If any company’s leadership hadn’t been paying close attention to the growing threat of ransomware attacks, the Colonial Pipeline incident should serve as a loud wake-up call.
The Colonial incident is far from the first ransomware attack to disrupt a U.S. company’s operations, but it stands out because of the immediate impact it had on critical infrastructure that affects millions of Americans’ everyday lives.
The big lesson from this attack is that virtually any organization can be vulnerable to the scourge of ransomware. While it hasn’t been disclosed exactly how a suspected Russian hacking group gained access to Colonial’s systems, companies that run critical infrastructure should be some of the best protected and have access to support from U.S. government agencies to beef up their defenses.
But just as Covid-19 can lay low healthy, cautious people, ransomware attacks can infiltrate companies that may feel they’ve done the right things and are immune to attack.
Exacerbated by the pandemic-driven work-from-home trends and the growing sophistication and boldness of hackers, the number of ransomware attacks has surged over the past year. The rapidly growing number of hardware and IoT devices that are connected to networks is making it hard for not just IT departments but also operations departments to keep up with potential weak points while increasing the risk of serious safety issues, such as shutdowns of hospitals or transport systems.
The gravity of these threats demands a multi-level response by governments and companies. U.S. regulators need to find ways to reduce incentives and increase deterrence for the cyber criminals behind ransomware assaults. An important first step could be to increase controls over cryptocurrencies like Bitcoin, the anonymity of which has made it the payment method of choice for hackers.
CEOs and their CIOs shouldn’t base their cyber defense on government action, though. They should be taking steps to identify and address any potential weaknesses in their networks and to limit the fallout from a successful attack.
As individuals and remote workers, we should all be practicing basic IT security hygiene to protect our data from bad actors. That includes creating strong passwords, being alert to phishing attacks, keeping sensitive documents secure, and habitually shutting down idle computers and devices, especially routers.
At the corporate level, there remain big discrepancies in how seriously companies invest in cybersecurity and how tightly they enforce procedures.
Companies need to have multi-layered protections, starting with a strong cloud network and extending through perimeter and end-point security, to avoid that initial breach. An important part of that is ensuring software patches, including anti-virus updates, are always applied promptly to help eliminate known vulnerabilities.
This sounds obvious, but it has become easier to miss as systems become more complex and patch installations are delayed to avoid interfering with other systems.
IT departments also need to have strong systems in place to monitor threats to their networks and investigate unusual activities. Quickly catching and containing a breach before it spreads to vital systems can make the difference between a minor incident and a full-blown crisis that costs millions of dollars. This can be done in-house or through one of the excellent third-party monitoring services that are available.
Companies should also consider the risks inherent in moving their data to the public cloud. While these services are generally secure, they do increase potential exposure and may not be appropriate for certain sensitive types of data or for companies in critical infrastructure sectors.
The weakest security link in organizations is often human error, a vulnerability that has grown since whole workforces have shifted to remote working arrangements amid the Covid pandemic. It only takes one successful phishing email or weak password to give bad actors the access they need, making it essential for companies to have effective security training programs in place.
Unfortunately, a lot of training efforts become a box-checking exercise and lack incentives for employees to absorb the key messages. A “carrot-and-stick” approach — with warnings about the career consequences of failing to absorb the lessons and rewards for the best performers — can be an effective way to incentivize staff.
It’s also important to have a clear and well-rehearsed plan in place in case the worst happens. Senior executives and IT teams should conduct regular exercises around real-world scenarios in which they have to scramble to respond to an attack and a ransom demand. Executives should know which contacts in law enforcement to call for help dealing with the crisis and gather any information they have on the threat and the group behind it.
Running a tight cybersecurity ship with these practices and precautions won’t guarantee against a ransomware breach, but it will go a long way toward deterrence and minimizing an organization’s exposure and risk when attempted attacks are detected early. As organizations rapidly move to become fully digital businesses, cybersecurity is no longer a “nice to have” — it’s a critical part of the IT infrastructure.