Cyber Security Advisory
In February this year, the UK’s National Cyber Security Centre (NCSC) in partnership with the FBI, NSA, CISA, and Australian Cyber Security Centre, released a sobering assessment of the state of ransomware worldwide. According to the security community, there has been ‘an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organisations globally.’ As a result, the NCSC ‘recognises ransomware as the biggest cyber threat facing the United Kingdom.’
But it’s not just critical infrastructure that’s at risk. In fact, the report notes a marked shift away from so-called ‘big game hunting’, in which criminals target the organisations and departments with the biggest pockets. Instead, they’re now targeting the mid-market, believing smaller organisations make for easier targets. The attacks are indiscriminate: ‘Education is one of the top UK sectors targeted by ransomware actors, but the NCSC has also seen attacks targeting businesses, charities, the legal profession, and public services in the local government and health sectors.’
Censornet’s own data backs up this assessment: our State of Integrated Autonomous Cloud Security report found that in 2021, a fifth of mid-market organisations suffered a ransomware attack and subsequently paid the ransom. The average payout was £144,000, with 7% of those affected handing their ransomers more than £500,000.
Mid-market threats need mid-market solutions
The NCSC advises immediate action to mitigate the growing ransomware threat, but many of the steps it proposes are out of reach for mid-market organisations (for instance, ‘protecting cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud.’). If the mid-market is the target, then mitigation needs to be achievable for mid-market budgets and teams.
With that in mind, here are the top 10 steps mid-market organisations should take to protect themselves against ransomware.
1) Protect. Your. Emails.
Nine out of ten attacks start via email. Whether it’s phishing or embedded malware, emails are the simplest way into your system, and human error is still an often-fatal flaw in your defences. Effective protection against ransomware begins with intelligent, high-capacity email security – and regular staff training (more on that later). Ultimately, the fewer malicious emails that hit your employees’ inboxes, the lower your chance of a ransomware attack.
2) …and all primary infection vectors
But email security is not enough on its own. Cross-channel and multi-channel attacks are now used by state and criminal actors. If a malicious email does slip the net and is opened by an unsuspecting employee, it’s essential that your cybersecurity products can rapidly track the threat as it proliferates across the system – for example, initiating web security defences if an email link opens a malicious webpage – and isolate it before it takes hold.
Similarly, strong web security is a must – CryptoWall ransomware, one of the top 10 most common types of ransomware, spreads via malicious ZIP attachments to emails, as well as via the web (Java vulnerabilities and malvertising).
Email, web – and don’t forget identity, Remote Desktop Protocol (RDP), and cloud apps. RDP is the second most common entry point for ransomware attacks, so if you’ve got doors open for remote access, make sure they’re closely monitored. Multi-layered identity security is key here – make sure you’ve got MFA and a cloud access security broker (CASB) in place to limit criminals’ ability to brute-force your RDP passwords. And finally, keep a close eye on your cloud software – vulnerabilities can be quietly forced open by targeted attacks, so patching mustn’t be neglected (again, more on that later).
3) Don’t neglect the weekend
It might sound like something Batman would say, but cybercrime doesn’t take weekends off! The NCSC report noted that ransomer tactics are diversifying, with a number of canny attacks landing on weekends or holidays, when fewer IT security staff will be on duty.
Of course, small teams at mid-market organisations can’t be on call 24/7. But the right technology can be. Autonomous security systems can be programmed to respond at speed to a suspected attack, and when integrated with threat intelligence feeds, can take action against new and emerging threats without the security team having to rewrite outdated rules. On top of that, behavioural analytics are a key tool for spotting unexpected activity – like why the finance director’s account is mysteriously sending out requests when he should be home and fast asleep…
4) Enable MFA anywhere and everywhere it’s available
It’s worth saying twice: multi-factor authentication is essential in the fight against ransomware. Balancing security with minimal user friction, it’s a simple but effective way to limit the avenues of entry for bad actors. Put simply, if they need access to a mobile device sitting behind its own security measures as well as a cracked password, it’s going to take a lot more effort and a lot more mistakes for an attack to succeed. So if it can be MFA’d – MFA it.
5) Make the most of user and entity behavioural analytics
Don’t just track activity in your cloud environments – it pays to be on the lookout for unusual behaviour from user accounts. To protect your organisation, you must be able to understand in real time what constitutes normal activity for each and every user. These factors then provide the vital context to enable your system to flag anything unusual that could be cause for alarm – and take defensive action before it’s too late.
The more granular your data, the better. Geography, time of access, usage patterns, and access permissions can all be combined to give a clear picture of standard behaviour. This means that if a user account begins attempting to access systems it doesn’t have clearance for, at the wrong time, and from the wrong country, the balloon goes up automatically and quickly.
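To make the combination of geography, time of access, usage patterns and access permissions concrete, here is an added example of a minimal per-user behavioural baseline and scoring routine. It is illustrative code written for this article, not Censornet’s product code; the baselines, the sample events, the field names, the weights and the alert threshold are all constructed assumptions.

```python
"""Score access events against a per-user behavioural baseline (added example).

Each event is checked on four axes described in the article: country of origin,
hour of access, whether the target system is one the account is cleared for,
and the request rate compared with the user's norm. Reasons accumulate into a
score; anything at or above ALERT_THRESHOLD is flagged for defensive action.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Baseline:
    countries: set      # countries the user normally connects from
    work_hours: tuple   # (start_hour, end_hour), 24h clock, end exclusive
    permitted: set      # systems the account is cleared to access
    typical_rate: int   # usual number of resource requests per hour


# Constructed baselines for two sample users (assumed values, not real data).
BASELINES = {
    "finance.director": Baseline({"GB"}, (7, 20), {"erp", "payroll"}, 30),
    "helpdesk.agent": Baseline({"GB", "IE"}, (8, 18), {"ticketing"}, 60),
}

# Assumed weights: the more an axis deviates from the baseline, the higher the cost.
WEIGHTS = {
    "new_country": 40,
    "out_of_hours": 20,
    "unauthorised_system": 50,
    "rate_spike": 30,
}
ALERT_THRESHOLD = 60  # assumed score at which the event is flagged


def score_event(event, baselines=BASELINES):
    """Return (score, reasons) for one access event; unknown accounts score 100."""
    base = baselines.get(event["user"])
    if base is None:
        return 100, ["unknown_user"]
    reasons = []
    if event["country"] not in base.countries:
        reasons.append("new_country")
    hour = datetime.fromisoformat(event["time"]).hour
    start, end = base.work_hours
    if not start <= hour < end:
        reasons.append("out_of_hours")
    if event["system"] not in base.permitted:
        reasons.append("unauthorised_system")
    if event["requests_last_hour"] > 3 * base.typical_rate:
        reasons.append("rate_spike")
    return sum(WEIGHTS[r] for r in reasons), reasons


def flagged_events(events, baselines=BASELINES):
    """Return [(user, score, reasons)] for every event at or above the threshold."""
    out = []
    for ev in events:
        score, reasons = score_event(ev, baselines)
        if score >= ALERT_THRESHOLD:
            out.append((ev["user"], score, reasons))
    return out


# Constructed sample events: a normal working-hours login, the article's
# "finance director at 3am from abroad" scenario, and a mild out-of-hours case.
EVENTS = [
    {"user": "finance.director", "time": "2022-03-14T10:15:00", "country": "GB",
     "system": "erp", "requests_last_hour": 25},
    {"user": "finance.director", "time": "2022-03-14T03:05:00", "country": "FR",
     "system": "hr-db", "requests_last_hour": 400},
    {"user": "helpdesk.agent", "time": "2022-03-14T19:30:00", "country": "IE",
     "system": "ticketing", "requests_last_hour": 40},
]

if __name__ == "__main__":
    for user, score, reasons in flagged_events(EVENTS):
        print(f"ALERT {user}: score={score} reasons={reasons}")
```

A single out-of-hours login on its own stays below the threshold, while the combination of a new country, an unauthorised system and a request spike pushes the score well past it: that is the context-stacking the text refers to. In a real deployment the baselines would be learned from historical telemetry rather than hand-written.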
6) Run regular cybersecurity awareness training and phishing simulation
No matter how sophisticated your cybersecurity systems are, it still only takes one well-meaning but misguided click from an employee to send your sensitive data hurtling into ransomware oblivion. Never underestimate the insider threat.
Regular simulations are a good way to keep employees sharp – particularly involving live tests with ‘real’ impact. It’s also good practice to ensure employees are regularly reminded of the risks and the stakes involved, as well as keeping them abreast of evolving phishing tactics – for example, the possibility that an attack might target their email and their phone simultaneously if both were compromised via the same database.
7) Limit the spread of ransomware
Cross-channel attacks are increasingly the norm. The boundaries between web, email, and cloud apps are fast dissolving. That means any silos in your cyber defence also need to be dissolved. Start by moving away from running separate security solutions to one integrated platform that allows you to monitor and respond to any cross-channel threats. It’s also a good idea to segment your network and apply multiple individual security protocols across your organisation. If ransomware does get inside your systems, this will maximise the opportunity for your cybersecurity products to track, isolate, and stop it before it encrypts sensitive data.
8) React in real-time
How quickly can your security posture intelligently react to a security breach? Using all the contextual information available in an Autonomous Security Engine to manage unexpected or malicious activity in real time is critical. For example, it’s not always necessary to know how many users have uploaded files to cloud folders. What you do need to know is what information was in those files, so that the upload can be blocked in real time if it contains sensitive or regulated information.
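The upload decision described here can be illustrated with a small content check: inspect the text of an outbound file for regulated identifiers and return a block/allow verdict before the transfer completes. This is an added example written for this article, not Censornet’s engine; the two detectors (payment card numbers validated with the Luhn checksum, and UK National Insurance numbers matched by format), the sample files and the decision rule are constructed assumptions. It assumes the caller has already extracted plain text from the file.

```python
"""Decide whether an outbound upload should be blocked (added example).

A real DLP engine handles many formats and data types; this shows the shape of
the decision: find regulated identifiers in the extracted text, and block the
upload if any are present.
"""
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# UK National Insurance number format (simplified): two letters, six digits, A-D.
NINO_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_regulated(text):
    """Return a list of (kind, masked_value) findings in the text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drop random digit runs that fail the checksum
            findings.append(("payment_card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in NINO_RE.finditer(text):
        findings.append(("uk_nino", m.group()[:2] + "******" + m.group()[-1]))
    return findings


def classify_upload(filename, text):
    """Return the decision for one upload: block if any regulated data is found."""
    findings = find_regulated(text)
    return {
        "file": filename,
        "findings": findings,
        "decision": "block" if findings else "allow",
    }


# Constructed sample uploads. 4111111111111111 is a widely used test card number
# and QQ prefixes are never issued as real NI numbers, so neither is real data.
UPLOADS = [
    ("q3-forecast.txt", "Projected revenue 1,250,000; see appendix."),
    ("expenses.txt", "Card on file: 4111 1111 1111 1111, exp 12/24"),
    ("invoice.txt", "Reference 1234 5678 9012 3456 (fails checksum)"),
    ("payroll-notes.txt", "New starter NI number QQ123456C"),
]

if __name__ == "__main__":
    for name, body in UPLOADS:
        print(classify_upload(name, body))
```

The Luhn check matters for false positives: long reference numbers and invoice IDs look like card numbers but almost never pass the checksum, so the third sample is allowed while the second is blocked. Masking the matched values in the findings keeps the audit log from becoming a second copy of the sensitive data.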
9) Maintain a rigorous patching regime
This might sound obvious, but it’s easier said than done, particularly if you’re forced to run outdated operating systems – for example, in industrial control systems or in healthcare (MRI scanners and computers on wheels rarely get the latest OS!). It’s also complicated by BYOD policies, where employees may have control over the timing of software patches.
Nevertheless, the seriousness of this point shouldn’t be underestimated. As the Log4j vulnerability demonstrated all too well, a simple unpatched software vulnerability can have catastrophic effects. Make sure your employees are regularly prompted to install updates, and prioritise updates to centrally-owned systems.
10) If all else fails – pull the plug!
Not every cybersecurity response has to come from a piece of software. If you think your system has been compromised by ransomware, do what you can to identify the propagation method it’s using. Is it moving from endpoint to endpoint? Over the network? Over the cloud only? When you know that – isolate it! Yank the network cable out. Turn off the WiFi. It’s not a permanent solution, but it’s better than the ransomware making its way from an employee’s inbox to the CEO’s valuable IP.
Conclusion: integrate and automate
In a cloud-first world, mid-market organisations are at risk from highly sophisticated, cross-channel ransomware attacks. Isolated endpoint security is not enough – only a truly integrated, autonomous approach gives you the wide-ranging insight, speed, and availability to deal with threats wherever they originate and proliferate.
Autonomous, integrated cloud security used to be the preserve of blue-chip organisations – but through the innovation of market leaders like Censornet, it’s now in reach for the mid-market. It’s time to level the playing field.