How to prepare client companies for ransomware attacks

Ransomware is a constant aspect of the IT landscape but isn't always seen as a priority. IT service providers can help their clients mitigate the risk.

Headlines covering the latest ransomware attacks seem to be everywhere. Enterprise-level companies, SMB companies, healthcare organizations, government agencies, retailers -- ransomware has struck every type of business across almost every sector.

So why do some businesses still treat ransomware like an outlier threat?

One problem is that discussions around cyber-risks are sometimes seen as fear mongering, particularly when executives are already nursing a case of cyber-risk fatigue. But IT experts who monitor the evolution of ransomware attacks know the threat is more than a trendy news story -- it's today's reality.

Another challenge is that harried IT departments want to simply stand up some anti-ransomware technology and call it good. But effective ransomware defense and recovery strategies aren't all about tech. Translation: there's more work to be done.

That work is around two other vital components that IT service providers and end user organizations alike must also consider: people and processes.

If you want a reasonable chance of preventing a ransomware attack and, perhaps more importantly, of recovering from an attack should something slip through your defenses, then each of those buckets -- people, technology, and processes -- requires action.

Conduct security awareness training for ransomware

First, acknowledge that your clients will never get everyone to stop clicking on suspicious email links. It just won't happen. Human nature is both curious and trusting, at least when it comes to messages that kind of look like they might be from someone you met at a conference a couple years ago.

Knowing that you can't prevent every unwanted click, the goal instead should be to work toward fewer clicks and shrinking your overall risk envelope with security awareness training.

Training gets you toward that goal. Show users how to spot untrustworthy links. Educate them on ways to verify if a return email address is legitimate or spoofed. Then, give them clear direction on what to do if they click on something they shouldn't have. This way you'll at least have a head start on stopping a possible ransomware attack before it has a chance to get its hooks into your environment.
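To show concretely what "verifying whether a return email address is legitimate or spoofed" looks like when it is automated, here is an added Python example; it is not code from the original article. It parses a message's headers and reports the usual spoofing tells: a Return-Path or Reply-To domain that differs from the From domain, an address embedded in the display name that does not match the real sender, a From domain that is a near-miss of a trusted domain, and failed SPF/DKIM/DMARC results in the Authentication-Results header. The trusted domain `example.com`, the two sample header sets and the function names (`check_headers`, `looks_like_trusted`) are all constructed for this example.

```python
"""Heuristic sender-spoofing checks on raw e-mail headers (added example).

Every check is a hint, not proof: a legitimate bulk mailer can trip the
Return-Path test, and a typo in a partner's domain can trip the lookalike
test. The value is in surfacing the mismatch so a person looks twice.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the organisation treats as its own. Constructed value.
TRUSTED_DOMAINS = {"example.com"}


def _domain(addr):
    """Lower-cased domain part of an address ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower().strip()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one-or-two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_trusted(domain):
    """True when domain resembles a trusted domain without being one."""
    if domain in TRUSTED_DOMAINS:
        return False
    for trusted in TRUSTED_DOMAINS:
        if _edit_distance(domain, trusted) <= 2:      # examp1e.com, exarnple.com
            return True
        if trusted.split(".")[0] in domain:           # example.com.evil.net
            return True
    return False


def check_headers(raw_headers):
    """Return a list of warnings for one message's headers (empty = clean)."""
    msg = message_from_string(raw_headers)
    warnings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Envelope sender (Return-Path) should normally match the From domain.
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    if rp_addr and _domain(rp_addr) != from_dom:
        warnings.append(f"Return-Path domain {_domain(rp_addr)} differs from From domain {from_dom}")

    # 2. Replies being steered to another domain is a classic redirection trick.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        warnings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    # 3. Display name shows one address while the real sender is another.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", from_name)
    if embedded and embedded.group(1).lower() != from_dom:
        warnings.append(f"display name shows {embedded.group(1)} but message is from {from_dom}")

    # 4. Lookalike of a domain the recipient would trust at a glance.
    if looks_like_trusted(from_dom):
        warnings.append(f"From domain {from_dom} resembles a trusted domain")

    # 5. Receiving server's own authentication verdicts, if recorded.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.I)
        if m and m.group(1).lower() not in ("pass", "none"):
            warnings.append(f"{mech} result is {m.group(1)}")

    return warnings


# Constructed sample headers: one ordinary internal message, one impersonation.
LEGIT_HEADERS = "\n".join([
    "From: Alice Smith <alice@example.com>",
    "Return-Path: <alice@example.com>",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
    " dkim=pass header.d=example.com; dmarc=pass header.from=example.com",
])

SUSPICIOUS_HEADERS = "\n".join([
    'From: "ceo@example.com" <ceo@examp1e.com>',
    "Return-Path: <bounce@mailer-xyz.net>",
    "Reply-To: <replies@mailer-xyz.net>",
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-xyz.net;"
    " dkim=none; dmarc=fail header.from=examp1e.com",
])

if __name__ == "__main__":
    for label, hdrs in (("legit", LEGIT_HEADERS), ("suspicious", SUSPICIOUS_HEADERS)):
        print(label, check_headers(hdrs))
```

The same function can sit in a mail-gateway rule or a help-desk triage tool; the point for training is that every warning it prints corresponds to a header a user can inspect by hand with "show original" in their mail client.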

Prevent ransomware with proper security tools

As disruptive as ransomware is, it takes a surprisingly involved sequence of events for a device to become infected. That works in the defender's favor: it offers many different points at which to disrupt the kill chain before it causes unrecoverable problems. A ransomware attack requires a number of steps -- starting from opening an email with a ransomware link that infects a single machine -- before it brings your company to a grinding halt by propagating across the entire network. Has IT done enough to disrupt that chain?

If not, take heart in knowing that you have a slew of low-hanging opportunities to break the ransomware kill chain and make it much more difficult for an infection to damage a client's business. The most effective technology solutions focus on three key areas:

  1. Email security. The right products can block corrupt emails before they ever hit employees' inboxes. This is especially important when you look back to the people factor of your three-pillar foundation and remember that you will never, ever prevent 100% of ill-advised clicks. So even if someone opens an email from that long-lost colleague they met only once, a robust email security platform can put the brakes on a potential ransomware infection.
  2. Endpoint security. If your email security strategy doesn't stop a ransomware attack, a well-designed endpoint security solution can step in to do the dirty work. When endpoint security technology is implemented and configured correctly, essentially everyone and everything must pass through it. An email that doesn't pass the ransomware sniff test will be stopped and quarantined.
  3. Containment. Proper segmentation can still prevent an all-out ransomware attack, even if an email and its associated malicious files make it through other defenses. A strategy with segmentation at its core will maintain a protective perimeter around the most valuable data. It will enable you to stop the encryption of the assets that power core business systems. Segmentation offers a way to maintain operations even if a lot of other things go wrong during a ransomware attack.

Improve ransomware attack processes

Internal processes for dealing with a potential ransomware attack should be structured to bring people and technology into harmony to help you manage the evolving threat landscape. Consider how well-developed processes give you a leg up on dealing with ransomware:

  • Quick recovery following an infection
  • First steps in place to restore operations
  • Contacts available to support recovery efforts
  • Cyberinsurance coverage to help the business get back up to full speed

A couple of anecdotes illustrate how different approaches to ransomware defense and recovery have worked in the real world. The first is the city of Atlanta, which suffered a devastating ransomware infection that revealed a weak recovery strategy and a significant lack of planning. Operations were seriously disrupted while the attack was occurring and, three months later, a notable portion of the city's technology platforms continued to operate at a diminished capacity or were still offline entirely. Key data sets, including those related to law enforcement and legal proceedings, were permanently lost. The city's environment was too flat, it had little to no segmentation in the areas where it mattered, and its recovery efforts were haphazard and poorly orchestrated.

In contrast, the ransomware attack experienced by Maersk logistics demonstrates just how valuable a strong recovery strategy can be. The shipping giant suffered an outage that was both huge in scale and quick in execution -- somewhere in the region of 50,000 assets were encrypted in only 30 minutes. Though the enterprise also had a nearly flat network and the immediate effects included a widescale disruption of its corporate operations, Maersk's backup and data protection strategies were solid. The organization's thoughtful approach enabled it to completely recover its entire environment in just 10 days, and no long-term data losses were reported.

A ransomware attack can cause show-stopping problems for businesses. But there are ways to avoid that pain with simple steps to make people more knowledgeable, processes more powerful, and technology more effective.

About the author
Josh King is the director of security solutions at Carousel Industries. With more than 20 years of experience in the industry, Josh is responsible for charting and executing Carousel's customer-facing cybersecurity strategy. With a career that began in operations support, where customer satisfaction is the number-one priority, Josh understands that balancing user experience and manageability, with risk mitigation and overall security posture is crucial to a successful practice. As director of security solutions, Josh helps both customers and colleagues alike make sense of the broad and sometimes confusing landscape of cybersecurity and arms them with the knowledge and tools to deliver effective business outcomes. His enthusiasm and excitement for not only the cybersecurity industry but technology in general shines through with every engagement he is a part of.
