Ransomware attacks are so frequent now that even some big ones don’t make headlines. But last week’s attack on Kaseya VSA, a tool used by IT professionals around the world to help manage networks and provide tech support, garnered plenty of headlines. That’s because it was the biggest ransomware attack on record, affecting more than 1,000 businesses and likely costing tens of millions of dollars. Because of the size and impact, it may change the way business leaders view their technology and the engineers that support it.
That’s a good thing. The breadth and sophistication of ransomware attacks are growing rapidly, and now is the time to take stock of your technology strategy and make sure you’re managing a fast-growing business risk properly.
Here are three ways that growing cybercrime risks should change how you think about technology.
#1 – “Don’t Get Hit” Is Not a Sensible Plan Anymore
It’s comfortable for technology teams to discuss network security in terms of loss prevention. Antivirus software prevents network infections. Firewalls prevent unauthorized access. User access policies prevent data leakage, and backups prevent data loss.
That might have made sense five to ten years ago, when most businesses did successfully prevent each outsider attack. In those days, ransomware attacks were uncommon, and most cybercriminals simply encrypted files and hoped the target didn’t have data backups.
Today, businesses are subject to constant ransomware, business email compromise and password exfiltration attacks. The attackers use phishing emails, stolen employee credentials, and sophisticated attacks that compromise hundreds or thousands of business networks simultaneously.
If your business is big enough to celebrate an employee’s birthday most months of the year, it’s big enough to face hundreds of these attacks each month of the year. And eventually, despite heroic efforts to prevent them, one of these attacks will make it through your perimeter defenses.
That’s why it’s important to ask your IT management team specifics about breach response, not just breach prevention. Teams that have invested properly in breach response should be ready to discuss processes and tools to mitigate damage after a breach occurs.
- They should know who needs immediate notification of a potential breach, and how to manage communications with employees, customers and vendors.
- They should have a documented process on how to quickly shut down outside access to customer networks and to preserve company data from further exfiltration, encryption or deletion.
- They should have incident response teams to provide continuous monitoring if necessary.
- They should also know when and how to restore any data lost during the incident, and which critical infrastructure should be restored most quickly.
Breach prevention is still any network’s first line of defense, and it deserves more attention than ever. But if your technology team – internal or external – can’t answer questions about the tools and processes they have in place to respond to a successful network breach, it’s time to find a provider that wants to have that hard conversation with you.
#2 – Maturity Matters When It Comes to Your Technology Partner
If you’ve ever tried calling Facebook, you know that giant companies don’t provide the best service. Facebook, a $1 trillion company, has no phone support. If you really want someone to pick up the phone when you call, hire a local business.
And you’ll need your IT support to pick up the phone when you’re facing a potential network breach. But you need more than that. You need them to identify any threat actors on your network and get them off immediately. You need them to lock the network down, and actively monitor it to ensure the attacker doesn’t find another entry point. The source of the attack needs to be investigated. Your insurance company will have some questions, too, and some of them may be highly technical.
For at least a few days, you’re going to need a much larger IT support team than normal, with a higher level of technical proficiency. That’s not something you’ll be able to pull off with an internal staff, and small IT managed services providers won’t be able to rapidly scale up your services, either. You need an IT service provider that fits the popular business slogan “Big enough to serve you, and small enough to care.”
Your managed IT service provider (MSP) should be able to quickly provide knowledgeable engineers when you need them most, including for major projects, office relocations, company growth, and, unfortunately, cyberattacks. And when you’re interviewing them for a job, most MSPs will happily tell you they’ve got expertise in all of these areas, along with surge capacity and plenty of battle-tested processes in place for when the worst happens.
Don’t take their word for it.
Ask for examples where they’ve handled the types of problems you expect your business might encounter. Ask them what items are on their office relocation checklists, or what their project management process looks like. Most importantly, ask them what systems they have in place for incident response, whether they’ve used them, and how they’ve performed in the past.
An operationally mature MSP isn’t “winging it” on these things – they’ll have processes in place to handle them, and they’ll be happy to discuss them with you.
#3 – You Can’t Just Assume Backups Will Save You
Thus far, last week’s attack seems to have been mostly automated, with no manual attempts to gain wider network access or download company data. It’s likely the attackers simply didn’t have the time or resources to explore so many networks before the attack became public and they lost their opportunity to encrypt servers and workstations.
Threat actors do typically look around on a network before encrypting files. And if they only have time to find one thing, they’re going to find your backups. Because they want to get paid.
They know that company leaders are much less likely to pay a ransom if they can quickly restore all their critical data from a backup. And while hackers might threaten to leak embarrassing emails, company financial data or customer credit card numbers, they might simply come up empty-handed on those things. If an attacker can find a way to corrupt, delete, or encrypt your backups, they’re going to do it.
That’s why the details of a “backup solution” are so critical. Where are backups stored? What credentials are required to disable backups, or to disable alerts when backups are disabled? Once backup files are created, can the files be modified in any way, or are they immutable? Protecting backup files from ransomware attacks has become its own game of cat-and-mouse, with backup solution vendors building safeguards to protect the files and hackers finding new ways to defuse the safeguards.
None of this means that backups aren’t effective or worthwhile – they’re still the best, last defense against a successful ransomware attack on your network. Just make sure that your IT team or MSP is armed with more information than a vendor’s marketing materials before they put data backups on autopilot.
When Facing a Cyberattack, Be Ready to Respond
This year, businesses are facing more cyberattacks than ever before. The worst of these attacks are also more sophisticated and therefore more likely to breach the perimeter of your network security. Businesses that are prepared for a threat actor gaining access to their network will fare far better than those that aren’t. Businesses with the best chance for a successful response will have:
- Invested in breach response tools and processes before the breach occurs
- Contracted or hired a scalable team of experienced engineers ready to quickly execute a breach response plan, and if necessary, a disaster recovery plan
- Selected a disaster recovery solution that anticipates and blocks threat actors’ attempts to corrupt, encrypt or delete backup files
Quick thinking and fast execution can limit the damage caused by a breach. If the breach does impact your company, data backups can be the difference between short-term losses and long-term damage – or bankruptcy.
To learn how WingSwept can help protect your company from emerging cyberthreats, call us at 919-460-7011 or email us at Team_WingSwept@WingSwept.com.