Ransomware response guide for businesses - Final part: How to reduce the risk of a ransomware infection.
Taking a proactive approach to security can help reduce the risk of a ransomware incident. Businesses of all sizes should implement, enforce and regularly test the following preventative measures:
Credential hygiene: Practicing good credential hygiene can help prevent brute force attacks, mitigate the effects of credential theft and reduce the risk of unauthorized network access.
Principle of least privilege: All organizations should adhere to the principle of least privilege, a security concept in which users, programs and processes are given only the bare minimum privileges necessary to perform their tasks.
Employee training: Because ransomware frequently spreads through user-initiated actions, companies should provide regular cybersecurity training with an emphasis on phishing, malicious email attachments and other social engineering tactics.
Multi-factor authentication (MFA): MFA should be made mandatory wherever possible to reduce the risk of unauthorized access.
Review Active Directory: Organizations should regularly review Active Directory (AD) to locate and close existing backdoors such as compromised service accounts, which often have administrative privileges and are a popular target for attackers who wish to obtain credentials.
Network segregation: Effective network segregation is crucial for containing incidents and minimizing disruption to the wider business.
Secure remote access: As RDP is an extremely popular attack vector, organizations must take steps to secure remote access (or disable it if it is not required). Remote access should only be available via certain networks or an MFA-enabled VPN, and limited to users who require it for their work.
Avoid BYOD: Implementing and strictly enforcing security protocols on employees’ personal devices is extremely challenging. Ideally, companies should provide dedicated devices and hardware and discourage employees from using personal devices for work-related tasks.
PowerShell: PowerShell is one of the most common tools used by ransomware gangs to move laterally within a target network and should be uninstalled if possible. If PowerShell is required, it must be very closely monitored via endpoint detection and response systems. Administrators should be aware of every single PowerShell script that is running on their endpoints.
Cybersecurity insurance: Organizations should consider cybersecurity insurance to help mitigate the impact of a ransomware incident. Cybersecurity insurance can be particularly beneficial for MSPs, which are often responsible for protecting other companies’ data. Some cyber insurance companies lean toward readily paying ransoms, while others prefer to explore other remediation options, so companies should talk to prospective insurers and discuss policies before committing to an insurance provider.
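Two of the measures above, securing remote access (watching for brute-force attempts against RDP) and being aware of every PowerShell script that runs on an endpoint, are things a defender can check from Windows event logs. The following Python script is an added example written for this article, not code from the original guide: it triages a constructed set of event records (hostnames, users, IP addresses and script text are all made up for the example) for failed RDP logons (Security event 4625 with LogonType 10) and inventories PowerShell script blocks (PowerShell/Operational event 4104) against an allow list of known administrative scripts. The field names and the allow-list-by-hash approach are assumptions of the example, not part of the article.

```python
"""Added example (not from the original article): triage of constructed Windows
event records for two of the controls discussed above, RDP brute-force attempts
(Security event 4625 with LogonType 10) and an inventory of PowerShell script
blocks (PowerShell/Operational event 4104) checked against an allow list."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample data: hostnames, users, IPs and scripts are made up ---
BASE = datetime(2024, 5, 1, 2, 0, 0)


def _ev(offset_s, event_id, host, **fields):
    """Build one event record `offset_s` seconds after BASE (constructed data)."""
    rec = {"time": BASE + timedelta(seconds=offset_s), "id": event_id, "host": host}
    rec.update(fields)
    return rec


SAMPLE_EVENTS = (
    # 12 failed RDP logons from one source within ~3 minutes: brute-force pattern
    [_ev(15 * i, 4625, "FS01", user="administrator", ip="203.0.113.7", logon_type=10)
     for i in range(12)]
    # 3 failed RDP logons from another source: typo-level noise, below threshold
    + [_ev(600 + 60 * i, 4625, "FS01", user="jsmith", ip="198.51.100.5", logon_type=10)
       for i in range(3)]
    # 15 failed *console* logons (LogonType 2): not RDP, must not be counted
    + [_ev(900 + i, 4625, "WS07", user="jdoe", ip="-", logon_type=2) for i in range(15)]
    # PowerShell script blocks that ran on two endpoints
    + [
        _ev(1000, 4104, "WS07", script="Get-Service | Where-Object Status -eq 'Stopped'"),
        _ev(1100, 4104, "WS07", script="Get-ChildItem C:\\Temp -Recurse | Remove-Item"),
        _ev(1200, 4104, "FS01", script="Get-Service | Where-Object Status -eq 'Stopped'"),
    ]
)


def script_hash(text):
    """SHA-256 of the script text; the allow list is keyed by this digest."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Allow list of scripts the administrators know about (constructed for the example)
APPROVED_SCRIPTS = {script_hash("Get-Service | Where-Object Status -eq 'Stopped'")}


def find_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {(host, source_ip): max_failures_in_window} for sources producing at
    least `threshold` failed RDP logons (4625, LogonType 10) inside any `window`."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 10:
            by_source[(e["host"], e["ip"])].append(e["time"])
    hits = {}
    for key, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


def script_block_inventory(events, approved=APPROVED_SCRIPTS):
    """Return {host: [(sha256, approved?, script)]} for every 4104 script block, so an
    administrator can see each script that ran and which ones are not on the allow list."""
    inventory = defaultdict(list)
    for e in events:
        if e["id"] == 4104:
            h = script_hash(e["script"])
            inventory[e["host"]].append((h, h in approved, e["script"]))
    return dict(inventory)


def unapproved_scripts(events, approved=APPROVED_SCRIPTS):
    """Flatten the inventory to (host, script) pairs that need review."""
    return [(host, s)
            for host, blocks in script_block_inventory(events, approved).items()
            for _, ok, s in blocks if not ok]


if __name__ == "__main__":
    for (host, ip), n in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"RDP brute force against {host} from {ip}: {n} failures within 5 min")
    for host, script in unapproved_scripts(SAMPLE_EVENTS):
        print(f"Unapproved PowerShell script on {host}: {script}")
```

On the sample data the brute-force check reports only the 203.0.113.7 source (12 failures), ignoring the three mistyped logons and the console failures, and the inventory flags the one script on WS07 that is not on the allow list. In a real deployment the records would come from an EDR or SIEM export, the 4104 events require script block logging to be enabled, and the threshold and window should be tuned to the organization's normal failed-logon rate.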
Incident response procedures should be tested regularly to ensure that employees are familiar with security processes and understand exactly what to do in the event of an infection. Testing also helps companies identify and rectify flaws in the response chain. The worst time for a company to try to work out what to do in a ransomware attack is during a real ransomware attack.
A proactive approach to ransomware prevention can help companies significantly reduce the risk of infection. In the event of an incident, organizations must have effective response procedures in place to contain the incident, prevent data loss and safely initiate the recovery process.
The practices described in this article can help businesses of all sizes mitigate the impact of a ransomware attack. Do note, however, that these procedures should be considered general and non-comprehensive advice. Security requirements can vary significantly and security systems should always be tailored according to industry, regulatory requirements and the company’s unique security needs.