The FBI just issued a Public Service Announcement “High Impact Ransomware Attacks Threaten US Businesses and Organizations,” saying that “ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly.”
While ransomware attacks on state and local governments have been in the news, the Bureau says to expect more attacks on “health care organizations, industrial companies, and the transportation sector.”
The PSA goes on to give some pointers on ransomware defense, such as:
And more best practices.
But like many lists of best practices in cybersecurity, this one doesn’t give direction on how to prioritize among the many worthy recommendations. How would an organization, particularly a large one, focus its defenses based on…
Sophisticated organizations use Factor Analysis of Information Risk, the FAIR model that’s the basis of the RiskLens Platform, to make risk-based, financially defined decisions on ransomware controls. For an example, take a look at a case study of a large manufacturer and RiskLens client.
The manufacturer was concerned about a zero-day ransomware attack crippling its distribution process and was weighing two options: investing in additional controls to improve response time for outages, or implementing micro-segmentation to decrease the probability of ransomware propagating across the network.
With the RiskLens Platform, the manufacturer could model specific scenarios (such as ransomware propagating from a single workstation to the main system supporting operations for a key distribution center) with varying inputs and outcomes based on different controls, ultimately showing a return on investment in dollars and cents.
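As an added illustration of the kind of scenario comparison described above (this is not RiskLens code or data), here is a small FAIR-style Monte Carlo that estimates annualized loss expectancy for the two controls the manufacturer weighed. The scenario ranges, the control effects and the control costs are all constructed, hypothetical inputs.

```python
import math
import random

# Constructed, illustrative FAIR-style inputs for the scenario above (ransomware
# spreading from one workstation to a distribution center's main system).
# These are NOT RiskLens figures; each range is (low, high, most likely).
SCENARIO = {
    "lef": (0.1, 0.5, 0.3),                        # loss events per year
    "magnitude": (500_000, 5_000_000, 1_500_000),  # USD lost per event
}
# Hypothetical controls: name -> (LEF multiplier, magnitude multiplier, annual cost)
CONTROLS = {
    "faster_response": (1.0, 0.6, 150_000),     # shorter outages: cuts loss magnitude
    "micro_segmentation": (0.3, 1.0, 200_000),  # limits propagation: cuts frequency
}

def _poisson(lam, rng):
    """Knuth's method: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_ale(lef_mult=1.0, mag_mult=1.0, trials=20_000, seed=7):
    """Monte Carlo annualized loss expectancy: mean annual loss in USD."""
    rng = random.Random(seed)
    lo_f, hi_f, mode_f = SCENARIO["lef"]
    lo_m, hi_m, mode_m = SCENARIO["magnitude"]
    total = 0.0
    for _ in range(trials):
        lef = rng.triangular(lo_f, hi_f, mode_f) * lef_mult
        for _ in range(_poisson(lef, rng)):
            total += rng.triangular(lo_m, hi_m, mode_m) * mag_mult
    return total / trials

def compare_controls():
    """ALE with each control, the risk reduction it buys, and ROI against its cost."""
    baseline = simulate_ale()
    results = {"baseline": baseline}
    for name, (lef_mult, mag_mult, cost) in CONTROLS.items():
        ale = simulate_ale(lef_mult, mag_mult)
        reduction = baseline - ale
        results[name] = {"ale": ale, "reduction": reduction,
                         "roi": (reduction - cost) / cost}
    return results

if __name__ == "__main__":
    for name, value in compare_controls().items():
        print(name, value)
```

With these inputs the baseline ALE lands near $700k, and the comparison shows which control returns more risk reduction per dollar spent; swapping in an organization's own calibrated ranges is the whole exercise.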
Interestingly, the FBI’s PSA is of two minds about paying the ransom:
“Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
While to pay or not to pay is a highly controversial topic (see the strong stand against paying taken by the US Conference of Mayors), one thing’s for certain: Any organization should prepare itself to make the decision by running a quantitative risk analysis so it thoroughly understands the stakes in dollars and cents.
RiskLens is leading a revolution in the way cyber risk is assessed, measured and managed by bringing to market a Software as a Service solution that makes cyber risk quantification a reality.
We help organizations translate cyber risk from the technical into the economic language of business.