While ransomware attacks on state and local governments have been in the news, the Bureau says to expect more attacks on “health care organizations, industrial companies, and the transportation sector.”
The PSA goes on to give some pointers on ransomware defense, such as:
And more best practices.
But like many lists of best practices in cybersecurity, this one doesn’t give direction on how to prioritize among the many worthy recommendations. How would an organization, particularly a large one, focus its defenses based on...
Sophisticated organizations use Factor Analysis of Information Risk, the FAIR model that’s the basis of the RiskLens Platform, to make risk-based, financially defined decisions on ransomware controls. For an example, take a look at a case study of a large manufacturer and RiskLens client.
The manufacturer was concerned about a zero-day ransomware attack crippling its distribution process and was weighing one option, investing in additional controls to improve response time for outages, against another, implementing micro-segmentation to decrease the probability of ransomware propagating across the network.
With the RiskLens Platform, the manufacturer could model specific scenarios (such as ransomware propagating from a single workstation to the main system supporting operations for a key distribution center) with varying inputs and outcomes based on different controls, ultimately showing a return on investment in dollars and cents.
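Here is an added illustration, not RiskLens Platform code, of the quantitative comparison the case study describes: a FAIR-style Monte Carlo that prices the two options against the same propagation scenario. All ranges, control costs and control effects below are constructed assumptions.

```python
import random
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Tri:
    """Calibrated estimate as a minimum / most-likely / maximum range."""
    low: float
    mode: float
    high: float
    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # assumed $ per year to run the control
    vuln_factor: float = 1.0  # multiplies probability of propagation
    loss_factor: float = 1.0  # multiplies loss magnitude per outage

# Constructed inputs for the scenario in the post: ransomware on one
# workstation spreading to the system that runs a key distribution center.
TEF = Tri(0.5, 2.0, 6.0)                   # threat events per year
VULN = Tri(0.10, 0.35, 0.70)               # P(propagates to the DC system)
LOSS = Tri(250_000, 1_500_000, 6_000_000)  # $ per outage (response + lost output)

# Assumed control effects: faster response shortens the outage (loss magnitude);
# micro-segmentation blocks propagation (vulnerability, hence loss frequency).
FASTER_RESPONSE = Control("faster outage response", 300_000, loss_factor=0.55)
MICRO_SEG = Control("micro-segmentation", 450_000, vuln_factor=0.30)

def simulate(controls=(), n: int = 20_000, seed: int = 7) -> float:
    """Mean annualized loss ($/yr). Each trial approximates annual loss as
    LEF x LM with LEF = TEF x Vuln (FAIR). A fixed seed means controls are
    compared on identical random draws rather than on sampling noise."""
    rng = random.Random(seed)
    vf = lf = 1.0
    for c in controls:
        vf, lf = vf * c.vuln_factor, lf * c.loss_factor
    losses = []
    for _ in range(n):
        lef = TEF.sample(rng) * min(1.0, VULN.sample(rng) * vf)
        losses.append(lef * LOSS.sample(rng) * lf)
    return mean(losses)

def roi(control: Control, n: int = 20_000, seed: int = 7):
    """(loss avoided per year, ROI ratio) for adding one control to the baseline."""
    avoided = simulate(n=n, seed=seed) - simulate((control,), n=n, seed=seed)
    return avoided, (avoided - control.annual_cost) / control.annual_cost
```

With these constructed inputs both controls return several times their cost and micro-segmentation avoids the larger loss; replacing the ranges with calibrated estimates is what turns the arithmetic into a decision.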
Read the complete case study here.
Interestingly, the FBI’s PSA is of two minds about paying the ransom:
“Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
While to pay or not to pay is a highly controversial topic (see the strong stand against paying taken by the US Conference of Mayors), one thing’s for certain: Any organization should prepare itself to make the decision by running a quantitative risk analysis so it thoroughly understands the stakes in dollars and cents.