Eight lessons from the biggest ransomware attacks of 2021
2021 has unfortunately been no stranger to high-profile ransomware attacks. From the attacks on Colonial Pipeline and JBS which forced both businesses to shut down operations, to the supply chain attack on Kaseya, causing ramifications for thousands of smaller businesses, not a week seemed to pass without another company being targeted.
And while each attack had varying levels of severity and response, they all resulted in considerable repercussions, not just for the business, but customers, partners, and in some case, broader society.
Each attack provided a stark reminder that no business is immune from a potential ransomware attack. So what are the key lessons that CxOs should take away from the biggest breaches this year?
1. Paying the ransom can do more harm than good
While initially it might seem logical that simply paying the ransom will encourage a hacker to relinquish its grip on your company’s operations, it can actually have the opposite effect. Ultimately, if you pay the ransom once, you become an attractive and lucrative target for future attacks, as seen with attacks on Acer and Olympus. There’s also no guarantee that you’ll be able to recover your data after paying the ransom. And even if you do have cyber security insurance, insurers are less likely to include ransomware within standard policies, and, if they do, to foot the bill a second time. So the focus should be on how to prevent and limit the damage of ransomware attacks through effective detection and response.
2. Implementing the right controls is critical
You need to ensure you have the right controls in place to mitigate risk. This includes granting users only the privileges they need and keeping systems updated, so attackers cannot gain too much of a foothold in the organisation, as well as using multifactor authentication to verify a user’s identity and add a layer of security beyond traditional login credentials. Extending these principles into a zero trust approach, whereby all devices and users are treated with the same level of suspicion, makes it harder for hackers to gain initial access and move around inside a diverse, distributed or hybrid IT estate or supply chain.
3. Networks should be segregated
Network segregation, or at least visibility, is vital to mitigate damage from a cyber attack, particularly if you’re in the critical national infrastructure sector. The Colonial Pipeline breach is a perfect example of this, with the attack causing petrol stations to hike prices or run out of fuel due to the shortage created by the pipeline shutdown. It was a breach in the organisation’s IT estate that compromised its operational capability, demonstrating how dependent Operational Technology (OT) environments are on IT. While reports suggest there was no indication the attackers were able to breach the more critical operational technology systems, the company may not have had to shut down its pipeline if it had more confidence in the separation between its business network and pipeline operations.
4. All organisations are at risk
Every organisation has something of value to lose, whether that’s access to systems and the resulting impact on operations, intellectual property or customer data. So you need to have a plan and technology in place to mitigate risk and to prevent, detect and respond to attacks swiftly. Managed Detection and Response (MDR), which encompasses threat detection and response, threat intelligence and threat hunting, is critical for enabling fast detection and response, while Extended Detection and Response (XDR) technology can provide visibility irrespective of user or device location, giving you true peace of mind over your security posture. MDR can be used to rapidly mature the security capability of any organisation.
5. Don’t forget the supply chain
Make sure you look beyond your own operations and ensure all suppliers have stringent security measures in place and are regularly reviewed to prevent a security incident. Check which security frameworks your suppliers comply with, such as NIST, ISO27001, or Cyber Essentials Plus. If a supplier states that it has never been breached, it’s likely that an undetected breach has actually occurred and its incident detection capabilities need to improve. Using Cyber Threat Intelligence and Digital Risk services also allows you to use open source intelligence to help identify risks within the supply chain before they become issues for your organisation.
6. Increase end-user awareness
End-user awareness and education are vital in preventing ransomware attacks. A well-trained workforce can provide early warning of breaches by reporting unusual activity to security teams promptly. Different levels of training for different employees should also be considered, particularly as privileged users are common targets. Regular phishing or red team assessments, which can simulate real-world phishing and ransomware attack scenarios, can help to identify any security gaps.
7. Always undertake a thorough investigation
Should the worst happen and a ransomware incident occur, don’t forget to conduct a full investigation. While it’s of course crucial to get critical operations back up and running as soon as possible, it’s important to learn from past incidents and build those learnings into a cyber response or resilience plan. You need to understand how the attack occurred and why. This ensures the attackers don’t have persistent access to the business network to cause future disruption.
8. Develop effective vulnerability management processes
Finally, developing and maintaining comprehensive vulnerability management processes is critical. This means using exploitability, context and risk information to prioritise and remediate vulnerabilities in the business. This could include ensuring software patches and updates are applied wherever possible and conducting assessments on legacy systems to check for potential vulnerabilities.
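A minimal illustration of that prioritisation logic, added here as an example and not taken from the original article: each finding is scored on severity, exploitability and asset context, then given a remediation deadline and an action (patch where a fix exists, compensate on legacy systems where it does not). The weights, thresholds, SLA values and sample findings are assumptions for illustration, not a prescribed policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (sample values below are constructed)."""
    vuln_id: str
    cvss: float              # base severity, 0.0 - 10.0
    exploited_in_wild: bool  # exploitability: active exploitation reported
    exploit_public: bool     # exploitability: working exploit code is public
    internet_facing: bool    # context: reachable from outside the network
    asset_tier: int          # context: 1 = low value .. 3 = critical / OT
    patch_available: bool    # legacy systems often have no vendor fix

def risk_score(f: Finding) -> float:
    """Combine severity, exploitability and context into one comparable number (assumed weights)."""
    exploitability = 3.0 if f.exploited_in_wild else (1.5 if f.exploit_public else 0.0)
    exposure = 2.0 if f.internet_facing else 0.0
    # Asset tier scales the whole score: the same flaw matters more on a critical system.
    return round((f.cvss + exploitability + exposure) * (0.5 + 0.5 * f.asset_tier), 1)

def remediation_sla_days(score: float) -> int:
    """Map a score to a remediation deadline; thresholds are illustrative assumptions."""
    if score >= 20:
        return 2
    if score >= 12:
        return 14
    if score >= 6:
        return 30
    return 90

def recommended_action(f: Finding) -> str:
    """Patch where a fix exists; otherwise apply compensating controls on legacy systems."""
    if f.patch_available:
        return "patch"
    return "isolate/mitigate (no vendor fix: segment, restrict access, monitor)"

def prioritise(findings):
    """Return (id, score, sla_days, action) rows ranked highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.vuln_id, risk_score(f), remediation_sla_days(risk_score(f)),
             recommended_action(f)) for f in ranked]

SAMPLE = [  # constructed sample findings, not real scan data
    Finding("VULN-A", 9.8, False, False, False, 1, True),  # critical CVSS, but internal and low-value asset
    Finding("VULN-B", 7.5, True, True, True, 3, True),     # actively exploited, internet-facing, critical asset
    Finding("VULN-C", 6.5, False, True, False, 3, False),  # legacy OT host with no patch available
    Finding("VULN-D", 4.4, False, False, True, 2, True),   # moderate flaw on an exposed mid-tier asset
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE):
        print(row)
```

Note that the CVSS 9.8 finding ranks only third once exploitability and asset context are taken into account, which is the point of risk-based rather than severity-only prioritisation.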
Ransomware attacks have surged in the past few years and cost billions of dollars in ransoms paid. It is a topic being discussed in most boardrooms and something every company should be taking note of. By keeping these lessons front-of-mind, you can avoid the reputational, financial and operational damage posed by ransomware attacks. Acting now could prevent a potentially catastrophic incident further down the line.