The following are the most important first steps any company, whatever the size, should be taking to minimise the risk of a successful ransomware attack.
1. Use Endpoint Detection and Response Software (EDR)
EDR is an advanced form of threat protection that is often confused with antivirus software. However, antivirus products are generally designed only to protect against known threats, whereas EDR is able to detect and respond to many new forms of attack as they happen.
EDR works by collecting data from workstations and other endpoints, and using that information to detect the signs of malicious behaviour.
Since the sudden shift towards remote working, EDR has become increasingly important, as hackers seize the opportunity to exploit weaknesses in endpoint devices to get their foot in the door.
2. Follow the Principle of Least Privilege (PoLP)
The PoLP is an approach to IT security whereby you grant each user the minimum level of access to the data and resources they need to perform their role. For example, a member of staff may need to access personal data as part of their duties but doesn't need to change anyone's personal details. You should therefore grant them permission to read such data but not to modify it.
The PoLP can help lower the risk of a ransomware attack launched through social engineering techniques such as phishing emails: if a hacker manages to steal an employee's login credentials, it doesn't necessarily mean they'll have sufficient privileges to launch an attack.
3. Implement a Strong Password Policy
Password files are favourite targets for hackers. Although the passwords contained within password files are hashed, which makes them unintelligible, attackers have a number of tricks up their sleeve to crack them. However, the longer and more complex your passwords are, the harder they are to crack.
So it's essential that you enforce strong passwords by imposing a minimum length and requiring at least one number, uppercase letter, lowercase letter and non-alphanumeric character. That way, in the event that someone steals your password file, it would be very difficult for the perpetrator to crack the hashes.
You should also rotate passwords as part of a robust password policy. In other words, you should prompt users to change their passwords periodically. This effectively limits the time attackers have to crack your passwords and make use of them.
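The policy described above, written out as a check that an account-provisioning or audit script could run (an added example, not code from the original article; the minimum length of 14 and the 90-day rotation period are assumed values, and the dates come from constructed directory records):

```python
"""Password-policy checks for the rules above: a minimum length, at least one
digit, uppercase, lowercase and non-alphanumeric character, plus a maximum
password age for rotation. Added example; policy values are assumed defaults."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 14      # assumed value; tune to your own policy
    max_age_days: int = 90    # assumed rotation period


def complexity_failures(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    # Anything that is neither a letter nor a digit counts as non-alphanumeric.
    if not any(not c.isalnum() for c in password):
        failures.append("no non-alphanumeric character")
    return failures


def rotation_due(last_changed_iso: str, today_iso: str,
                 policy: PasswordPolicy) -> bool:
    """True when the password (dates as ISO strings, e.g. from a directory
    export) is older than the policy allows and must be changed."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("password", "Tr0ub4dor&3xample!"):
        print(candidate, complexity_failures(candidate, policy) or "OK")
    print("rotation due:", rotation_due("2024-01-01", "2024-04-15", policy))
```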
4. Enable Multifactor Authentication (MFA)
If your systems support MFA, where users must go through an extra verification step such as entering a one-off code sent to their phone, you should enable it as soon as possible.
MFA acts as a layer of defence by putting up another barrier for an attacker to overcome to get into your systems.
In addition to one-time codes via SMS, other forms of MFA include:
authenticator apps for desktops and mobile phones
physical U2F security keys, which connect via Bluetooth or plug into your USB port
login confirmation codes delivered to your email address
biometric authentication, such as fingerprint, facial and voice recognition
5. Keep Software Up to Date
Software updates and patches contain fixes to vulnerabilities that attackers can exploit at any time. So you should apply them to your software and operating systems as soon as they become available.
But always remember to take backups before installing updates so you can quickly recover if you encounter issues such as a system crash or loss of critical functionality.
In cases where you cannot tolerate any downtime, you may need to administer updates in a test environment first in order to check for any potential problems before rolling out to your live systems.
6. Raise Security Awareness
According to joint research by Stanford University and email security provider Tessian, human error was the root cause of nearly 90% of all security incidents. The study also revealed that the younger generation were more vulnerable to phishing attacks – with 25% saying they'd clicked on a phishing link compared with just 8% of employees over the age of 51.
Your users are the weakest link in the security of your systems. So it pays to nurture a culture of security within your business.
Enrol employees on a security awareness course and back it up with your own advice about security best practices. If you periodically remind them of everyday risks, such as sharing removable media, clicking on malicious links and using public Wi-Fi services, you'll be far less vulnerable to a ransomware attack.
Business Continuity and Disaster Recovery (BCDR) Measures
In addition to robust security procedures and processes, you should also have measures in place to get your business back on its feet as quickly as possible in the event of a successful attack.
This is what business continuity and disaster recovery (BCDR) sets out to achieve.
Whatever the nature of the disruption, whether through a ransomware attack, power cut, hardware failure, human error or unforeseen adverse event, BCDR will help ensure rapid recovery of IT systems and mission-critical data with minimal disruption and cost to your business.
The following steps are integral to a well-designed BCDR plan.
7. Follow the 3-2-1 Backup Rule
You should never just rely on a single backup copy of your data.
Restores can fail. Not only that, but more advanced ransomware attacks also target your backups.
To ensure adequate protection you should follow the 3-2-1 backup rule: keep three copies of your data, two of them local (your production data plus a backup on a different medium) and one stored with an offsite service.
The local backup will be immediately available for simple and fast recovery. However, it will also be more vulnerable to attack.
The offsite backup, on the other hand, will be air-gapped from your on-premises systems. Hackers will therefore find it more difficult to attack, as they'll likely need additional access credentials and also supplementary network information to locate it. This will be particularly so if you use a cloud backup service.
8. Take Immutable Backups
An immutable backup is a copy of your data that cannot be modified, encrypted or deleted. It uses locking technology that prevents anyone, including users with admin privileges, from making such changes until the end of a specified retention period.
Consequently, you can be confident you can always recover from a ransomware attack or any other type of data protection incident.
Immutable backup solutions are generally based on storage that uses the WORM (write once, read many) model. They are available as both on-premises appliances and cloud-based offerings.
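Steps 7 and 8 together describe a state a backup inventory should be in; the following is an added example (not the article's own, and not tied to any real backup product) that audits a constructed inventory for the 3-2-1 rule and reports which copies still hold an unexpired immutability lock:

```python
"""Audit a backup inventory against the 3-2-1 rule and check that at least one
copy is immutable with its retention lock still in force. Added example with a
constructed inventory; it models no real backup product's API."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str                   # e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable_until: Optional[str] = None   # ISO date; None means alterable


def check_3_2_1(copies: list[BackupCopy]) -> list[str]:
    """Return the 3-2-1 conditions that are not met; empty means compliant."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len({c.medium for c in copies}) < 2:
        problems.append("all copies share one medium, need 2 different media")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    return problems


def immutable_copies(copies: list[BackupCopy], today_iso: str) -> list[str]:
    """Names of copies whose WORM retention lock has not yet expired on the
    given date, i.e. copies an attacker with admin rights still cannot alter."""
    today = date.fromisoformat(today_iso)
    return [c.name for c in copies
            if c.immutable_until is not None
            and date.fromisoformat(c.immutable_until) >= today]


# Constructed inventory: production disk, a local tape backup and a cloud copy
# locked until the end of its retention period.
INVENTORY = [
    BackupCopy("production", medium="disk", offsite=False),
    BackupCopy("local-tape", medium="tape", offsite=False),
    BackupCopy("cloud-worm", medium="object-storage", offsite=True,
               immutable_until="2025-12-31"),
]

if __name__ == "__main__":
    print("3-2-1 problems:", check_3_2_1(INVENTORY) or "none")
    print("immutable today:", immutable_copies(INVENTORY, "2025-06-01"))
```

An inventory that passes `check_3_2_1` but returns no names from `immutable_copies` has backups that a compromised admin account could still encrypt or delete.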
9. Maintain Backup Hygiene
It could be some time between the moment an attacker first breaches your system and the point at which they actually trigger their attack.
During this period, your backups will also have been infected. So make sure your backup system doesn't just take copies of your data but also scans them for malware. That way, you can be sure they're clean and safe to use whenever you need them.
And don't forget to test your restore system on a regular basis, as you want to be sure it works properly when you need it and that backups are free from corruption or other problems that could prevent recovery.
10. Draw Up an Incident Response Plan
Recovery from a ransomware attack can be a huge undertaking, as you get services securely up and running while carefully purging them of all footprints left by an attack.
As part of your response, you may need to perform detailed forensic analysis to establish the full facts of the incident. If the attack carries a threat to the privacy rights of individuals then it's likely you'll need to report the crime to both the National Cyber Security Centre (NCSC) and Information Commissioner's Office (ICO).
In fact, you'll have a lot of systematic steps to follow.
So it's important to draw up an incident response plan so you're properly equipped to deal with an incident. This should prioritise the recovery process.
For example, authentication services should be near the top of your list so users can immediately log back in once other services return. You should also prioritise internal email servers so staff can communicate with customers and each other as soon as possible.
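One way to turn the prioritisation described above into a concrete restore sequence is to record each service's dependencies and urgency and let a dependency-ordered sort produce the plan; this is an added example with a constructed service catalogue, not a plan from the original article:

```python
"""Order service recovery for an incident response plan: a service is restored
only after everything it depends on, and among the services that are ready
the most urgent one goes first. Added example; the catalogue is constructed."""
import heapq


def recovery_order(services: dict[str, tuple[int, list[str]]]) -> list[str]:
    """services maps name -> (priority, dependencies); a lower priority number
    is more urgent. Returns the restore order or raises if some services can
    never become ready (a dependency cycle or a dependency not in the plan)."""
    remaining = {name: set(deps) for name, (_, deps) in services.items()}
    ready = [(prio, name) for name, (prio, deps) in services.items() if not deps]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        # Release every service that was waiting only on the one just restored.
        for other, deps in remaining.items():
            if name in deps:
                deps.discard(name)
                if not deps:
                    heapq.heappush(ready, (services[other][0], other))
    if len(order) != len(services):
        stuck = sorted(set(services) - set(order))
        raise ValueError("unresolvable dependencies among: " + ", ".join(stuck))
    return order


# Constructed catalogue: name -> (priority, depends_on). The identity provider
# has no dependencies and the most urgent priority, so users can log back in
# first; mail is next so staff can communicate.
CATALOGUE = {
    "identity-provider": (0, []),
    "dns":               (1, []),
    "mail":              (1, ["identity-provider", "dns"]),
    "file-shares":       (2, ["identity-provider"]),
    "intranet":          (3, ["identity-provider", "dns"]),
    "hr-system":         (3, ["identity-provider", "file-shares"]),
}

if __name__ == "__main__":
    for step, service in enumerate(recovery_order(CATALOGUE), start=1):
        print(f"{step}. restore {service}")
```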