Whether your business generates $10 million or $10 billion in annual revenue, the fastest-growing threat to your operations is a cyber incident—most commonly in the form of ransomware. With over 70% of organizations globally hit at least once per year, ransomware is no longer a distant possibility. It’s a recurring reality.
Why Every Business is a Target
Imagine coming into work one morning to find that all your servers and data have been encrypted and you cannot access any of it. On top of that, all your employee and customer data has been leaked on the dark web and put up for sale to anyone willing to pay for it. Then the news sites start reporting that you have been hit by a ransomware group and that all your customers are at risk because of you. Imagine what that does to your reputation, let alone your bank account, as you either pay the ransom or pay for recovery operations.
Historically, cyber criminals targeted organizations to steal trade secrets and conduct industrial espionage. Today, ransomware has democratized cybercrime: any business with data, systems, and money is a viable target. Connected to the Internet and sheltered by nation states, cyber criminals are virtually immune from prosecution, and the groups behind ransomware are complex money-making ventures with political and social ties.
Anatomy of a Ransomware Attack
Threat actors no longer need to breach firewalls or exploit unpatched systems—over 75% of attacks rely on social engineering. Threat actors impersonate helpdesk or technical support staff, tricking employees into granting access. Once inside, attackers move quickly to compromise privileged accounts, exfiltrate sensitive data, and encrypt systems.
One popular ransomware technique begins with a threat actor flooding an employee’s email inbox with thousands of emails over the span of just a few minutes. The threat actor then calls the unsuspecting employee posing as technical support and offers to help with the problem. Once the employee surrenders control of their computer, the threat actor can install persistent malicious software, or back doors, that give them continuous access to the network, from which they can move laterally by compromising other accounts and passwords.
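The inbox flood that opens this technique is visible in mail-gateway logs long before the "support" call arrives, so it is a good thing to alert on. The following is an added example, not code from the original post: a small sliding-window detector run over a constructed sample of gateway log lines (the line format, the recipient names and the sender domains are all assumptions made for the example). It flags any recipient who receives at least 25 messages within five minutes and reports how many distinct senders were involved, because a sign-up bomb typically arrives from hundreds of unrelated senders rather than one.

```python
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample mail-gateway log (not real traffic). Assumed line format:
#   <ISO-8601 UTC timestamp> rcpt=<recipient> from=<sender> subject="<subject>"
_BASE = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_LOG = [
    # ordinary traffic for bob, spread over an hour
    '2024-05-01T08:10:00Z rcpt=bob@example.com from=ann@partner.example subject="Q2 invoice"',
    '2024-05-01T08:42:30Z rcpt=bob@example.com from=hr@example.com subject="Benefits update"',
    '2024-05-01T09:05:12Z rcpt=bob@example.com from=ann@partner.example subject="Re: Q2 invoice"',
]
# a flood of newsletter sign-up confirmations hitting alice: 40 messages,
# one every 4 seconds, each from a different (constructed) sender
for i in range(40):
    ts = (_BASE + timedelta(seconds=4 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
    SAMPLE_LOG.append(
        f'{ts} rcpt=alice@example.com from=noreply@shop-{i}.example subject="Confirm your subscription"'
    )


def parse_line(line):
    """Parse one log line into a dict with a datetime 'ts' plus the key=value fields."""
    tokens = shlex.split(line)  # shlex keeps the quoted subject as one token
    event = {"ts": datetime.strptime(tokens[0], "%Y-%m-%dT%H:%M:%SZ")}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        event[key] = value
    return event


def detect_inbox_flood(lines, threshold=25, window=timedelta(minutes=5)):
    """Flag recipients who receive at least `threshold` messages within any sliding
    `window`. Returns {recipient: {"count", "distinct_senders", "first", "last"}}
    describing the largest burst seen for each flagged recipient."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # recipient -> deque of (ts, sender) still inside the window
    alerts = {}
    for ev in events:
        q = recent[ev["rcpt"]]
        q.append((ev["ts"], ev["from"]))
        # evict messages that have fallen out of the window
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(ev["rcpt"])
            if prev is None or len(q) > prev["count"]:
                alerts[ev["rcpt"]] = {
                    "count": len(q),
                    "distinct_senders": len({sender for _, sender in q}),
                    "first": q[0][0],
                    "last": ev["ts"],
                }
    return alerts


def run_detection():
    """Run the detector over the constructed sample log."""
    return detect_inbox_flood(SAMPLE_LOG)


if __name__ == "__main__":
    for rcpt, info in run_detection().items():
        print(f"ALERT {rcpt}: {info['count']} messages from {info['distinct_senders']} senders "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

On the sample data only alice is flagged (40 messages from 40 senders in under three minutes); bob's three messages over an hour never approach the threshold. In practice the alert should reach the helpdesk as well as the SOC, so that a caller claiming to be "support" about exactly this problem is recognised for what it is.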
Threat actors have tools that dump password hashes out of memory and crack them against known databases, as well as other methods of gaining access to privileged accounts. The fewer layers of security a business or organization has, the quicker the threat actor can compromise its data and systems. Once access is gained, the threat actor begins copying data and PII offsite to public servers, then deletes backup copies of the data and encrypts the primary data on the way out, leaving a ransom note with terms of payment in Bitcoin or another cryptocurrency.
At this point, the only hope the business has of recovering its data is immutable backups (backups that cannot be deleted) to restore from; otherwise it must negotiate with the threat actors, pay a ransom, and hope it can recover from the incident. Often, organizations pay the ransom and still do not get their data back.
So, what can an organization do to protect themselves against a ransomware attack?
The Foundation of Cyber Resilience: Recoverability
The primary way to protect against a ransomware attack is recoverability. Prevention is important, but you have to accept that no matter how good your cyber program is, the threat actor might be better and more committed to compromising it, or might find the one hole in your program that you didn’t consider. You must have immutable backups using an immutable backup system: data is backed up under policies that make it impossible to delete for a set period of time. Multiple copies are better, with one copy air gapped, that is, disconnected from your primary network. The gold standard is 3-2-1: three copies of data, on two different types of media, with one copy off-site. Having SAN or storage snapshots on disk, a copy backed up to the cloud, and an immutable copy in a different cloud or air-gapped location is a good strategy.
If you are fortunate enough to be a company born in the cloud and all your data is in the cloud, don’t be fooled into thinking your data is safe. Your cloud provider is probably replicating your data across the cloud to protect against hardware and system failures, but they are not backing it up unless you are paying them for the service. Threat actors can compromise your data in the cloud, encrypting it or deleting it once they gain access.
A well-designed cybersecurity program has many layers, including training end users, prevention with firewalls and endpoint protection, a solid patching program, and so on, but the foundation is the ability to recover after an attack without having to pay a ransom and depend on the honor of criminals to give your data back to you.
Regardless of the size of your business, $10 million in revenue or $10 billion, the foundational implementation of backups and recovery is the same – only different in scale.
Executive Action: What You Should Ask
If you are a business owner, founder, or executive and you are unsure of the protection level of your data, simply ask your IT team or provider about their backup strategy, level of immutability, number of copies, and how often backups are tested to make sure they are working.
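The four questions above (strategy, immutability, number of copies, test cadence) map directly onto the 3-2-1 rule described earlier, and they can be turned into a repeatable check rather than a conversation. The following is an added example, not code from the original post: it models each backup copy with a handful of attributes and scores a backup posture against 3-2-1 plus an unexpired immutability lock, an air-gapped copy, and a 90-day restore-test cadence. The two postures it evaluates, a weak one with two on-site, deletable copies and a corrected one with a locked cloud copy and a locked, air-gapped copy in a second provider, are constructed for the example; the copy names, media labels and the 90-day cadence are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class BackupCopy:
    name: str
    media: str                        # e.g. "disk-snapshot", "object-storage", "tape"
    offsite: bool                     # held outside the primary site/network
    air_gapped: bool                  # not reachable from the production network
    immutable_until: Optional[date]   # retention-lock expiry; None means deletable at will
    last_restore_test: Optional[date]  # last successful test restore; None means never


def assess_backup_posture(copies: List[BackupCopy], today: date,
                          max_test_age_days: int = 90) -> List[str]:
    """Return a list of gaps against the 3-2-1 rule plus immutability, air gap and
    restore-test cadence. An empty list means every check passed."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs at least three")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies are on one media type; 3-2-1 needs two")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    # an expired lock is as good as no lock: the copy can be deleted today
    if not any(c.immutable_until and c.immutable_until > today for c in copies):
        findings.append("no copy is under an unexpired immutability lock")
    if not any(c.air_gapped for c in copies):
        findings.append("no air-gapped copy")
    for c in copies:
        if c.last_restore_test is None or (today - c.last_restore_test).days > max_test_age_days:
            findings.append(f"{c.name}: no successful restore test in the last {max_test_age_days} days")
    return findings


TODAY = date(2024, 6, 1)  # fixed date so the example is reproducible

# Weak posture (constructed): two copies on the same kind of storage, both on-site,
# one never locked and one whose lock has already expired, poorly test-restored.
WEAK = [
    BackupCopy("san-snapshots", "disk-snapshot", offsite=False, air_gapped=False,
               immutable_until=None, last_restore_test=None),
    BackupCopy("nas-replica", "disk-snapshot", offsite=False, air_gapped=False,
               immutable_until=TODAY - timedelta(days=5),
               last_restore_test=TODAY - timedelta(days=200)),
]

# Corrected posture (constructed): on-site snapshots, a locked cloud copy, and a
# locked, air-gapped copy in a second provider, each test-restored within 90 days.
STRONG = [
    BackupCopy("san-snapshots", "disk-snapshot", offsite=False, air_gapped=False,
               immutable_until=None, last_restore_test=TODAY - timedelta(days=10)),
    BackupCopy("cloud-backup", "object-storage", offsite=True, air_gapped=False,
               immutable_until=TODAY + timedelta(days=30),
               last_restore_test=TODAY - timedelta(days=20)),
    BackupCopy("vault-copy", "object-storage", offsite=True, air_gapped=True,
               immutable_until=TODAY + timedelta(days=60),
               last_restore_test=TODAY - timedelta(days=45)),
]


def weak_posture() -> List[str]:
    return assess_backup_posture(WEAK, TODAY)


def strong_posture() -> List[str]:
    return assess_backup_posture(STRONG, TODAY)


if __name__ == "__main__":
    for label, findings in (("weak", weak_posture()), ("strong", strong_posture())):
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' gap(s)'}")
        for f in findings:
            print("  -", f)
```

The weak posture produces seven findings, one for each question an executive should be asking; the corrected posture produces none. The check is deliberately strict about expired locks and stale restore tests, because a backup that can be deleted by whoever holds the admin credentials, or that has never been proven to restore, offers no protection in the scenario described above.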
There are a lot of components to an effective cybersecurity program, but backups and recoverability are the un-sexy foundational components that you must get right, regardless of your company’s size or industry.
Here are other important parts of your cybersecurity plan that I will be diving into in future posts:
- Enforce Strong Password Policies
Require employees to use complex passwords (at least 12 characters, combining letters, numbers, and symbols) and update them every 90 days. Utilize a reputable password manager to securely store and manage credentials, reducing the risk of unauthorized access.
- Implement Two-Factor Authentication (2FA)
Enable 2FA across all critical systems, including email, banking, and cloud services. This additional verification layer, such as a code sent via SMS or an authenticator app, significantly enhances account security.
- Maintain Up-to-Date Software
Regularly update operating systems, applications, and antivirus software to patch vulnerabilities exploited by cybercriminals. Enable automatic updates to ensure timely protection against emerging threats.
- Train Employees on Cybersecurity Awareness
Educate staff to recognize phishing emails, fraudulent invoices, and suspicious links. Conduct regular training and simulated phishing exercises to reinforce vigilance, as human error accounts for a significant portion of successful attacks.
- Deploy Robust Firewalls and Antivirus Solutions
Install and maintain advanced firewalls and antivirus software on all devices to protect against malware, ransomware, and other threats. Ensure these tools are configured for real-time monitoring and automatic updates.
- Protect Your Wi-Fi Network
Secure your Wi-Fi with WPA3 encryption, hide your network’s SSID, and use a strong, unique password. Create a separate guest network for visitors to prevent unauthorized access to your primary network.
- Restrict Access to Sensitive Data
Use role-based access controls to limit employee access to only the data and systems necessary for their roles. Promptly revoke access for former employees to prevent potential insider threats.
- Encrypt Sensitive Information
Apply encryption to sensitive data, including files, emails, and website transactions (using SSL/TLS protocols). Encryption ensures that even if data is intercepted, it remains unreadable to unauthorized parties.
- Develop a Cyber Incident Response Plan
Create and regularly update a comprehensive incident response plan that outlines steps for identifying, containing, and mitigating a cyberattack. Designate key personnel, establish communication protocols, and conduct drills to ensure preparedness.
- Implement Privileged Access Management and Restrict Access
Use Privileged Access Management (PAM) to control and monitor access to critical systems and sensitive data. PAM solutions enforce strict authentication, limit permissions to only what’s necessary for each role, and log privileged activities to detect anomalies. Additionally, apply role-based access controls to ensure employees access only the data and systems required for their duties, and promptly revoke access for former employees to mitigate insider threats.
Conclusion
By proactively implementing these cybersecurity strategies, businesses can significantly reduce their vulnerability to cybercriminals. Investing in robust defenses, employee training, and reliable recovery mechanisms not only protects your operations but also builds trust with customers and partners. The priority is making sure you can recover from a cybersecurity event, and that relies on rock solid backup and recovery systems and processes that are tested on a regular cycle.