The year of ransomware: How companies are boosting cybersecurity controls

Participants specifically were asked whether high-profile ransomware events over the last year, like the Colonial Pipeline attack, prompted their business to beef up its cybersecurity controls, to which 64 percent of the 308 total respondents answered with a resounding “yes.”

Asked in what specific areas they are enhancing their cyber defenses, respondents chose the following:

• Invested in new technology infrastructure (71 percent)
• Increased employee training (71 percent)
• Patched software vulnerabilities (49 percent)
• Increased testing/tabletop exercises (46 percent)
• Reviewed employee permissions (42 percent)
• Reviewed third parties (40 percent)
• Increased staffing around incident response (32 percent)

Experts in the cyberspace Compliance Week spoke with collectively noted cybersecurity investments really began to grow in response to coronavirus-induced shutdowns, forcing businesses to rework their processes to align with the newly remote workplace.

“I’m not surprised by the investment in technology infrastructure,” said Microsoft Chief Information Security Officer Bret Arsenault. “We have seen this increase more because of the pandemic, the move to hybrid work, and the subsequent need to improve cybersecurity capabilities.” 

One positive finding is the 71 percent who said they have increased employee training in this area. “Security is every employee’s responsibility, not just the CISO’s,” Arsenault said. “As I tell our employees at Microsoft, we have to focus on secure-by-design and secure-by-default, meaning security should be built into everything we do.”

In addition to investing in a new technology infrastructure, “companies need a set of simple principles,” Arsenault said. Microsoft, for example, lives by the principle of “zero trust,” he said.

A traditional “castle-and-moat” approach to network security, in which everyone inside the castle is trusted and everyone outside the moat is a threat, “leaves organizations exposed,” said Danny Lopez, CEO of cybersecurity firm Glasswall. A zero-trust approach trusts no one by default, regardless of whether they are inside or outside a network, he said.

Ransomware vulnerabilities

A concerning finding from the survey was only 49 percent of respondents said they patched software vulnerabilities. This number should be higher, given cybercriminals continue to exploit unpatched vulnerabilities in carrying out their attacks.

According to analysis conducted by Qualys, many major ransomware attacks over the last five years resulted from unpatched vulnerabilities when patches had been available for several years.

“We consistently see poor patching numbers across industries, which is one of the most basic security hygiene tactics that can help prevent security incidents,” Arsenault said.

Failure to implement the most basic measures is resulting in dire consequences for targeted companies. In 2021 alone, high-profile ransomware attacks hit critical infrastructures like Colonial Pipeline; meatpacker JBS USA; and engineering firm Weir Group, just to name a few.

“Companies are not going to get good at responding to ransomware if you don’t first get good at intrusion management, intrusion detection, and intrusion response.”

Steve Moore, Chief Security Strategist, Exabeam

Moreover, the pandemic has emboldened cybercriminals to carry out even more attacks. According to analysis conducted by the Financial Crimes Enforcement Network (FinCEN), U.S. banks and financial institutions filed 635 ransomware-related suspicious activity reports (SARs) concerning 458 transactions, valued at $590 million, during the first six months of 2021.

FinCEN received 487 such SARs in all of 2020, with transactions totaling $416 million.

Effective measures

Steve Moore, chief security strategist at Exabeam, stressed ransomware is the end goal of cybercriminals. Often, it is the product of a stolen credential—for example, a password that was harvested by a criminal group—or of precursor malware that analyzes the system’s environment and delivers ransomware at a later point.

“Companies are not going to get good at responding to ransomware if you don’t first get good at intrusion management, intrusion detection, and intrusion response,” Moore said.

Patching vulnerabilities and establishing multifactor authentication (MFA) are simple and healthy practices that go a long way to preventing a cyberattack, said John Shier, senior security advisor at Sophos. At Colonial Pipeline, for example, the now-offline ransomware gang known as DarkSide was able to breach the company’s network through an inactive virtual private network (VPN) account that didn’t use MFA.

Companies should also have the know-how to detect anomalies in the network, which includes understanding what normal network traffic and normal user activity looks like. “Having a sense of what that baseline looks like is critical to then being able to notice when something anomalous happens in your network,” Shier said.

Moore suggested considering the following questions: How do we know if our accounts, either internally or externally, have been compromised? How do we differentiate normal sign-in activity? How do we know if credentials have been stolen, and what do we do to monitor those?

When it comes to responding to a cyberattack, keeping backups offline where they are not accessible to cybercriminals helps get the business back up and running as quickly as possible, cybersecurity experts recommend. Increasing testing/tabletop exercises, as cited by 46 percent of survey respondents, is a helpful exercise as well.

“Maybe it means shutting down a whole segment of your network and/or shutting down vulnerable networks,” Shier said. It also helps to know in advance who will need to be notified in the event of a breach.

Compliance’s role

Our survey asked respondents what role compliance has in their company’s cybersecurity function. The plurality (31 percent) said they do not play any role, followed by 29 percent who said they are “part of a committee.” Another 20 percent said they serve as an advisor.

Asked what role compliance should have, part of a committee received the most votes (40 percent). Advisor (24 percent) was next, followed by primary oversight (16 percent).

Only 9 percent said compliance shouldn’t have any role.

“Compliance officers play a huge role in ensuring the overall viewpoint of an organization’s risk is captured,” Lopez said.

Every state in the United States requires companies to notify individuals when a security breach compromises their personally identifiable information. Depending on the size of the organization, that mandate can potentially be a monumental and costly compliance task.

Moore shared a real-life example of a company that fell victim to a data breach and had mail notifications go out to each of its more than 78 million customers. The firm enlisted the help of the three largest printing companies in the world, and they still couldn’t respond fast enough, he said.

The moral of the story: Compliance can help ensure the company has its ducks in a row when it comes to large-scale incident response and assessing whether plans need adjusting.

Questions to ask include: How does the company plan to notify victims in the event of a breach? If we’re going to notify each person through email, do we have everybody’s email address? For mail, do we have everybody’s valid home address?

Compliance can also encourage and train employees “to put their hand up straightaway” in the event someone opens a corrupt document, Lopez said. “When you come under attack, time is the biggest commodity,” he said, and it is only through having complete transparency that the business can respond quickly.

“From a compliance perspective, the goal should be to make security as straightforward as possible for employees so that it is built into what they do,” Arsenault said. In practice, that means simple things like keeping only sensitive data that’s needed for as long as it’s needed and giving access to only those who need it for as long as they need it. “This helps employees to stay on a compliant track,” he said.

Cyber insurance trends

According to the survey, 48 percent of respondents said their company has considered purchasing cyber insurance in the past year, while 11 percent said no. The rest were unsure.

Asked which clauses they consider most important, participants most commonly chose cyber-extortion (27 percent), followed by social engineering (10 percent) and failure-to-maintain (8 percent). Some organizations purchase all the above.

As ransomware continues to rise in scope and severity, some insurance providers have started putting in place strict underwriting controls or limiting ransomware coverage altogether. It’s critical for companies that are considering such coverage to first familiarize themselves with what cyber insurance products are out there, as well as their coverage limits.