Ransomware attacks are complex — preventing them isn’t

As geopolitical conflicts increasingly play out in cyberspace, ransomware attacks are ravaging businesses and governments of all sizes.

Cybersecurity and Infrastructure Security Agency Director Jen Easterly recently implored city officials to make ransomware a “kitchen-table issue” and I could not agree more. Ransomware must be simplified so it’s easy to understand and discuss. There must be simple solutions and simple actions.

There are things that all towns, cities and counties can do. These actions do not require large budgets, more technology or hiring more staff. They require a better understanding of how ransomware attacks occur and the implementation of policies that drastically reduce the ability for criminals to snatch valuable data.

Before joining the Cyber Readiness Institute, I spent over 25 years in federal service at several departments, including the Department of Energy, Department of Homeland Security and the Executive Office of the President, managing agencies’ infrastructure and mission services, reducing risks from daily cyber incursions. In that time, I came to appreciate the need to do more — to train and educate people in basic, good cyber-hygiene practices.

At CRI, we provide free, easy-to-use tools and resources to help small and medium-sized businesses around the world become more cyber-secure and resilient. When it comes to government entities, towns, cities, and counties are essentially small businesses. Our resources and guides focus on human behavior and place significant emphasis on employee education and awareness. Most ransomware and phishing incursions can be prevented by taking practical, common-sense steps.

In the case of ransomware, it is as simple as: prepare, respond and recover.

Prepare

Ransomware gangs and nation states want to hold your town or city data hostage and do the most economic damage possible. So, don’t give them leverage. Regularly back up your critical data and store it offsite in the cloud or offline. And this part is vital: Regularly test your backups.

Also, know the behaviors bringing ransomware risk. Phishing attacks are the most popular entry point for cybercriminals. Conduct routine phishing tests so employees can detect a phishing email before clicking on any dangerous links or attachments and, when possible, use anti-phishing software.

Make sure your software is up-to-date with the latest security patches. Insist employees use strong passwords or passphrases (at least 15 characters) and implement multi-factor authentication, which requires users to present more than one piece of evidence when logging in to an account. This step alone prevents 99.9% of account-compromise attacks.

Respond

If an employee or your government agency is confronted with a ransom request, your organization must first assess the legitimacy of the ransom request by contacting your IT manager. If you have prepared and have backups that work, the ransomware attack is moot. You are free and clear to restore your data completely and get back to work. Regardless, you should report the incident to the appropriate law enforcement agency.

If the data held hostage is needed and there are no working backups, things become more complex. Check if the data exists somewhere else in the organization so you can “tape” together the data to replace what is being held hostage. If you can’t access the data elsewhere, ask the following questions:

• Is the data critical to your operations?
• Has your organization pre-determined that it is OK paying a ransom?
• Does your insurance cover it?

Recover

The scope of the ransomware attack and the severity of its impact on your daily operations will determine how much time and effort is needed to recover. Use the incident as a learning experience to reinforce the importance of preparation.

As with any security breach, notify all affected parties, reset the user IDs and passwords of all compromised devices, update the software on all devices and reinstall your data from backups once the ransomware threat is neutralized.

Ransomware is not an incurable scourge. Protections are not limited to organizations with the deepest pockets. We know the playbook for preventing debilitating attacks that could limit the abilities of towns and cities to serve their citizens, and we all just need to implement it.

Karen S. Evans is the managing director of the Cyber Readiness Institute and has held Congressional- and Presidential-appointed cybersecurity leadership roles with the U.S. Department of Energy, U.S. Department of Homeland Security and the Office of Management and Budget.