Recent headlines have highlighted the growing cybersecurity risks to UK firms, in line with the ‘steady and significant’ rise in ICO-reported attacks. Additionally, there has been some speculation that risks will continue to grow in retaliation to sanctions against Russia.
However, not all attacks are equal. Since the ICO began publishing their data in 2019, malware and phishing reports have remained fairly consistent. By contrast, ransomware allegations have increased more than five-fold: from 72, in the first two quarters of 2019/20, to 363 in the same period this year.
Ransomware attacks gain access to company data and then hijack that access, typically through unauthorised encryption. The attackers then offer to return the data – by providing the key needed to decrypt it – in exchange for a cryptocurrency payment: the ransom.
These attacks have significant implications for organisations that handle personal data. The ICO has published their own advice for organisations responding to these attacks, and the NCSC provides guidance for private and public sector organisations to mitigate ransomware threats.
Above all, the most effective actions available to organisations dealing with ransomware attacks are their preventative measures. In particular, there are three key prongs of defence:
- Data security
- Cyber-hygiene and defences
- Incident management
Considering each of these in turn:
Data Security: How are you protecting data?
Security measures come in lots of forms – including technical, personnel, and policy considerations – and an effective security plan will broadly cover all these bases.
Technical measures include a secure firewall and multi-factor authentication. These are the defences which make it difficult for attackers to gain unauthorised access to your servers.
Personnel measures are equally important: clear governance, appropriate security policies, and strong access controls. Good practice restricts data access to those users who need it, which limits internal vulnerabilities.
Finally, regular data backups will insure against the risk of data loss and neutralise the fundamental threat of ransomware (your data cannot be ransomed if you have a second copy, provided that copy is kept where the attacker cannot also encrypt it). However, backups do not mitigate the risk of unauthorised access to data. NCSC have published security guidance specific to data backups on their blog here.
Cyber-hygiene and defences: How are you defending from attacks?
Cyber-hygiene is a term for user practices and policies which maintain device ‘health’ or ‘cleanliness’ by avoiding common ways of ‘picking up’ malware or scam attempts. Robust, organisation-wide cyber-hygiene training is a powerful tool for limiting your organisation’s vulnerabilities.
Part of this training should emphasise employees’ technical duties and the consequences of neglecting them – for example, using secure passwords to guard against fraudulent access. As well as these technical measures, effective training includes an understanding of the policies which govern them, and identification of the key data protection contacts within the organisation.
Assuming ongoing attacks
Cyber-attacks are not static. Malicious actors are constantly looking for new vulnerabilities to exploit, and new ways to exploit them.
So, training should be routinely updated and regularly delivered. This is mainly for reasons of accuracy and familiarity, but also because regular training with out-of-date information is an ineffective tool, which will undermine the importance of your cyber-hygiene measures.
Similarly, technical security measures – your firewalls, authentication measures, and so on – should be consistently monitored and regularly updated. Key elements should include:
- Vulnerability recognition – to identify weaknesses in your system as soon as possible
- Fast patch management – to restrict those vulnerabilities through quick resolution
- Virus detection – to ensure that your first line of defence is not your only defence, and that the potential damage from any viruses which are delivered to your system can be rapidly limited
Incident management: how prepared are you for an attack?
Security measures, staff training, and vulnerability management are all important good practices for limiting damage in the case of a cyber-attack. However, the vital final component is a robust incident response plan. Speed is of the essence when responding to cyber-attacks, and having a plan already in place ensures a rapid response and the best chance of recovery.
An incident response plan should cover:
- Key contacts
- Escalation and evaluation criteria
- Guidance on legal and regulatory obligations
In other words, the same key pillars which inform the development of your organisation’s security measures and preventative training. Simply put, when it comes to ransomware attacks, preparation is your best defence.