On January 26, 2023, The Fifth Estate, Canada's premier investigative documentary series on the Canadian Broadcasting Corporation (CBC) network, examined in "Hunting the Hacker of Gatineau" the case of a Canadian government worker caught working with Netwalker, a criminal ransomware group that extorted victims around the world for millions in cash and bitcoin. The documentary illustrated how hackers are aggressively extorting companies as a part of criminal ransomware gangs, holding companies hostage for millions over threats of continued disruption or data leaks. Sounds all too familiar, right?
While the documentary warns of the dangers of ransomware, and the reality of those lurking in the shadows to strike at unsuspecting businesses, it should leave viewers with several questions. Most importantly, what can I do to avoid getting attacked by ransomware and hackers?
First and foremost, there is ZERO guarantee that your business will be 100% protected against ransomware, regardless of the steps you take to protect yourself, or the industrious claims of security companies. That's simply not possible. If an adversary is absolutely dedicated to disrupting you or your particular business, and is willing to spend the millions to do it (especially if they are state-enabled), they will spend the effort to circumvent any and all of your protections. Luckily, this level of dedication is seemingly reserved for the largest institutions who offer the most valuable data sets, like healthcare data, taxpayer and financial information, or those critical infrastructure businesses on which the public is highly dependent in their daily lives.
While avoiding the dedicated adversary might be less of a concern, you still need to protect yourself against the opportunistic adversary. These threat actors are simply out there finding easily exposed weaknesses in your defense shields and taking advantage of them. While these attacks don't make the daily headline news, they are happening nearly every single day across the world. Luckily, there are a few simple things that businesses can do to exponentially reduce their risk and become a formidable opponent.
1. Understand your ransomware readiness. I can't state this loudly enough. Too many companies simply don't understand whether or not they're protected against ransomware attacks or where their gaps are. If you don't know where your risks are, you are highly unlikely to close any vulnerabilities.
What should you do? Get a ransomware readiness assessment on your business. There are many free tools available to help you with this. Most will give you a score, based on your inputs. To get a better and more realistic picture, you're best off consulting a security provider who can run an assessment with you. Managed Detection and Response provider ActZero offers a free Ransomware Readiness Assessment (RRA) to help you understand where your gaps are by emulating a complete ransomware attack operation on your organization. The RRA will help you identify key vulnerabilities, understand how they help close those gaps to better protect you, and set you on a guided path to improving your ransomware readiness. It's free and requires ZERO commitment.
2. Formalize your plan to close the gaps. Yes, there are many, many guides and frameworks out there showing steps for defending against ransomware. Most are either over-simplified, or so technical that you need to hire an army of IT professionals to decipher the content. Check out the Ransomware Task Force's "Blueprint for Ransomware Defense," for which I was a lead contributor and huge supporter. Aimed at Small and Medium-sized Enterprises (SMEs) that have small IT teams with limited cybersecurity expertise, the 'Blueprint' provides a short list of 40 easily-implementable Safeguards that provide "essential cyber hygiene" – the protective controls and foundational capabilities necessary to help defend against general, non-targeted attacks. These safeguards were selected due to their effectiveness in blocking more than 70% of common ransomware attacks - those most likely to be directed at businesses like yours or used by opportunistic adversaries.
The Blueprint provides guidance on topics like understanding your environment, limiting access to only those who need it, implementing multi-factor authentication, software and hardware policies, security awareness training, incident response, and recovery efforts.
3. Bring in the professionals to detect and manage cyberthreats. According to Accenture's Cost of Cybercrime Study, 43% of cyberattacks are aimed at small businesses, but only 14% are prepared to defend themselves. This is not to say that businesses haven't invested in cybersecurity. Organizations have spent considerable chunks of funding on the most cutting-edge tools to prevent an attack. Unfortunately, most of these tools are reactionary, spit out massive volumes of unnecessary false alerts and noise, or miss threats altogether.
The aforementioned Blueprint lays the groundwork for more advanced capabilities like detecting and rapidly responding to threats that have evaded protective measures. Being able to stop adversaries who bypassed protective measures is key to avoiding ransomware. To be successful, your cybersecurity efforts need to be cohesive and constantly adapting to keep pace with evolving ransomware actors. This continuous effort is an absolutely MASSIVE challenge for an established cybersecurity vendor (most fail), let alone a small or medium-sized business.
Hiring a managed detection and response provider is the most practical and affordable way for SMEs to accomplish this goal. So, what makes a good MDR vendor?
- They can find threats (existing and emerging) quickly and with great precision;
- They can quickly react to threats on your business by automating simple procedures to block and contain threats before they cause damage;
- They help you (and themselves) learn from security threats, incidents, and events and provide guidance on how to close your hygiene and vulnerability gaps;
- And finally, the sum of all this effort needs to go into making the necessary adjustments to their threat models and tools so that the security incidents never happen again to you or others.
Humans and tools alone won't be able to compete with adversaries. I highly recommend implementing an MDR service that uses machine learning - like ActZero - to find, contain, and respond to ransomware threats.
4. Get cybersecurity insurance. Starting as a new coverage for corporate data breach liability, cyber insurance has evolved dramatically in the past decade into a critical tool for managing corporate cybersecurity risk. Cyber insurance should never be considered a default position against ransomware attacks. You don't (or shouldn't) drive wildly out of control because you have car insurance. You still drive defensively to avoid accidents. Cyber insurance should be treated the same way. It is there to cover your costs of recovery and loss if all your other efforts fail.
Obtaining cyber insurance isn't a given, though. Insurers have become much more diligent in assessing risk. That's why it's critical to follow my top 3 recommendations: they allow your business to put its best foot forward in qualifying for coverage, achieving discounts on your premiums, and, overall, allowing you to sleep a bit better at night.
So there you have it. While this is not an exhaustive list of the many things that you can do to protect your business, my hope is that I have provided some simple steps to help you avoid becoming an interview participant on The Fifth Estate's follow-up to their documentary - with all due respect to them and their excellent work to share this story with Canadians and beyond.
Stay Vigilant!