Tune out news reports that blame victims for improperly defending against ransomware. They are based on the fallacy that sound security is accessible.
The cybersecurity community too often treats ransomware incidents through a flawed lens of idealism when blaming organizations for poor cyber defenses. For leaders in most organizations, cybersecurity is overwhelming because they simply lack the expertise, time, or resources to filter through the noise. My 20+ years of experience indicates that our perspective on the problem is critically limited because security professionals generally only work with well-resourced enterprises that can afford our services. Most organizations do not fit that profile, meaning that even the most basic technical expertise is largely out of reach.
Consider that, according to the JP Morgan Chase Institute, 88% of US businesses in 2013 had fewer than 20 employees, with nearly 60% of those recording annual revenues of less than $100K. Compare those statistics against reports about a 2019 Robert Half survey that found CIOs of mid-size businesses were seeking an ideal technical support employee to end-users ratio of 1:64. Furthermore, a December 2019 Salary.com report estimated that the average salary for a security administrator in the US is $71K.
In short, a vast majority of US businesses have less than one technical support employee with little-to-no security expertise.
Rather than be overwhelmed by the cost and experience needed to follow most expert recommendations, take a do-it-yourself approach to improve your cyber defenses at a pace that your organization can support. In five steps, you can help your team build competency in the areas most important to your organization and more efficiently apply your limited resources against the areas where you most need help. Your risk level will still be high, but a little progress can go a long way to building resilience against ransomware attacks.
Step 1: Engage Your Core Team
Most security professionals would rightly suggest conducting a comprehensive inventory of the organization’s systems and services as part of a routine Business Impact Analysis. I have found that conducting such an all-encompassing assessment from the start is counter-productive in small organizations with limited security expertise, because it tends to create friction and prevents rapid improvement. Instead, I suggest that resource-constrained organizations be more agile and approach ransomware defense as a collaborative, incremental process that emphasizes rapidly achievable goals.
Drawing on a leading cybersecurity practice in large enterprises, the best way to begin enhancing your ransomware defenses is to conduct a simple discussion exercise that determines which services your organization most depends on, and to prioritize early actions against those most critical needs.
To get started, the business or mission lead should identify the 3–5 people who are most critical to service continuity. Start by asking, “Who is the first person to call if the organization were suffering a cyber attack?” Regardless of role or position on the organization chart, there is usually a small number of staff members whom everyone trusts to fix problems. They probably know the most about how the organization’s capabilities work and the dependencies for keeping them functioning, making them central to any defensive action. After that, schedule a few hours to meet.
Step 2: Prioritize Critical Services
Prioritization is not easy, especially as the lead will have to negotiate with business and system owners who can all present reasons for their systems being the highest priority. Under ideal conditions, I would suggest hiring an expert cybersecurity facilitator to conduct the meeting, capture results, and report out. Doing so provides independent support for difficult decisions. But, when resources are tight, the lead can use this simple structure to guide the discussion:
- Agree on the top three criteria for service criticality (e.g. financial impact, necessary timeliness of service delivery, # of users).
- Have each team member identify what they believe are their most critical services. I find it helpful to start with an exercise where each member writes the service on a sticky note and puts it up on a wall.
- Prioritize services based on the agreed-upon criteria. To prevent verbal arguments right off the bat, I like to use a technique where each participant is given some number of “priority points” to distribute amongst the identified services (one point for each criterion). Either restrict them from assigning points to the services they self-identified, or give them an extra set of points to distribute outside of self-identified services. The participants then go to the sticky notes and distribute points across the identified services. After completing that exercise, the lead tallies the results and ranks the services by number of points.
- Determine who in the room has system responsibility for each critical service, starting with the top priority. If no one has direct responsibility, assign a representative to follow up with the appropriate service owner.
The lead should then capture the prioritization and system responsibility to establish an initial cyber defense improvement plan.
Step 3: Document System Details
It’s helpful to take a little bit of time to capture some key information about the technology systems and business processes that support the highest priority services. That way, the team doesn’t need to repeat the activity when accounting for inevitable change over time. It shouldn’t be onerous or time-consuming to capture important initial details, but I recommend establishing a simple standard format that will promote consistency and reduce potential future confusion. For ransomware defense, I suggest that the minimum information that system owners should capture includes:
- System Name: The commonly understood name for the system.
- System Owner: Name of the person within the organization responsible for the system’s function. This may be different from the service owner determined in Step 2.
- System Priority: A rating of how critical the system is for supported services. This can inherit the rating of the highest priority service associated with the system or a rating based on downtime tolerance for the system (minutes, hours, days).
- Services Supported: A list of the services that rely on the system to function.
- Data Storage Location: Identifies where the system data is stored.
- Data Storage Owner: Identifies who is responsible for ensuring that the system data is available for use by the system.
- Data Backup Location: Identifies where the system data is backed up to.
- Data Backup Frequency: Describes how often the system data is backed up.
I have found a variety of templates available online that the team can use to capture the information. From the nice Business Impact Analysis Template that accompanies National Institute of Standards and Technology (NIST) Special Publication 800-34 (SP 800-34), I suggest focusing on Section 3.1 — Determine Process and System Criticality and Section 3.2 — Identify Resource Requirements. Another good template was produced by the state of Oregon, with Section 2 — Key Business Processes and Section 5 — Business Unit Inter-dependencies being my suggested starting points.
Step 4: Backup Systems and Data
I recently argued that effective ransomware defense for most organizations begins and ends with backups. Unfortunately, this step is where things get technical, the point where most non-technical folks begin to get overwhelmed. So, I encourage the leads to take a deep breath and remember that the initial objective is not perfection, but rather improvement. Even small incremental changes to system backup processes will pay dividends should an attack occur.
There are two primary scenarios for backing up system data assets that support the high priority services:
- System Data is Managed Within the Organization. When the system is managed from within the organization, it becomes easier to ensure that the system data is backed up regularly. Ideally, the system owner would back up the data frequently, but the first step is to figure out how to back up the system data. Most cybersecurity professionals would rightly recommend that an offline backup to an external hard drive is the best way to be sure that the organization can recover the system from a ransomware attack. For those organizations that may not have the resources readily available to procure the necessary hardware, I argue that a cloud-based backup represents a good start. In either case, the Global Cyber Alliance includes pointers for activating basic system backups.
- System Data is Managed Outside of the Organization. When the system data is hosted in a cloud repository for an internally-managed web application or the system is managed by an external service provider, the organization will likely be more restricted by how it can back up the data. For cloud-hosted repositories, the data is probably much more difficult to lose in a ransomware attack and downloading it could be costly. My suggestion is to leave it be initially and focus on other systems that are more susceptible to ransomware damage. For a system managed by an external service provider, while backups should be the responsibility of the provider, the internal system owner should have a regular discussion with the provider about how the system data is backed up. The MassCyberCenter made available a nice questionnaire that can help start a constructive conversation with service providers (Disclaimer: The questionnaire was developed under a state municipal security initiative that I support). I have posted the questions at the end of this post.
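To make “figure out how to back up the system data” concrete for the first scenario, here is an added example in Python. It is not code from the original post or from the Global Cyber Alliance toolkit: it archives a folder to a destination such as a mounted external drive, records a SHA-256 manifest of every file, and then proves the archive restores intact by extracting it into a scratch directory and comparing each file against the manifest. A backup that has never been restored is an assumption, not a defense, so the restore check is the part worth keeping. The sample “invoices” folder, the destination path and the simulated corruption in `demo()` are constructed for the example.

```python
"""Back up a folder to a compressed archive and prove it restores intact.

Added example (not from the original post or the Global Cyber Alliance
toolkit). The sample data is constructed; in real use `dest_dir` would be
a mounted external drive that is disconnected once the backup completes.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large system data does not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, dest_dir: Path, name: str) -> tuple:
    """Archive `source` into dest_dir/<name>.tar.gz; return (archive path, manifest)."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"{name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return archive, build_manifest(source)


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore the archive into a scratch directory and return every mismatch.

    An empty list means the backup restores exactly what was archived.
    """
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # The 'data' filter (Python 3.12+, backported to older releases)
            # refuses entries that would write outside the target directory.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        restored = build_manifest(Path(scratch))
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content changed: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file in restore: {rel}")
    return problems


def demo() -> dict:
    """Construct sample system data, back it up, and verify the restore.

    Returns the mismatch lists for a clean check and for a manifest with one
    digest deliberately altered, to show that corruption is reported.
    """
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "invoices"  # constructed sample data
        (src / "2019").mkdir(parents=True)
        (src / "2019" / "q4.csv").write_text("id,amount\n1,100\n")
        (src / "README.txt").write_text("constructed sample data\n")
        archive, manifest = backup(src, Path(work) / "external_drive", "invoices-2019-12")
        clean = verify_restore(archive, manifest)
        # Simulate a damaged backup by changing the expected digest of one file.
        tampered = verify_restore(archive, {**manifest, "2019/q4.csv": "0" * 64})
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Keeping the manifest next to the archive (or, better, with the inventory from Step 3) lets the system owner rerun `verify_restore` on a schedule, which is the “annual testing of successful restore” that the service-provider questions at the end of the post ask for.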
Step 5: Elevate Your Ransomware Defense Baseline
The lead should establish a shared repository for maintaining system documentation and prioritization so that the whole team can easily access and update the status of system backups. Then, the team should establish a regular check-in protocol to help maintain momentum and steadily improve your organization’s ransomware defenses, repeating these steps to work down the service priority list and confirm that all of the system data that is necessary to recover service integrity in the event of a ransomware attack is backed up. This cycle will also enable the group to more quickly identify when system data backup needs change.
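The Step 3 fields only pay off once something reads them back, which is what the Step 5 check-in needs. The script below is an added example, not code from the original post or from the NIST or Oregon templates: it parses a constructed CSV inventory that uses the Step 3 fields, derives each system’s priority the way Step 3 describes (inherit the priority of the highest-priority service it supports, otherwise rate it by downtime tolerance), and produces the worklist of systems whose backups are missing or, under my assumed rule that the backup interval should not exceed the system’s downtime tolerance, too infrequent. The column names, the service priority map from a Step 2 tally, and the scale where 1 is most critical are assumptions for the example.

```python
"""Turn a Step 3 system inventory into a Step 5 backup worklist.

Added example, not from the original post or the NIST/Oregon templates.
The CSV inventory, the service priorities, the 1 = most critical scale and
the rule that a backup interval should not exceed the downtime tolerance
are all assumptions made for this example.
"""
import csv
import io

# Step 2 result: service priorities from the sticky-note tally (constructed).
SERVICE_PRIORITY = {"Invoicing": 1, "Payroll": 1, "Website": 2, "Newsletter": 3}

# Downtime tolerance and backup frequency in hours so they can be compared.
TOLERANCE_HOURS = {"minutes": 1, "hours": 24, "days": 72}
FREQUENCY_HOURS = {"hourly": 1, "daily": 24, "weekly": 168, "monthly": 720}
PRIORITY_FROM_TOLERANCE = {"minutes": 1, "hours": 2, "days": 3}

REQUIRED = ["system_name", "system_owner", "services_supported",
            "data_storage_location", "data_storage_owner"]

# Constructed inventory using the Step 3 fields (services separated by ';').
INVENTORY_CSV = """system_name,system_owner,downtime_tolerance,services_supported,data_storage_location,data_storage_owner,data_backup_location,data_backup_frequency
QuickBooks desktop,Dana,hours,Invoicing;Payroll,Front-office PC,Dana,External USB drive,weekly
Customer list spreadsheet,Sam,days,Newsletter,Shared drive,Sam,,none
Web store,Alex,minutes,Website,Hosting provider,Provider,Provider snapshots,daily
Timesheet app,,hours,Payroll,Server closet NAS,Alex,Cloud backup,daily
"""


def system_priority(row: dict) -> int:
    """Step 3 rule: inherit the best (lowest) priority of any supported service,
    otherwise fall back to the downtime-tolerance rating."""
    services = [s.strip() for s in row["services_supported"].split(";") if s.strip()]
    inherited = [SERVICE_PRIORITY[s] for s in services if s in SERVICE_PRIORITY]
    if inherited:
        return min(inherited)
    return PRIORITY_FROM_TOLERANCE.get(row["downtime_tolerance"], 3)


def check_system(row: dict) -> list:
    """Return the list of gaps found for one inventory row (empty if none)."""
    gaps = [f"missing {field}" for field in REQUIRED if not row.get(field, "").strip()]
    location = row.get("data_backup_location", "").strip()
    frequency = row.get("data_backup_frequency", "").strip().lower()
    if not location or frequency in ("", "none"):
        gaps.append("no backup in place")
        return gaps
    if frequency not in FREQUENCY_HOURS:
        gaps.append(f"unrecognised backup frequency '{frequency}'")
        return gaps
    tolerance = TOLERANCE_HOURS.get(row.get("downtime_tolerance", ""))
    if tolerance is not None and FREQUENCY_HOURS[frequency] > tolerance:
        gaps.append(f"backed up {frequency} but can only tolerate "
                    f"{row['downtime_tolerance']} of downtime")
    return gaps


def backup_worklist(inventory_csv: str) -> list:
    """Parse the inventory and return (priority, system_name, gaps) for every
    system with at least one gap, most critical first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        gaps = check_system(row)
        if gaps:
            findings.append((system_priority(row), row["system_name"], gaps))
    findings.sort(key=lambda f: (f[0], f[1]))
    return findings


if __name__ == "__main__":
    for priority, name, gaps in backup_worklist(INVENTORY_CSV):
        print(f"P{priority} {name}: " + "; ".join(gaps))
```

Running it against the constructed inventory ranks the Invoicing/Payroll bookkeeping PC first because a weekly backup leaves far more than its hours of tolerated downtime at risk, flags the timesheet app for having no named owner, and puts the newsletter spreadsheet last even though it has no backup at all. That ordering is the point of the exercise: the team works down the list from the top, and re-running the check at each check-in shows when backup needs have changed.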
As the team gets more practiced, the lead can then use this cycle to enhance defenses in other areas, steadily building competency and confidence in the organization’s ability to respond to and recover from cyber attacks.
Questions About Backups for Service Providers
Can you help us implement an effective backup strategy that meets the standards/requirements outlined below, including:
- A clear definition of what is being backed up and where it is being stored
- Appropriate backup retention span and frequency
- Annual testing of successful restore
- Physical and virtual access to online backups is restricted to authorized personnel only
- Backups are air-gapped and ransomware resistant
- Awareness of any Personally Identifiable Information (PII)
- Use of backup encryption where applicable
- Backups include not only data but any relevant images, policies etc.
- Documentation of the backup and restore strategy
Can you help us understand, document, and implement appropriate access/permissions to the data and systems of our organization?
- Have we minimized the number of employees who have administrative rights to machines?
- Do we limit access to files, folders and applications only to those for whom it is necessary for their job?
- Is there a protocol for removing outdated accounts, especially those with administrative privileges?
- Have we changed default passwords, especially for accounts with administrative rights?
- Do we have documentation of our access controls?