The ransomware threat has been building for years. But only recently has it broken through into mainstream news cycles and, in turn, come to the notice of lawmakers. That’s because of a few big-name breaches that have government wonks increasingly nervous. Following the Colonial Pipeline attack in early May, the US executive branch seems to have finally got the message: reaching out to urge CEOs to take the threat more seriously, and planning to elevate attacks to the same priority as terrorism.
But where does that leave businesses, and especially SMBs? With much work to do.
The story so far
Ransomware attacks have been climbing for some time, but it took the pandemic for threat actors to hit top gear. The combination of distracted remote workers, poorly secured home working devices and networks, vulnerable VPNs and misconfigured RDP endpoints was ruthlessly exploited last year. Hospitals, public sector organisations, professional services firms and the food industry were particularly badly hit.
The targeting of healthcare organisations (HCOs) was a wake-up call for many who simply viewed this as another cyber-threat to be managed and insured against. Extorting hospitals for ransom when lives were at stake exposed the nihilistic pursuit of money that drives most threat groups. The more recent disruption caused by the attack on a major East Coast fuel pipeline brought home the potential impact cyber-attacks can have in the physical world. Fuel prices spiked for several days as shortages persisted.
Government takes action
A change of administration at the heart of Washington had an almost immediate impact on the situation. President Biden issued one of the most detailed and far-reaching Executive Orders (EOs) on cybersecurity yet to enhance best practices in the federal government and its supply chain. Steps such as multi-factor authentication (MFA), endpoint detection and response (EDR), strong encryption and mandatory event logging drew widespread praise from the cybersecurity industry.
It followed this with the creation of a DoJ Ransomware and Digital Extortion Task Force, which has already scored a major coup by helping to seize more than half of the funds paid to the Colonial Pipeline attackers. Then there were those reported plans to elevate the seriousness with which ransomware is treated by government.
What impact will this have in reality? In short, more central coordination of the response to attacks through the DoJ Task Force, to improve attribution, tracking and counter-measures. It’s a good start, but there’s still plenty of work to do. Much of the problem revolves around the continued use of cyber-insurance to fund ransom payments. As long as such a mechanism exists, it’s hard to see how organisations will be incentivised to improve baseline security, unless their insurers get more prescriptive in their policy documentation.
The government could do a lot by placing more ransomware groups alongside Evil Corp on the Treasury’s Office of Foreign Assets Control (OFAC) sanctions list. That would prohibit insurers and victims from paying certain actors, and in so doing help to raise the barrier to entry for the affiliate groups that now conduct most ransomware activity.
What businesses should do
Government can also do more to help SMBs respond to these challenges. Despite the big-name breaches, it is smaller organisations that form the majority of victims today. That’s why the average ransom payment remains in the hundreds of thousands rather than millions of dollars. Deputy National Security Advisor for Cyber, Anne Neuberger, recently wrote an open letter to business leaders urging them to do more.
Yet if you’re an SMB owner with few resources to splash following a global financial crisis, where do you start? The good news is that best practice security doesn’t have to be onerous. The UK’s National Cyber Security Centre (NCSC) has some sage advice. It includes the following:
- Regular back-ups following the best-practice 3-2-1 rule
- Email and URL filtering to mitigate the threat of phishing
- Enhanced cybersecurity training and awareness programs
- Multi-factor authentication (MFA) at all remote network access points
- Prompt patching of all known vulnerabilities
- Apply the principle of least privilege for remote access
- Segment obsolete platforms from the rest of the network
- Establish and regularly test an incident response plan
- Disable or constrain scripting environments and macros
Many of these steps can be implemented as part of a Zero Trust approach, which is an increasingly popular way to minimise risk in a new world of distributed working and cloud applications. But whatever route your strategy takes, it’s time to recognise ransomware as a top-tier threat.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.