Repelling A Ransomware Attack: Safi Raza of Fusion Risk Management On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack

Published in Authority Magazine · 14 min read · Mar 24, 2022

Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?
In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Safi Raza.

Safi has more than 15 years’ experience in Information Security and is Director of Cybersecurity at Fusion Risk Management. Prior to joining Fusion, Safi spent 14 years at Rosenthal Collins Group, where he spent six years in information security.

Safi was responsible for overseeing the e-Trading Services Department where he helped introduce, adapt and support new and improved trading technologies.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was born and raised in the coastal city of Karachi, Pakistan. My family moved to Florida, and I attended Florida Atlantic University where I studied for a degree in computer science. After university, I moved to Chicago where I entered the financial services industry in the electronic trading sector. My role involved managing the high frequency electronic trading infrastructure. Whilst in this role, I took a specific interest in cybersecurity processes and programs and became very focused on IT security. My next role was at Fusion Risk Management, a role I continue in today as Fusion’s director of cybersecurity.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

In my first job within the financial services electronic trading sector, I soon realized that while the job was focused on creating more efficient, faster ways of working, not a lot of attention was focused on security. I was amazed at how insecure the networks we worked across were and how vulnerable they were from a cyber-attack.

This is when my role became a lot more security focused. I took it upon myself to create and develop a robust cybersecurity program for my company at the time. I built the program, managed it and ensured our resiliency to cyberattacks was as robust as it could be.

When the opportunity arose to join Fusion as its cybersecurity director, I grabbed it with both hands. I have been here for 3 years now, and I lead Fusion’s cybersecurity programs. This includes not only Fusion’s own IT security infrastructure but is also focused on securing the IT applications that we provide to our customers.

Can you share the most interesting story that happened to you since you began this fascinating career?

At a previous organization I worked for, I remember a healthcare client, a small hospital in the US, suffered a ransomware attack. Although they paid the ransom (which is not recommended in many cases, but given it was a life-or-death situation because they couldn’t access patient data, this hospital decided to), they didn’t immediately get their data back. Despite paying a significant amount of money to release the data, nothing happened, and they didn’t receive the encryption key to unlock their data and resume normal operations. At some point, the information security director was able to track down an associate of the hackers through the dark web and speak to them to release the key. It turned out that the hackers were working in a corporate environment, i.e., 9 AM to 5 PM, Monday to Friday, etc. An “employee” was dispatched to work on a Saturday to retrieve the encryption key and provide it to the hospital. Eventually, the hospital got their data back, but I realized that the hackers were extremely organized, conducting their ransomware attacks using legitimate business organizations. Moreover, they are willing to take financial exploitation to the extreme with no regard to human life. At that very moment I learnt that we are playing a very different game in the modern-day cyber landscape that becomes increasingly challenging and complex where the criminals continually change the rules. It was also abundantly clear that this was a business, a fraudulent one of course, but ransomware attacks were managed like a business deal or transaction. When this incident happened there was very little regulation on cyber-attacks and not much awareness around ransomware. It certainly opened my eyes and led me down the cybersecurity-focused role that I have now.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

Patience — cybersecurity is culture-driven. It needs to be embedded within the ethos, within the purpose of an organization. All stakeholders within the company must be committed to it. Attitudes towards the role of cybersecurity are getting better. Leaders, employees and customers are taking it more seriously and embedding it into their business processes and systems. It’s taken a long time to get to this point, so patience has been a virtue. There’s still a lot of work to be done, it’s a change in mindset after all, but I remain patient and feel confident we are heading in the right direction as attitudes towards cybersecurity continue to evolve and progress.

Persistence — in a cybersecurity role, you need to remind yourself that your job is never done. With each new day there are new vulnerabilities, new methods of cyberattacks, in various forms, whether it’s software or hardware infrastructure related. As cybersecurity threats continue to evolve and become more challenging to avoid, you need to have persistence and determination to continue to drive and develop your cybersecurity program.

Continuous learning and a hunger for knowledge - the cybersecurity market is fast changing and rapidly evolving. In the last decade, there’s been a plethora of regulatory changes and it’s difficult to keep abreast of constantly evolving and changing law and what organizations must do from a legal perspective in terms of their cybersecurity policies and processes. It’s vital, in a cybersecurity role, to educate yourself about new regulation and continue to learn about new and emerging cyber threats and how cyber criminals are trying to stay ahead of the game and break through an organization’s security systems.

Are you working on any exciting new projects now? How do you think that will help people?

At Fusion, our focus is on providing resiliency to customers. No matter how many defenses we put in place, a breach will happen. A hacker will get through. Ransomware will occur. Organizations must be ready for a data breach or cyber-attack. They must be prepared. And this is why Fusion exists, to work with global organizations and develop tailored resiliency programs to ensure that a business runs as usual during any disruption and continues to deliver its brand promise. In the last year alone, we have read about a number of high-profile cyber-attacks, such as the JBS ransomware attack or the shutdown of The Colonial Pipeline, where organizations were rendered inoperable due to the exploited vulnerabilities. Fusion is developing better tools to enable organizations to better assess their customers, their third parties, to understand what the risk is and provide guidance on how to resolve it. We work with organizations around the world on a daily basis to ensure they’re prepared and as resilient as they can be to handle any business disruption.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?

I have many years of firsthand experience not just of the cybersecurity landscape generally but specifically ransomware, how it works, how it’s evolving and the impact it can have and does have. I’ve dealt with attempted ransomware attacks personally within an organization where I have successfully localized and contained the threat, managing it effectively to minimize the impact on the organization. I am also involved with a wide range of national and local cybersecurity organizations where we discuss and debate ransomware. We analyze the latest developments of the threat ransomware poses and share best practice knowledge to ensure our defenses against ransomware attacks are as robust as they can be.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?

The most common form or method of a ransomware attack is phishing via email. This is when a person receives a fraudulent email that contains a malicious link. If the person clicks on this link, a malicious program is installed on to their computer. This is also known as social engineering.

Another form or method of a ransomware attack is via poor password management. Many employees and individuals do not have strong passwords or manage one weak password across many IT systems. From a business perspective, if leaders and employees do not prioritize and practice robust password management, it makes it very easy for a malicious actor to be able to guess the password, change the password and log into the company’s network. They then have free rein to install harmful files which can initiate a ransomware attack.

Ransomware attacks via third-party links are also on the rise. Despite organizations implementing a strong security program, hackers have been able to gain access to robust networks via weak third-party network links, as demonstrated in the SolarWinds breach and Kaseya cyberattack. In these incidents, the infiltrators did not use social media or break through network firewalls to initiate an attack. Rather, they infected a third-party software which was deployed across the organization’s IT network, causing the breach.

Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?

Both businesses and private individuals should be concerned about a ransomware attack. In the last few years, we’ve seen the rise of ransomware-as-a-service. This is where anyone can purchase ransomware software to carry out ransomware attacks with little requirement of IT or technical expertise. You just need to be able to know how to access the dark web and download malicious software after paying for it. Anyone can download the data and send the file to an intended victim which means organizations as well as individuals should be concerned about ransomware attacks.

Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?

From a business perspective, every organization should have a security incident response in place. No matter what size of business, you must have security protocols. So, the very first action an employee should take is to call their IT contact or team. The IT team will immediately isolate the network to contain the cyber-attack. This will prevent the attack spreading across the IT network and to other computers.

It’s also vital that you ensure the infected computer or device is not connected to the internet. Although the hacker may have already seized data on your computer or device, by switching off the network connection it means the breach stays within that individual computer’s boundaries and does not spread across the wider IT network.

If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?

They need to understand, quickly, the extent of the data loss and how much data has been compromised. They must determine whether the data was encrypted or not as this will dictate the next course of action. If the data is fully encrypted, then you are assured that even if in the hands of bad actors, they can’t misuse it as they won’t be able to read it. However, if the data was not encrypted and the hackers are able to access it and interpret it, the threat cannot be easily contained. The security team also need to establish if the data is backed up and if the data backup is impacted or secure.

If the data is not encrypted and in the hands of the attackers, IT must run a comprehensive and rapid diagnosis test to see if there are any other data copies, determine exactly how the attack was engineered and how the data was stolen. From this, the switch can then be focused on safeguarding the organization and all stakeholders in overcoming the data breach.

Should a victim pay the ransom? Please explain what you mean with an example or story.

The authorities would always advise that a ransom should not be paid. However, it is always a difficult decision to make in a fast-moving situation. If an organization or individual decides to pay the ransom, there’s no guarantee they will get the data back or receive the right encryption key. There are several high-profile cyber-attacks where ransoms were paid. For example, CNA Financial paid $40 million to the attackers to get their data back. It depends on what’s at stake. There have been many ransomware attacks on healthcare establishments, especially hospitals, in recent years, where the ransom is more likely to be paid. And I do understand why as the difference between having their data or not is often a matter of life or death.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

The biggest mistake I have witnessed by far is a lack of appropriate patching and a poor vulnerability management program. It’s critical that every organization fully implements a very strict and robust patching and vulnerability program.

Another key mistake many businesses make is not rolling out impactful IT security training. Employees, human beings, are the weakest link in an organization’s IT security system. The company could have in place the strongest firewalls, the best multi-dimension security program but it just takes one person in the organization to click on a bad link and that can lead to a major security breach. Because of this, a resolute focus on employee security training is imperative and that’s something I think many businesses lack. They fail to create and develop interactive, engaging security training that ignites the interests of employees and, crucially, ensures they remain vigilant and are mindful of cybersecurity and the role it plays. This leads me to another common mistake which is a basic lack of cyber hygiene which I have encountered several times. So, for example, this includes poor or weak password management protocols and insecure cloud applications.

IT infrastructures receive hundreds of updates every day, i.e., operating system patches, application updates, antivirus definitions, and more. It is near impossible to validate every single update that systems receive. However, prevention is possible by practicing good cyber hygiene and creating a robust security-focused culture.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

I believe there needs to be a greater focus and priority on strong and robust data privacy laws on a global scale. Although many incredibly helpful security standards exist, there needs to be a greater impetus around accountability and a stricter regulatory function when it comes to data privacy. What we need is a global all-encompassing law to secure customers’ private data. Standards simply don’t have strong compliance and likely never will.

Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why? (Please share a story or example for each.)

A strong security culture. The requirement for a very strong and robust security program must be embedded within the culture of an organization. There are many ways to do this, but it must come from the top, from the C-level down. Organizations should, for example, have cybersecurity ambassadors within each department or team who highlight the importance of why security is so important and how catastrophic the impact can be on the business if it’s not taken seriously. Human beings, employees, are the weakest link in any IT infrastructure and the biggest attacks come from social engineering which exposes just how much work there is to do on ensuring every employee across an organization is security savvy, follows basic cyber hygiene protocols and wholly supports these protocols and understands why they’re so important.

Network segmentation and segregation. This is vital in a situation where a ransomware attack has potentially taken place. Any organization must segregate the impacted network to ensure it’s isolated from the rest of the IT infrastructure and system. By doing so you can neutralize the threat.

Effective (IT) boundary protection. This is about an organization’s email protection solutions and filtering firewalls to stop any bad messages at your IT boundary level. In other words, effective boundary protection technologies can stop ransomware threats at the door instead of dealing with them when they’re inside the network.

Encryption. A ransomware attack is not 100% preventable but what is preventable is the severity of the attack. To minimize the impact of a ransomware attack, organizations should always encrypt their data. Even if the data is stolen, if it’s encrypted it means only the organization has the keys to unlock and interpret that data and no one else. So, yes, encrypted data can be put up for sale online, but no one can access it unless they have the encryption key. Encryption is key to neutralizing a ransomware attack.

Resiliency. Resiliency is one of the greatest defenses an organization can have in protecting itself in the event of a ransomware attack. You can establish and implement the most secure technology defenses possible, but this does not make your organization 100% foolproof from a cyberattack. And this is why resiliency is vital. By having in place a resilient security plan, you have an effective plan B if the worst does happen. You are prepared and able to fight back.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

I would like to see the introduction of some form of security score rating across industry. By this I mean a process similar to a credit score rating so organizations can evidence their cybersecurity strength. I believe any business that is collecting any information about its customers should have a security score. This is so customers can feel safe in the knowledge that their security is robust, that they have a strong security rating which is a reflection of good IT security measures. If there was a security score for every single organization or vendor I interact with it would make things much easier and more transparent. Ultimately, the world would be technologically more secure, and you can avoid those who don’t embed or advocate strong security policies within their organization. A security score will add clarity and visibility into security operations and it will reduce the time organizations have to invest in validating the authenticity and standards of third parties.

How can our readers further follow your work online?

Cybersecurity: Innovations to Look Out for in 2022

Tracking the Hackers

Fortified fintechs: Security and cybercrime in finserve

The future of work is remote, now security must follow

LinkedIn: https://www.linkedin.com/in/safiraza/

This was very inspiring. Thank you so much for the time you spent with this. We wish you continued success and good health!
