Enhance identity controls before banning ransomware payments

I agree with Ciaran Martin that ransomware payments should be banned, however, the reality is that while many large corporations will have appropriate controls, measures and backups in place, SME organisations may be unable to recover from losing that data.

Losing sensitive data that could be health, legal or financial data could have real world implications to life or a business’s feasibility. Only a few weeks ago, a large health organisation in the US paid $22m to recover its encrypted data.

A strong security culture is the bedrock of a robust and strategic security programme, and coupled with how capable a business is to respond to these threats, ensures that businesses are promoting the right processes and behaviours.

We regularly talk about phishing and how users need to be aware of what phishing emails look like. Yet every day users will receive legitimate emails asking them to click on a link to visit an internal site, provide feedback or access a file or document. Organisations need to really look at how they engage with both internal and external users and what behaviours they encourage.  

There have been some drastic real world examples recently where organisations have trialled removing internet access for staff or preventing the ability to click on links within emails, and maybe that’s what it will take for some companies. This will go some way to removing some of the risks, but I think the reality is that identity and credential compromises will happen, and ensuring organisations have robust preventative controls that prohibit the propagation of ransomware and the ability to detect such attempts is key.

Employing a zero-trust approach, where every request is analysed, considering the context of that access in terms of time, location, network, client, frequency and device can slow and prevent ransomware completely. 

We talk a lot about identity being the new perimeter and ransomware depends on identities, credentials and permissions in order to infiltrate systems and networks. With remote work, unmanaged devices, and cloud and Software as a Service (SaaS) environments, identity is the only common thread that connects people to all the devices, apps, and resources needed to do their jobs, or function as a consumer or citizen in a modern world, and ransomware will look to exploit all of those where it can.

I do believe that banning ransomware payments would go a long way to minimising that industry, and the threat it poses to companies. However, I would expect the threat to evolve and a new iteration to appear as a result. Furthermore, I would expect an increase in ransomware targeting should such a law be brought in. Ransomware is not something that we will be able to remove quickly, but it is an important step for our industry and something that would be beneficial to businesses, employees and communities as a whole.

Most importantly, we need to ensure there are appropriate measures in place to support businesses where losing that data could be life-threatening.

Stephen McDermid is EMEA CSO at Okta