How to Ensure Ransomware Readiness & Regulatory Compliance


By Amar Singh, Co-Founder & CEO, Cyber Management Alliance

Ransomware attacks are on the rise – in number and sophistication. This is a fact that needs little reiteration in the world of business and technology today. These attacks have become a part of modern life and business, and there’s no wishing them away. What you can do, however, is take the necessary steps to prevent them and be prepared to handle them with enough sophistication to mitigate their impact on your organisation.

In this blog, we’ll take a look at a few crucial details every business must keep in mind for ensuring Ransomware Readiness and necessary compliance.

What is Ransomware Readiness?

A ransomware attack is one where hackers inject malware into the victim’s computer or system and encrypt its files. Typically, the hackers demand a ransom and threaten to either lock you out of your systems indefinitely or leak sensitive data online – both repercussions that can severely damage your business operations and/or reputation.

Simply put, ransomware readiness is the ability of a business to handle a ransomware attack. It refers to the process of ensuring that your IT and Cyber Incident Response Teams are well-equipped with the right tools and knowledge to manage a ransomware attack such that your business doesn’t come to a halt.

Making the right technology investments, especially investments in proper backups, managing privileged credentials and training your staff regularly in ransomware preparedness and response are critical components of a sound ransomware readiness strategy.

How do you Ensure Regulatory Compliance?

While businesses stand to lose thousands of dollars to ransomware attacks, not to mention the massive public relations disasters these attacks can cause, the threat to individuals (as customers or partners of the attacked business) is just as significant. They stand to lose data, sometimes permanently, face the threat of their personal information being leaked, and risk being further victimised by social engineering attacks based on the leaked data.

This is what makes the compliance angle vital in any discussion about Ransomware Attacks. Compliance with the relevant ransomware law and regulations is an extremely critical aspect of ransomware response and it should therefore be part of any ransomware readiness programme.

Different national regulatory bodies may have varying standards and compliance requirements. However, some key aspects of the regulatory requirements that you must be aware of include:

  • Guidance on reporting: You should know what the cybercrime reporting regulation of your national and/or regional governing body is, and the time frame within which you must report a ransomware attack.

In the EU and the UK, for example, if a ransomware attack results in a personal data breach, such as, but not limited to, the unauthorised exfiltration of personal data, you must report the breach to the Information Commissioner’s Office (or ICO) within 72 hours of learning about the breach.

In the US, President Joe Biden has very recently signed the Cyber Incident Reporting for Critical Infrastructure Act into law. Businesses that are deemed to be operating in “critical infrastructure” sectors will now (for the first time) have mandatory reporting obligations for “cyber incidents” and ransomware attacks within 72 hours of the event.

In order to avoid fines and other regulatory penalties, it is important that your IT and Incident Response Teams understand the reporting obligations specific to your geography and industry.

  • Guidance on Payments: Most regulatory authorities insist that victims should avoid making ransom payments. This is because as long as hackers keep receiving ransom payouts, they continue to strike at other victims with greater vigour.

However, if making the ransom payment seems to be the only way out, you still need to consider your regulatory requirements pertaining to payouts. The FBI Director said last year that private companies should definitely avoid paying the ransom and should contact the “Federal Bureau of Investigation as soon as possible so that law enforcement can help take action in response, potentially obtaining encryption keys used by hackers.”

After the enactment of the Cyber Incident Reporting for Critical Infrastructure Act, organisations that do pay the ransom are required to notify CISA (the Cybersecurity and Infrastructure Security Agency) within 24 hours of paying the ransom.

Further, in North Carolina, state agencies and local governments are legally prohibited from using taxpayer money to make ransom payments. Instead, they’re encouraged to use the funds for securing sensitive data, conducting regular cybersecurity audits and training staff to avoid ransomware attacks in the first place.

  • Testing: The UK’s GDPR requires businesses under its jurisdiction to regularly test and assess their cybersecurity controls and processes as well as cyber resilience measures.

As far as ransomware attacks go, this means that you should regularly test your cyber incident response plans through ransomware tabletop exercises. These exercises simulate an actual attack environment, and your important business stakeholders and management team members are forced to think and act as they would during an actual attack.

Such a tabletop exercise effectively evaluates your staff’s familiarity with the incident response and disaster recovery plans while also showing the gaps in these plans and processes. In Canada, the Canadian Centre for Cyber Security advises that Incident Response Plans should be tested, revisited and revised annually to keep them effective and relevant.

In summary, you must know what the general guidelines for cybersecurity testing in your region are, and you must adhere to these guidelines to ensure overall compliance.

Ransomware actors are nowhere close to backing off. And while it’s going to be some time before ransomware attacks are behind us, we can all collectively take some important steps to disincentivise and discourage the malicious actors. Beefing up our ransomware preparedness and increasing our overall awareness can together reduce the likelihood of ransomware payouts. By reducing the number of payouts, we can make ransomware attacks less lucrative for cybercriminals and improve our own cyber safety and that of our clients in the process.