If you are on a Board of Directors, you might be concerned about Cybersecurity and more specifically, how to avoid or protect from ransomware. As a dutiful Director executing your ‘Duty of Care,’ perhaps you’ve tried to read up on the problem. Maybe the CISO or an outside cybersecurity consultant did a presentation for the Board. If so, great! But, let me make a wild guess here: the material was either too technical and filled with IT jargon, too general, or both. When you finished reading or listening, it might have left you wondering what questions to ask management.
If that’s where you are, read on to learn six principles that reduce the risk of Cybersecurity ‘incidents’[1] and minimize the damage such incidents can do to your firm. And, none of these principles require a computer science degree to understand!
1. Robust Prevention — Keep Unauthorized Users Out and Protect from Ransomware
The first goal of Cybersecurity is to keep unauthorized users out and protect from ransomware. Despite what you read in the news, most incidents aren’t targeted attacks by Nation-states.[2] They are indiscriminate attacks launched against many targets in the hope of getting lucky. It’s the cyber equivalent of jiggling door handles on a row of parked cars to find one left unlocked. We all know the joke about a bear chasing two hikers: “I just have to outrun YOU.” That punchline doesn’t just apply to running from bears; it applies to Cybersecurity threat prevention, too.
2. Quick Detection — Don’t Give Them Time to Settle In
Cyber evildoers are like termites, boring their way into your hidden but vital infrastructure. Much like termites, their damage gets worse over time. The cyber term for this boring from within is ‘Dwell Time’ — the time from penetration to discovery. Firms are reluctant to disclose details of a breach, but dwell time estimates for some major breaches range from 100 days to over one year! Imagine termites in your walls for a year and you’ll understand how much damage an undiscovered breach can do when failing to protect from ransomware!
3. Defense Depth — Lock Interior Doors
Every store has a ‘customer area’ and a locked door separating customers from employee-only areas (front of the house vs. back of the house). It may be a shock, but few IT networks use the same thinking. Once an evildoer breaches your outer wall (or gets invited in the front door through ‘Social Engineering’), they often have unrestricted access. A break-in through a subcontractor work-order portal caused the infamous Target breach; that portal wasn’t isolated from the extremely sensitive card-swipe systems at the cash registers.
4. Keeping Secrets Secret — They Can’t Leak Encrypted Data
Want to impress your CISO? Ask, “Is all sensitive data encrypted at rest and in motion?” You’re asking whether they store the data on disk and tape in encrypted form. Additionally, you’re asking whether they send sensitive data from place to place in encrypted form. Anything other than a ‘yes’ means your business can’t protect from ransomware and that an attacker can threaten to both deny access to your data AND sell your sensitive data. It also means they can leak embarrassing details to the press (à la the Sony breach).[3]
5. Effective Repair and Restoration — Prepare to Repel Boarders
Once you know or strongly suspect a breach, stop dithering. Break out the Crisis Management plan, which management should already have created and shared with the Risk and Audit Committees. Then, execute! Execute! Execute! Two crucial points:
- Prepare in advance — don’t ‘wing it’ dealing with crisis responses!
- Have outside experts (legal, Cybersecurity, PR/IR) pre-qualified and available as needed.
6. Not Keeping All Your Eggs in One Basket — Keep Backup Data Safe
Ransomware works by silently encrypting your data, rendering it unusable by your firm. If you have backups, you can quickly restore your data and get back to work while you’re taking other recovery steps. The fly in the ointment is that extended dwell time enables evildoers to encrypt your backups day by day by day, or even mass-encrypt backups stored within your IT environment until all your valid data gets overwritten. Once that happens, it’s probably time to pay the ransom. Keeping backups segregated from your primary IT environment plus working to shorten dwell time helps make data restoration/recovery much more likely.
And there you have it, how to protect from ransomware through robust Cybersecurity without excessive jargon. It’s critical to have a plan that covers risk prevention, detection, and restoration in the event your data is breached. Be sure you’ve discussed the above six cybersecurity principles with management and understand the level of residual risk they’ve designed into their IT system.
- [1] Be careful with terminology! An ‘incident’ means ‘we think something happened’ whereas a ‘breach’ potentially triggers insurance provisions and notification clocks. Only say ‘breach’ when you know an evildoer has penetrated.
- [2] If you are in an industry that’s subject to targeted Nation-State attacks, I sure hope you’re not here learning about Cybersecurity for the first time!
- [3] In case you were wondering: Yes! They can additionally encrypt your encrypted data. If you encrypt your data as I suggested, evildoers can’t sell or leak it. But their encryption of your encrypted data still locks you out!