There is no shortage of companies out there making claims that there is a universal solution to security (it makes for a good marketing message), but unfortunately, in practice there is no “one-size-fits-all” solution to security.
Which practices, controls and countermeasures will work best in a given organisation depends on that organisation’s own needs: what works for it culturally, the level of risk its business is exposed to, and so on.
For example, the security techniques and methods that work best for a large hospital might be very different from what would work best for a “mom and pop” retailer – and more different still from a government agency or large financial institution. So, answering the question “what should organisations do?” is a bit more nuanced than it might seem on the surface.
In my opinion, there are two things every organisation should be doing: risk management and intelligence gathering. Risk management is the process of figuring out which risks the organisation needs to address, and putting measures in place to find them, track them, mitigate them, and make sure they stay mitigated going forward. Likewise, intelligence gathering, particularly of the threat environment – what the bad guys might be interested in and how they might attack – informs the risk management process directly.
Both of these areas are systematic processes rather than solutions that can be bought off the shelf, so the good news is that no special equipment is required to carry them out. However, doing them well and comprehensively takes discipline, planning and preparation.
For ransomware specifically, one very helpful measure is to conduct a pre-planning “tabletop” exercise to ensure that individuals in the organisation are prepared for a ransomware event: think through your response and discuss specific decision points ahead of time, rather than when the heat is on during an actual incident.
The normative position of law enforcement (and most security practitioners) is not to pay the ransom – it can cause a criminal to “retarget” the organisation down the road, and only sometimes will the attacker actually make good if the ransom is paid. However, this can be a more difficult stance to take in the heat of an incident: the dollar amount can seem small compared with the impact of the ransomware. Decisions like this are best thought through in advance.
In terms of limiting the impact of cyber attacks in general and recovering quickly, tabletop and planning exercises are again a good idea, as is a systematic risk management process.
Beyond these, helpful practices can include building capabilities to understand and react to the threat environment – in particular, keeping tabs on “big ticket” events such as ongoing malware or ransomware attacks – as well as testing the organisation’s defensive posture through vulnerability assessment, penetration testing and other techniques that allow an organisation to systematically measure its defences.