Ransomware has been front page news for several weeks, after the Colonial Pipeline and JBS Meats incidents. It has even been discussed by the White House Press Secretary and brought security experts onto the Rachael Madow Show. And Sunday’s Meet the Press had Intelligence Committee Leaders discussing how to better avoid Ransomware.
With all this attention, the question is what can we all do to prevent this new form of extortion. I asked experts within the #CIOChat. Their compiled answers: it is simple not about requiring better technology. Stopping ransomware requires better processes, better personal choices, and better management. Let’s start with better management.
1) Better Management
I was honestly surprised that management was first on the CIOs list, but after reflection, how could it not be?
In Theordore Levitt’s book, Thinking About Management, he says managers should ask simple questions. Why do we do it this way? What are the alternatives? What are the potential business costs? Who does it better? It is time for CEOs to start asking these kinds of simple questions about their firm’s security posture.
CIO Paige Francis suggests, “everything starts by determining where you are. This starts with assessment. With this, leaders can map out a plan to create continuous, rock-solid security and compliance. There can be no shortcuts. You need to identify and combat gaps and vulnerabilities every step along the way. And then you need to re-assess and repeat.”
In this process, CTO Peter Salvitti says, “determine where your organization is with respect to cybersecurity. Is your information security good and defensible? To be clear, good means basic hygiene is in place plus situational awareness, and defensible means enough has been done to protect your organization.” CMMi and continuous improvement approaches without question can help here as well.
Meanwhile, CIO David Seidl suggests organizations take a disaster recovery mentality with respect to cybersecurity. To be effective, this requires the consideration of the CEOs and CIOs. It should include “three things: 1) a response process is exercised and tested; 2) decision flows for ransoms, communications, and restoration priority; and 3) 3rd party contracts to help already being in place.”
CIO Justin Bauer adds that “the incident response plan printed and practiced.” Finally, in this moment of division, Michelle Dennedy, former Chief Privacy Officer, and the Author of the “Privacy Engineers Manifesto,” argues “for a more diversified security team. Security is an area where inclusive hiring is sorely needed. This is about finding the skills and self-confidence to work with all the resources— not just failed models that feel safe but clearly are not.”
Part of doing well is like what business strategist Rita McGrath discusses in her book “Seeing Around Corners.” In this case, it involves looking for security inflection points that have the power to change the very assumptions the current security plan is built upon. This requires leaders creating an environment that actively supports the challenges tools, ideas, and current standard security.
2) Cybersecurity Maturity
Smart organizations have learned from past hacks and invested. A few years ago, I heard Mike McNamara, the CIO of Target, speak. He said that if Target had another massive compromise, their business franchise would be over. So, what is needed, say CIOs, are three things:
- Good security operations
- Good security policy
- Good security engineering and testing
CIO Jason James adds that organizations need “zero trust models, accurate data mapping and auditing, enhanced detection, third-part auditing and verification of policies and procedures, and consistent patching.” This includes active monitoring and a secure network architecture.
Hurwitz & Associates Analyst Dan Kirsch argues that “encryption is critical. You should make your data worthless during a cybersecurity breach. Also, you should consider key management. If keys are exposed your encryption efforts are worthless. In the case of cloud computing, does your cloud vendor support bring-your-own-key?”
I personally believe, however, that data governance and masking based on role and responsibility is even stronger than coarse grain encryption because the bad guys don’t get the keys to everything.
3) Know Your Data
Dennedy suggests it is essential that organizations “know their data too. The wicked problem of privacy and security is continuous changing. Doubling all data is not sustainable. Organizations need to know where, what, and how to apply controls.” She goes onto say “if data protection and privacy is not in the scope of security plan, why not?” What is needed is the application of “fair information protection principles. Data should only be kept as long as it is needed. It is an asset that should be actively governed. Data collection should be proportionate and minimized.”
4) Data Backups
According to CIO Aldo Ceccarelli, organizations need to “become black belts in the art of backup.” David Seidl adds “backups need to be in a secure, separate location with good policies for critical stuff. There also need to be data segregation especially around backups. CIOs say recognize that what one recovers will not cut it if your whole infrastructure is under attack. Prepare for the two-pronged attack of encryption and exfiltration.”
5) Involve Your Employees
Employees have a critical role in preventing Ransomware attacks. CIOs say it is critical to put in place employee awareness training. This should include explaining the operational and economic impacts. It should as well include internally generated phishing campaigns to demonstrate how easy it is to fooled.
And this training cannot be a once a done—it needs to be on going and relevant. Getting specific, CIO Pedro Martinez Pui says, “invest in avoidance, awareness training combined with fake email campaigns, and help the ones that are caught. There should be structural pen test plan followed by remediation actions. And remind all units this is a consubstantial price to be in business!”
Even with all of these things, CEOs and CIOs will not prevent every attacks. There is clearly a role for government. And hopefully, there can be some actions take against state actors. This could include offensive denial of service attacks.
But with this said, I believe the five actions recommended by CIOs can limit the amount of success criminals achieve. We all have a role in prevent Ransomware because as friend in the cybersecurity said to me recently, they have unlimited dollars and every tool and technology needed to succeed. Only together can we prevent them from achieving their ends.