Today's critical cybersecurity threats are ransomware and supply chain compromises, writes Tomasz Wojciechowski, CISO and Head of Cybersecurity at Spyrosoft, a member of SoDA Poland.
The reason behind these trends is straightforward – money. Criminal groups want to earn money as easily as possible, weighing the time and effort needed to prepare such an attack. An attacker who targets a big company directly may face many obstacles that extend the time required to launch the attack.
Attackers are clever. Therefore, they may try to hit the weakest link in the chain – a supplier of a big company, where cybersecurity may not be at a suitable level to tackle modern attacks. A good example of such a combination is the recent ransomware attack on the NHS where attackers targeted one of the suppliers.
Fortunately, we are not helpless: we can undertake specific actions to reduce the likelihood and impact of ransomware attacks and take concrete steps to improve our cybersecurity.
Prevention and detection
Prevention is mainly focused on both people and technology aspects. From the employees’ perspective, it is crucial to improve awareness about modern threats and the consequences of a successful attack on an organisation.
A good approach is to guide and coach employees, teach them key cybersecurity principles, and encourage them to use common sense when using company equipment in daily tasks. It is also important to teach how to identify basic threats (e.g. phishing attempts) and report suspicious activities. It is vital to keep in mind that no matter how much awareness training an employee receives, it will not make them a cybersecurity expert. Therefore, other means must be put in place to battle ransomware attacks.
From a technology perspective, the key technologies are antivirus, EDR, firewalls, sandboxes and IDS/IPS, mechanisms such as browser isolation, and concepts such as zero trust networking. All of these are valid defensive mechanisms against modern threats, including ransomware.
It is also important to remember that although technology supports an organisation in many areas of cybersecurity, it is not a silver bullet solution which will eliminate the risk of a successful ransomware attack. The challenge is to design an overall security architecture which is scalable, resilient, and not overcomplicated for employees who are responsible for maintenance and security monitoring.
Network segmentation should also be applied to limit any spread of ransomware. It will be much more manageable to contain the ransomware in one subnet than across the whole organisation.
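The containment effect of segmentation can be quantified before an incident happens. The following script is an added example, not part of the article: it models hosts as members of network segments and the firewall policy as a set of allowed segment-to-segment flows, then computes how many hosts an infection starting on one laptop could reach under a flat network, a segmented network, and a segmented network with client isolation. The hosts, segment names and policies are constructed sample data; the model assumes lateral movement succeeds wherever the policy permits a flow, which is the pessimistic assumption a defender should plan for.

```python
"""Blast-radius estimate for a ransomware outbreak under a segmentation policy.

Added example (not from the article). Hosts, segments and policies below are
constructed sample data.
"""
from collections import deque

# Constructed inventory: host name -> network segment it lives in
HOSTS = {
    "laptop-01": "users", "laptop-02": "users", "laptop-03": "users",
    "app-01": "app", "app-02": "app",
    "db-01": "db",
    "backup-01": "backup",
    "dc-01": "mgmt",
}
SEGMENTS = set(HOSTS.values())

# Flat network: every segment may initiate traffic to every other segment.
FLAT_POLICY = {(src, dst) for src in SEGMENTS for dst in SEGMENTS}

# Segmented network: only the flows the business needs, as (source, destination).
# Note the direction: the backup server pulls from app/db; nothing may initiate
# a connection towards the backup segment except management.
SEGMENTED_POLICY = {
    ("users", "users"), ("users", "app"),
    ("app", "app"), ("app", "db"),
    ("db", "db"),
    ("backup", "backup"), ("backup", "app"), ("backup", "db"),
    ("mgmt", "mgmt"), ("mgmt", "users"), ("mgmt", "app"),
    ("mgmt", "db"), ("mgmt", "backup"),
}

# Same policy with client isolation: workstations cannot talk to each other.
CLIENT_ISOLATED_POLICY = SEGMENTED_POLICY - {("users", "users")}


def reachable_hosts(seed, hosts, policy):
    """Breadth-first search over hosts: from each compromised host, every host
    in a segment the policy lets it reach is treated as compromised next."""
    seen = {seed}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        src_seg = hosts[current]
        for host, dst_seg in hosts.items():
            if host not in seen and (src_seg, dst_seg) in policy:
                seen.add(host)
                queue.append(host)
    return seen


def blast_radius(seed, hosts, policy):
    """Number of additional hosts an outbreak on `seed` could spread to."""
    return len(reachable_hosts(seed, hosts, policy)) - 1


def unreachable_from(seed, hosts, policy):
    """Hosts the policy keeps out of reach of an outbreak on `seed`."""
    return sorted(set(hosts) - reachable_hosts(seed, hosts, policy))


if __name__ == "__main__":
    for label, policy in [("flat", FLAT_POLICY),
                          ("segmented", SEGMENTED_POLICY),
                          ("segmented + client isolation", CLIENT_ISOLATED_POLICY)]:
        print(f"{label:30s} blast radius from laptop-01: "
              f"{blast_radius('laptop-01', HOSTS, policy)}; "
              f"protected: {unreachable_from('laptop-01', HOSTS, policy)}")
```

Running it shows the point of the paragraph in numbers: on the flat network a single infected laptop can reach all seven other hosts; with the segmented policy the backup server and the domain controller are out of reach; adding client isolation also stops the outbreak from spreading between workstations. The same reachability check is worth re-running whenever a firewall rule is added, since one permissive rule can silently collapse the segmentation.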
From a process perspective, it is crucial to have a backup policy and actual backups in place, ready to restore systems in case of a successful ransomware attack.
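A backup that has never been verified is an assumption, not a recovery capability. The following script is an added example, not part of the article: it records a SHA-256 manifest for a backup set, then checks that every file is present and unmodified and that the set is recent enough for a recovery point objective. The backup files, the 24-hour RPO and the directory layout are constructed sample data; in practice the manifest should be stored separately from the backup (and ideally signed), because a manifest sitting next to the data can be rewritten along with it.

```python
"""Backup readiness check: verify a backup set against its manifest and its age.

Added example (not from the article). The sample files and the RPO are
constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile
import time

MANIFEST_NAME = "manifest.json"


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def write_manifest(backup_dir):
    """Record the hash of every file in the backup set plus its creation time."""
    files = {}
    for root, _, names in os.walk(backup_dir):
        for name in names:
            if name == MANIFEST_NAME:
                continue
            full = os.path.join(root, name)
            files[os.path.relpath(full, backup_dir)] = sha256_file(full)
    manifest = {"created": time.time(), "files": files}
    with open(os.path.join(backup_dir, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_backup(backup_dir, max_age_seconds, now=None):
    """Return a list of problems; an empty list means every recorded file is
    present with the recorded hash and the set is within the RPO."""
    problems = []
    with open(os.path.join(backup_dir, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    now = time.time() if now is None else now
    if now - manifest["created"] > max_age_seconds:
        problems.append("stale: backup older than the recovery point objective")
    for rel, expected in manifest["files"].items():
        full = os.path.join(backup_dir, rel)
        if not os.path.exists(full):
            problems.append(f"missing: {rel}")
        elif sha256_file(full) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def demo(rpo_seconds=24 * 3600):
    """Build a constructed backup set, verify it, then damage it and re-verify.
    Returns (problems for the clean set, for the damaged set, for a stale set)."""
    with tempfile.TemporaryDirectory() as backup_dir:
        sample = {"db.sql": b"CREATE TABLE t (id INT);\n", "config.yml": b"service: app\n"}
        for name, content in sample.items():
            with open(os.path.join(backup_dir, name), "wb") as f:
                f.write(content)
        manifest = write_manifest(backup_dir)
        clean = verify_backup(backup_dir, rpo_seconds)
        # Damage the set: one file overwritten, one deleted.
        with open(os.path.join(backup_dir, "db.sql"), "wb") as f:
            f.write(b"not the original content")
        os.remove(os.path.join(backup_dir, "config.yml"))
        damaged = verify_backup(backup_dir, rpo_seconds)
        # Pretend two days have passed since the backup was taken.
        stale = verify_backup(backup_dir, rpo_seconds, now=manifest["created"] + 2 * rpo_seconds)
        return clean, damaged, stale


if __name__ == "__main__":
    for label, result in zip(("clean", "damaged", "stale"), demo()):
        print(f"{label}: {result or 'OK'}")
```

Scheduling this kind of check after every backup run, and combining it with a periodic full restore into an isolated environment, turns "we have backups" into "we have tested that we can recover within our RPO".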
Reaction is the phase in which an organisation must act after a successful attack by cybercriminals. It is essential to have a plan (playbook) detailing what to do in case of a ransomware attack. The plan’s goal is to avoid panic and ad-hoc actions and to ensure a structured approach with defined steps for dealing with the attack.
The plan should contain at least:
- Defined roles and responsibilities for named individuals
- Defined communication path
- Defined technical process for incident handling, which should contain phases such as: identification, containment, remediation, recovery, lessons learned.
Finally, the plan should be regularly tested to identify any gaps that should be addressed.
Unfortunately, it is expected that the volume of ransomware attacks will only increase. Therefore, organisations must ensure they are ready to deal with attacks efficiently.
It is worth remembering that there is no one-size-fits-all solution in cybersecurity and the processes, procedures and tools should be tailored to an organisation’s business model, risk profile and other specific requirements.