Ransomware is hitting close to home for organizations of all sizes and sectors. With attacks making headlines daily, it’s no surprise that 62% of surveyed IT decision-makers are concerned about coping with malware and ransomware, according to the Dell Technologies 2021 Global Data Protection Index (GDPI).
It’s not only the rising drumbeat of the bad news that keeps this threat top of mind. When you regularly see the impacts on your industry peers, you start asking yourself: are we next? At the GDPI launch event, Michael Dell, chairman and CEO of Dell Technologies, explained why all businesses, large and small, from your insurance broker to the local butcher, are more spooked than ever before.
The GDPI survey uncovered that 64% of leaders are concerned they’ll experience a disruptive event, such as data loss or downtime, in the next year. With the frequency of ransomware attacks on the rise, all businesses should expect an attack. Whether or not you should be fearful depends on how prepared you are.
Many cybersecurity threats are destructive, but few pack as big a punch as ransomware. Its profound effects stretch across your entire organization, halting operations, disrupting business-critical services, and sometimes even putting people at risk. These attacks are also among the costliest to mitigate.
What makes ransomware unique, however, is its “in your face” style. You can discreetly mitigate other security incidents, but ransomware attacks have become so overt that your customers will most likely know about them. What would that do to your brand reputation and trust?
For cybercriminals, ransomware is the perfect crime for the digital age. Not only does it have a low entry barrier, but it yields a greater return on investment than garden-variety cybercrime. Like a savvy entrepreneur, a threat actor goes where the best opportunities are—and today, that’s ransomware.
A ransomware attack requires little technical skill, thanks to the availability of ransomware-as-a-service on the dark web marketplace. The ransomware operators don’t have to concern themselves with reconnaissance, gaining initial access or writing exploits. All these services, and plenty others, are available in abundance—complete with 24/7 customer service.
On top of that, the attackers don’t have to go far to monetize. When you’re hit with ransomware, you become, in essence, an instant “customer” of theirs. They know you need your systems to be up and running as fast as possible, and you need to prevent the potential release of your data. They have your instant attention and the power—unless you have the means to defend yourself and recover your data.
To guard against ransomware, you have to start with the basics. First, implement the NIST Cybersecurity Framework (or a similar framework designed for your industry). Once you have the essential pieces in place—patching, antivirus, security awareness, and so on—you can build to the more sophisticated defenses, such as zero-trust and identity and access management.
Regardless of what other defenses you have in place, one of the most critical steps in fighting a ransomware infection is data backup. The more robust your backup plan, the less power and hold the attackers will have over you.
You likely have a backup strategy, but have you considered how ransomware has evolved? Before compromising your core data, attackers will typically spend a little bit of extra time in your network to see if they can compromise your backups. If you have a connected backup, they’ll find a way to exploit it.
That’s why you need an immutable, offline copy for your critical systems. But if this immutable copy is at some distant location on tapes, how quickly can you access it and restore your systems? According to the GDPI survey, the average time to recover from disruption, such as a ransomware attack, is six hours. But that length of time is too disruptive for many organizations.
Founders Federal Credit Union (FFCU) calculated that they could only give themselves an hour window. Working in a high-volume, online transaction-based industry, they simply couldn’t afford more time. So, the financial institution implemented a major overhaul of its data center with a focus on cyber resilience.
One of the many parts of the transformation initiative for FFCU includes a data backup and recovery plan that ensures data is always available, always protected, and always in use, thanks to technology such as a cyber recovery vault.
Improved compliance, business growth, and enterprise-class business resiliency are among the many outcomes for this small, regional credit union. But what makes FFCU a great success story is that today, it offers cyber resiliency consulting to other federal credit unions, in addition to participating on technology advisory boards for cyber resiliency and digital transformation.
Another important step in ransomware defense that many organizations overlook is practicing their disaster recovery and response plans. Without running drills, simulations, and tabletop exercises, your team will have to work out the details in the middle of a crisis. That’s not the best time to figure out whom to call and where to find those phone numbers.
According to the GDPI survey, 67% of IT leaders are not confident they’ll be able to recover their business-critical data in the event of a destructive cyberattack. As an industry, we can do better. If you haven’t thought through the ransomware risks and implications yet, start that process now. With practice comes confidence. Be reassured: you don’t have to be beholden to brazen criminals. There are ways and means to protect yourself. Yes, at some point in time, you’ll be targeted (if you haven’t already). But you can choose how you respond and minimize the fallout. There are ways to protect your business and recover your data without submitting to the criminals’ demands and lining their pockets with your hard-earned money.
To learn more about achieving breakthrough transformation at the intersection of people and technology, visit Dell Technologies’ hub on MIT Technology Review here.
This content was produced by Dell Technologies. It was not written by MIT Technology Review’s editorial staff.