The FBI just issued a Public Service Announcement, “High Impact Ransomware Attacks Threaten US Businesses and Organizations,” saying that “ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly.”
While ransomware attacks on state and local governments have been in the news, the Bureau says to expect more attacks on “health care organizations, industrial companies, and the transportation sector.”
The PSA goes on to give some pointers on ransomware defense, such as:
- Regularly back up data and verify its integrity.
- Focus on awareness and training.
- Patch the operating system, software, and firmware on devices.
- Ensure anti-virus and anti-malware solutions are set to automatically update.
...and more best practices.
But like many lists of best practices in cybersecurity, this one doesn’t give direction on how to prioritize among the many worthy recommendations. How would an organization, particularly a large one, focus its defenses based on...
- The likely frequency of a ransomware attack
- The probable magnitude of impact
- The most valuable assets to be protected from a ransomware situation
- Choosing one anti-ransomware defense against another
- More or less cyber insurance coverage to buy
- The return on investment for anti-ransomware defenses vs. other cybersecurity initiatives – or even other profit-making initiatives within the organization.
Sophisticated organizations use Factor Analysis of Information Risk, the FAIR model that’s the basis of the RiskLens Platform, to make risk-based, financially defined decisions on ransomware controls. For an example, take a look at a case study of a large manufacturer and RiskLens client.
The manufacturer was concerned about a zero-day ransomware attack crippling its distribution process and was weighing one solution (investing in additional controls to improve response time for outages) against another (implementing micro-segmentation to decrease the probability of ransomware propagating across the network).
With the RiskLens Platform, the manufacturer could model specific scenarios (such as ransomware propagating from a single workstation to the main system supporting operations for a key distribution center) with varying inputs and outcomes based on different controls, ultimately showing a return on investment in dollars and cents.
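To make the comparison concrete, here is an added illustration (not RiskLens code, and not the manufacturer's actual figures) of the FAIR arithmetic behind such a scenario: loss event frequency times loss magnitude, sampled with triangular distributions so that each input carries a min/most-likely/max range. The two controls from the case study are modelled as changes to a single input each: faster response shortens the outage, micro-segmentation lowers the probability that an infected workstation reaches the distribution center's system. All dollar amounts and probabilities below are constructed placeholders.

```python
import random
import statistics

# Constructed, hypothetical inputs for the scenario "ransomware spreads from one
# workstation to the main system of a key distribution center". Each entry is
# (min, most likely, max) for a triangular distribution.
BASELINE = {
    "tef": (0.5, 1.0, 2.0),             # threat events per year that could start the chain
    "p_propagate": (0.2, 0.4, 0.7),     # probability the infection reaches the DC system
    "outage_hours": (24, 72, 168),      # hours the distribution center is down per loss event
    "cost_per_hour": (10_000, 25_000, 60_000),     # lost throughput per outage hour (USD)
    "recovery_cost": (100_000, 250_000, 600_000),  # IR, rebuild, notification, legal (USD)
}

def with_control(base, **changes):
    """Return a copy of the scenario with one or more inputs replaced."""
    return {**base, **changes}

# Control A: faster outage response only changes how long the DC is down.
FASTER_RESPONSE = with_control(BASELINE, outage_hours=(8, 24, 48))
# Control B: micro-segmentation only changes the chance of propagation.
MICRO_SEGMENTATION = with_control(BASELINE, p_propagate=(0.05, 0.1, 0.2))

def _draw(dist, rng):
    lo, mode, hi = dist
    return rng.triangular(lo, hi, mode)  # random.triangular takes (low, high, mode)

def annual_loss(params, rng):
    """One simulated year: loss event frequency x loss magnitude (FAIR top level)."""
    loss_event_freq = _draw(params["tef"], rng) * _draw(params["p_propagate"], rng)
    magnitude = (_draw(params["outage_hours"], rng) * _draw(params["cost_per_hour"], rng)
                 + _draw(params["recovery_cost"], rng))
    return loss_event_freq * magnitude

def simulate(params, n=20_000, seed=7):
    """Monte Carlo over n years; returns annualized loss expectancy and a tail value."""
    rng = random.Random(seed)
    losses = sorted(annual_loss(params, rng) for _ in range(n))
    return {"ale": statistics.fmean(losses), "p90": losses[int(0.9 * n)]}

def expected_ale(params):
    """Closed-form mean of the same model (mean of a triangular is (lo+mode+hi)/3)."""
    m = {k: sum(v) / 3 for k, v in params.items()}
    return m["tef"] * m["p_propagate"] * (m["outage_hours"] * m["cost_per_hour"] + m["recovery_cost"])

def roi(base, control, annual_control_cost, seed=7):
    """Return on investment of a control: (loss avoided - cost) / cost, per year."""
    avoided = simulate(base, seed=seed)["ale"] - simulate(control, seed=seed)["ale"]
    return (avoided - annual_control_cost) / annual_control_cost
```

Swapping in the organization's own calibrated ranges and the real annual cost of each control turns the two `roi` values into the dollars-and-cents comparison the case study describes; the `p90` figure is what informs the cyber insurance question raised above.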
Interestingly, the FBI’s PSA is of two minds about paying the ransom:
“Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
While to pay or not to pay is a highly controversial topic (see the strong stand against paying taken by the US Conference of Mayors), one thing’s for certain: Any organization should prepare itself to make the decision by running a quantitative risk analysis so it thoroughly understands the stakes in dollars and cents.