability to be productive should be encrypted. This way, even if infiltrated, all your attackers will have access to is already encrypted information. This is what is meant by “encryption at rest.” Containerization of critical data can also help ensure it is isolated.
  3. Make backups a critical technology – Daily structured backups that are encrypted and stored outside of your infrastructure both physically and logically will make it possible to simply restore your data and not fall prey to ransom demands.
  4. Invest in security – Either in-house or a skilled third party or even a mix of the two. Invest in security technology that can make anomalies visible and actionable, as well as people who can act on issues to prevent further damage and implement more proactive measures. This includes using EDR (endpoint detection and response) platforms to monitor individual computer and server activity, NACs (network access controllers) to prevent lateral movement of unauthorized software, and event correlation platforms to help improve infrastructure visibility and reduce the success rates for dormant malicious software. All of this goes beyond the traditional firewalls and signature-based antivirus suites of the past. Anti-ransomware software exists and is also a sound investment for larger organizations.
  5. Find an insurance partner – Not just a policy…an insurance partner who understands cybersecurity, has resources to provide incident support, and can facilitate response is a worthy investment for any business that handles sensitive or proprietary information. And remember, the data of your employees is as sensitive as information about your customers.

BUT IT ALL STARTS WITH YOUR STAFF…

We cannot stress this enough – security is a company-wide concern, not a technical one. Every employee must be onboarded to understand their part in keeping an organization’s data and customers safe and secure. Security awareness training, internal discussion groups, preparedness exercises, and implementing a least-privilege or zero access program for role-based access are your organization’s greatest defense against malware.

Security is easy when everyone is a part. Stay vigilant.