Ransomware threats – how to combat them, bolster resilience


The relentless nature of ransomware attacks is a huge pain point for IT decision-makers (ITDMs) today. The reputational and financial damage to companies from successful attacks can be frustrating. According to Veeam’s latest Ransomware Report, one in seven organizations had almost all (>80%) data affected as a result of a ransomware attack.

The escalating frequency of such attacks on organizations is making cyber insurance a less viable option for companies today, as insurers are either opting out of cybersecurity coverage or putting a higher price tag on it. There are numbers to prove it: 74% saw increased premiums, 43% saw increased deductibles, and 10% saw reduced coverage benefits. This leaves organizations more vulnerable than ever, as 77% of ransoms were paid by insurance in the past year. Without this safety net, it is critical for organizations to focus on becoming more resilient.

Here are 12 tips that ITDMs need to follow to keep ransomware attacks at bay:

#1 – Phish your employees before blackhats do

If something sounds too good to be true, it probably is. Data-mature companies have started running phishing simulations on their employees, both to find out who is diligent enough to report these attempts and to identify those most likely to fall for social engineering. The tried and tested advice bears repeating: do NOT click on unknown links, open unexpected or suspicious attachments, or provide information to anyone you don’t know or weren’t expecting to hear from.

#2 – Know your malware statistics

Let’s face it: for all the talk about cybersecurity, there will always be individuals who get lulled into a sense of complacency. According to Veeam’s Data Protection Trends Report, 85% of organizations in Asia Pacific have suffered from at least one cyberattack in the last 12 months. Constant vigilance is key to preventing you from being part of this statistic.

#3 – Give hackers a hard time

Number-only passwords with ten characters can be brute-forced instantly. An 11-digit password brings that up to 2 seconds. It goes up exponentially from there – a 17-digit password will take four weeks to crack. Longer is stronger. Leverage passphrases to help create long passwords that are easy to remember but hard for others to guess.

#4 – Control your time to control your data

Wise men say only fools rush in – when working on sensitive information, slow down and avoid making simple mistakes. Also, always double-check parameters when sending information – the recipient/cc/bcc lists, attachments you may have forgotten to remove, or even message history.

#5 – Establish data classification systems

You cannot protect your most sensitive information if you don’t know the significance of the data you hold. Inventory and categorize your files. Classify and protect them based on their sensitivity level, and ensure the classification systems adhere to a clear hierarchy obvious to anyone who comes into contact with proprietary information.

#6 – Keep sensitive data in information silos

You may hire the most trustworthy people to work for you, but that doesn’t mean they all need access to your most sensitive information. As in the previous tip, provide access only on a need-to-know basis. This protects confidentiality and drastically reduces the impact if someone’s access is compromised. Use multi-factor authentication when given the option to minimize the damage if static passwords are stolen.

#7 – Automate your security

Technology is a cybersecurity leverage point. Using the right tools and introducing trusted systems that fit your organization can exponentially increase your productivity. This can mean introducing company-wide SaaS tools like VPNs to secure your data or leveraging comparatively ‘primitive’ tools like bookmarks for important URLs to reduce the odds of falling for phishing sites.

#8 – Establish a clear security structure

World-class athletes train to reach the point where muscle memory carries them through familiar situations. Your organization’s security can reach such a level, but the steps to get there must be intentional. First, you must have a defined incident reporting and response plan; secondly, this plan must be communicated frequently. Having these in place lowers the barriers to action when incidents actually occur. The shorter the time between an occurrence and your security team learning about it, the more damage can be mitigated.

#9 – Mobile phones are an attack vector too

Security doesn’t stop when you leave the office. Use an external battery pack rather than public charging ports as a first line of defence against ‘juice jacking.’ Connect only to private, trusted, and secure Wi-Fi networks to prevent data leakage. Use a privacy screen or stay away from prying eyes when keying in banking details or medical information. These are habits that, when formed, pay long-term dividends.

#10 – Create distinct work-life balance – for your devices

The boundaries between work infrastructure and personal devices are blurring. Some of us use personal devices and personal cloud services for work. To mitigate this, ensure your corporate policies are updated to require that any internet-connected device used for work is protected. This could take the form of anti-malware software, strong passwords, or access controls. No two organizations or devices are the same, but a general rule of thumb is that if you can connect it, protect it.

#11 – Upgrade your 3-2-1 backup strategy

You can have a best-in-class security program and still find yourself in a situation where your data can no longer be accessed or trusted. The traditional advice is the 3-2-1 strategy – have three copies of your data on two different media, with one copy offsite. For increased security, consider Veeam’s 3-2-1-1-0 strategy. On top of the steps in the 3-2-1 strategy, make sure to have one copy of the data that’s air-gapped and immutable, as well as a mandatory check for 0 errors to ensure the data’s integrity and usability.
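The 3-2-1-1-0 rule above can be turned into a check that runs after every backup job. The following is an added example, not Veeam’s code or anything from the original article: it models each backup copy with assumed attributes (media, offsite, immutable, air-gapped) and implements the “0 errors” step by comparing each copy’s SHA-256 hash with the hash recorded at backup time, using a constructed sample payload.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class BackupCopy:
    name: str
    media: str         # assumed attribute, e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable: bool    # write-once / locked retention: cannot be altered or deleted
    air_gapped: bool   # not reachable from the production network
    data: bytes        # the copy's contents (constructed sample here)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_copies(copies, expected_hash):
    """Names of copies whose content does not match the known-good hash."""
    return [c.name for c in copies if sha256(c.data) != expected_hash]

def check_3_2_1_1_0(copies, expected_hash):
    """Return a list of policy failures; an empty list means 3-2-1-1-0 is met."""
    failures = []
    if len(copies) < 3:
        failures.append(f"3: need at least 3 copies, have {len(copies)}")
    if len({c.media for c in copies}) < 2:
        failures.append("2: copies must sit on at least 2 different media")
    if not any(c.offsite for c in copies):
        failures.append("1: at least one copy must be offsite")
    if not any(c.immutable and c.air_gapped for c in copies):
        failures.append("1: at least one copy must be immutable and air-gapped")
    bad = verify_copies(copies, expected_hash)
    if bad:
        failures.append(f"0: integrity errors in {bad}; a restore cannot be trusted")
    return failures

# Constructed sample: a backup payload and the known-good hash taken at backup time
SOURCE = b"customer-db-2024-01-01.dump (constructed sample payload)"
SOURCE_HASH = sha256(SOURCE)
GOOD_SET = [
    BackupCopy("primary", "disk", False, False, False, SOURCE),
    BackupCopy("tape-vault", "tape", True, True, True, SOURCE),
    BackupCopy("cloud-locked", "object-storage", True, True, False, SOURCE),
]
# Same layout, but the tape copy has been silently corrupted (last byte changed)
CORRUPT_SET = [GOOD_SET[0],
               BackupCopy("tape-vault", "tape", True, True, True, SOURCE[:-1] + b"X"),
               GOOD_SET[2]]

if __name__ == "__main__":
    for label, copies in (("good", GOOD_SET), ("corrupt", CORRUPT_SET)):
        print(label, check_3_2_1_1_0(copies, SOURCE_HASH) or "policy met, 0 errors")
```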

#12 – Invest in a data-native workforce

Cybercriminals are constantly evolving and adapting their tactics as they learn about new protections being put in place. There are Phishing-as-a-Service providers that specifically target enterprises. Against this backdrop, it’s clear that your organization’s people can either be your weakest link or your greatest asset. Place greater emphasis on your staff’s digital education and data maturity beyond their scope of work and teach them how they can be part of your human firewall – each of them can become an extension of your security team.


By Beni Sia, Asia Pacific & Japan (APJ) Leader, Veeam.
