Why organisations are failing to close the gap on ransomware
When COVID-19 spread across the globe in 2020, countless businesses swiftly migrated to the cloud to implement a remote work model.
While this allowed for business continuity, and the cloud presents great opportunities, the rush to migrate meant many organisations did not take full advantage of its capabilities.
And, still don't.
Many businesses have simply moved what they did on-premises to the cloud. And, this is increasingly shown to result in inefficient and expensive outcomes when compared to a cloud-native strategy.
Organisations are also losing the security characteristics they inherited on-premises, such as network segregation and private networks, which may never have been recognised as protective measures.
At least the ‘Soft-Centre/Hard-Shell’ security model had a hard shell.
In the cloud, businesses are effectively shifting and exposing their data to a hotbed of malicious activity, opening every user’s device as a doorway to that precious data.
So, while the transition to remote work provided benefits to both employees and employers, it also presented unique security threats—threats that many organisations are yet to overcome.
Attackers seeking the path of least resistance are actively looking for organisations that haven’t considered how employees access infrastructure, assets, and information online.
There may not be a silver bullet to stop ransomware, but there is a way to turn the cloud into a security opportunity.
While ransomware has been a preferred method of attack for cybercriminals for years, the frequency of ransomware attacks has increased.
The Australian Cyber Security Centre (ACSC) recorded a 15 per cent increase in ransomware cybercrime reports in the 2020–21 financial year.
Today, organisations are attaching the effectiveness of their security controls to their identity. IT departments are therefore incentivised to say they have ransomware under control, even when they know they haven’t.
Externally, cybersecurity is growing so rapidly that a slew of vendors are entering the space, also pledging they have got organisations covered.
A quick scan of local media reports in the last few days provides evidence that organisations are not covered: demands to NSW Labor and Uniting Care Queensland, and a pokies outage in Tasmania, to name a few. Then there’s the shock report in Forbes that “92% who pay don’t get their data back”.
Not to mention the catastrophic failure of US pipeline operator Colonial to prevent a ransomware cyber-attack by the criminal DarkSide group, closing operations and preventing the flow of fuel in the US.
All of this is eroding trust.
Despite assurances from IT and vendors, and significant investment in shiny hardware and software, businesses are always shocked to find they are still vulnerable to ransomware attacks.
Or worse, become the target of one.
However, when you look at what it takes to defend against ransomware, very few organisations have the necessary measures to address it effectively.
Ransomware itself isn’t as complicated as it seems, but it takes many layers of security, alongside many different approaches and controls, working in unison to effectively deal with it.
IT and vendors are part of the solution, but it is going to take more than the approach typically followed by organisations today to close the gap on ransomware.
Effective ransomware protection relies not only on integrity and control over data; it requires consistent management across all devices that access that information.
And, this is much harder to achieve with a traditional endpoint security approach.
Organisations that give employees privileged access to cloud environments also risk increased exposure to (often automated) ransomware attacks. Alarmingly, Forrester Research found 80 per cent of security breaches involve compromised privileged credentials.
The remote workplace, which was desired and required during the pandemic, must be addressed from a security perspective too.
Employees still need to get their jobs done while working from home, even though the rise in remote working has led to a rise in opportunities for an attack across all sectors. The current approach to facilitating visibility of remote devices is to use a VPN, but that opens an organisation’s information to employee devices.
We celebrate the individual or team that says they have ransomware covered, but it is an unrealistic expectation.
IT typically does not have adequate funding or resources to deal with ransomware effectively before an attack.
Backups are unreliable and untested, endpoints and devices lack adequate security to prevent their use to pivot to other systems and access the data, and organisations don’t have visibility of where the threats are.
When an attack happens, organisations tend to open a big “emergency” budget, which contractors take advantage of while the client is vulnerable. It’s a reactive approach, which is inefficient, costly and ultimately ineffective.
Even those who survive the ransomware attack find themselves vulnerable and often succumb to subsequent attacks.
Organisations must stop making ransomware IT’s reactive problem. They need to see it as a business problem that is everyone’s responsibility and learn from successful attacks.
Businesses need to set a business-as-usual benchmark that they are keeping up with the basics, such as patching, and applying sensible security models, based on consistent security baselines across the entire fleet.
This helps prevent the adversary from gaining the initial foothold from which they build their ransomware attack.
The CIS Benchmarks, for instance, are designed by security professionals to provide the greatest coverage against the widest array of attacks, by applying best-practice security controls to the operating systems and software we rely upon.
Institutions of any size can implement these benchmarks, without buying endpoint software or investing in unnecessary predictive measures like artificial intelligence and machine learning.
Ultimately, it comes down to good management and sensible hygiene.
Tackling ransomware requires a layered security approach that includes discipline in lots of different areas, prioritising requirements based on what the threat looks like.
Patching is the first step, but it is just as critical for organisations to ensure they have visibility over all devices, their software, and security posture.
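As an added illustration of the two points above (a consistent baseline across the fleet, and visibility of every device's patch state and posture), here is a small posture check in Python; it is not code from the original article. The baseline settings, thresholds and device inventory are constructed for the example and are not items from the CIS Benchmarks; the check deliberately reports a device that has not sent an inventory recently as unknown rather than compliant.

```python
from dataclasses import dataclass
from datetime import date

# Constructed baseline, illustrative only: required settings plus a maximum tolerated patch age.
BASELINE = {"disk_encryption": True, "auto_update": True, "local_admin_for_user": False}
SCREEN_LOCK_MAX_MIN = 15
MAX_PATCH_AGE_DAYS = 14

@dataclass
class Device:
    hostname: str
    last_patched: date
    settings: dict
    last_seen: date = None  # None: the device has never reported an inventory

def check_device(dev: Device, today: date) -> list:
    """Return findings for one device; an empty list means it matches the baseline."""
    if dev.last_seen is None or (today - dev.last_seen).days > 7:
        # Without visibility, nothing else reported about the device can be trusted.
        return ["no recent inventory: posture unknown"]
    findings = []
    overdue = (today - dev.last_patched).days - MAX_PATCH_AGE_DAYS
    if overdue > 0:
        findings.append(f"patching overdue by {overdue} days")
    for key, required in BASELINE.items():
        if dev.settings.get(key) != required:
            findings.append(f"{key} is {dev.settings.get(key)!r}, baseline requires {required!r}")
    lock = dev.settings.get("screen_lock_minutes")
    if lock is None or lock > SCREEN_LOCK_MAX_MIN:
        findings.append(f"screen lock {lock!r} exceeds {SCREEN_LOCK_MAX_MIN} minutes")
    return findings

def fleet_report(devices: list, today: date):
    """Return per-device findings and a fleet-level count of drifted devices."""
    results = {d.hostname: check_device(d, today) for d in devices}
    drifted = sum(1 for f in results.values() if f)
    return results, {"total": len(devices), "compliant": len(devices) - drifted, "drifted": drifted}

# Constructed sample inventory: one compliant laptop, one drifted, one that never reported.
AS_OF = date(2021, 6, 15)
FLEET = [
    Device("lt-001", date(2021, 6, 10), {"disk_encryption": True, "auto_update": True,
           "local_admin_for_user": False, "screen_lock_minutes": 10}, last_seen=date(2021, 6, 14)),
    Device("lt-002", date(2021, 4, 1), {"disk_encryption": False, "auto_update": True,
           "local_admin_for_user": True, "screen_lock_minutes": 30}, last_seen=date(2021, 6, 14)),
    Device("lt-003", date(2021, 6, 1), {"disk_encryption": True, "auto_update": True,
           "local_admin_for_user": False, "screen_lock_minutes": 15}),
]

print(fleet_report(FLEET, AS_OF))  # run stand-alone to see per-device findings and the summary
```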
Securing end-user devices can quickly uplift organisations towards Zero Trust while also facilitating a positive end-user experience.
As we enter the post-pandemic world, it’s time to address how to meet security challenges in our new remote workplace.