Last month, I participated in a panel discussion hosted by the National Cyber Security Alliance (NCSA).
The topic of the day? Ransomware.
Domingo Rivera from the Cybersecurity and Infrastructure Security Agency (CISA) and I had a great conversation. And if you missed the webinar, you can always rewatch it here.
Without further ado, here are some takeaways from our discussion…
1. Ransomware can involve a two-step process.
When you think about ransomware, do you picture a hacker hand-selecting which businesses to encrypt?
I’m not saying this doesn’t ever happen. But the reality is, the vast majority of the time…
Cybercriminals are using automation to find easy vulnerabilities. Once these automated attacks have identified potential victims, the bad guys will exploit them in a targeted manner.
2. Remote access is becoming a bigger problem.
Our webinar also addressed whether phishing or remote desktop technology is a more popular delivery method for ransomware.
According to Domingo, phishing is the top vector, but remote access is a growing problem. I also noted that phishing is harder to stop. While we have the ability to shore up remote access so it’s not vulnerable, human beings are more difficult to protect.
3. Data exfiltration is like squeezing toothpaste out of the tube.
Data exfiltration was another issue that came up. (If you’re not familiar with this term, data exfiltration occurs when cybercriminals gain access to critical data and remove it. The bad guys can then use business data to extort money.)
During the webinar, I mentioned that once data has been exfiltrated, there’s not a lot that you can do. So you need to prevent the exfiltration in the first place.
As the president of an IT firm that serves the small-business sector, I recommend security information and event management (SIEM), a technology that may help you respond to cybercriminals before exfiltration occurs. SIEM was discussed on our webinar (and you can read about SIEM here).
4. Preventing a ransomware disaster isn’t rocket science.
Preventing ransomware attacks is straightforward.
It doesn’t take a lot; it just takes discipline.
If you want to mitigate risk, your business simply needs some specific, well-known preventative measures (for example, hardening) to place itself in a position where it won’t need to pay a ransom.
5. Don’t think that a VPN equals complete ransomware protection.
On the webinar, Zarmeena from the NCSA brought up virtual private network (VPN) technology—a relevant topic in this work-from-home era. Someone had asked a question like, “Do VPNs also help protect or defend against ransomware?”
Domingo explained that while a VPN provides an encrypted tunnel for web traffic, it doesn’t address an existing cybersecurity vulnerability.
As I’ve said before, a cybersecurity solution doesn’t automatically mitigate your risk.
6. Cloud technology isn’t a magic bullet.
Another question we encountered had to do with the cloud and risk.
I concur with Domingo’s answer: Both the cloud and on-premises systems can be properly secured, and one isn’t inherently safer than the other. He was spot-on in saying it’s a business decision.
7. Don’t compensate cybercriminals.
If you read my blog, you might remember that my stance on ransomware payments is this: Paying the bad guys is not normally a good idea. To quote my November 2020 article…
“For starters, can we really trust [cybercriminals] to keep their word? Who says they will decrypt your data once you meet the ransom?”
The webinar demonstrated that CISA and Proactive IT align on this controversial topic—with CISA discouraging ransomware payments. Notably, Domingo mentioned, “There have been reported cases of people being targeted again or extorted to pay even more.”
8. There’s a better option than paying up.
On the webinar, Zarmeena voiced an objection (from a business or individual’s perspective) to backup technology.
The issue she raised?
Whether it’s better to pay a ransom because it’s faster.
In the business world, downtime is a valid concern. Just consider this news snippet…
“Joseph Blount, CEO of Colonial Pipeline Co., told The Wall Street Journal that he authorized the ransom payment of $4.4 million because executives were unsure how badly the cyberattack had breached its systems, and consequently, how long it would take to bring the pipeline back.” [Emphasis mine]
But as I said on the webinar, I don’t buy that argument. When you’re doing backups in a well-managed, disciplined way, recovery is super fast.
Bottom line: You don’t have to be afraid of excessive downtime. You have a better option than paying up.
9. CISA isn’t the cyber police.
When your company is hit with ransomware, should you reach out to law enforcement?
This is an important question. And CISA’s stance on this issue wasn’t what you might expect.
As CISA’s spokesperson, Domingo communicated that his organization isn’t the cyber police and that businesses have discretion about reaching out to authorities. He didn’t give a hard-and-fast answer about handling ransomware reporting post-incident.
My caveat: Just be sure your business is compliant with any government or professional requirement about ransomware disclosure.
10. Backups, backups, backups.
Before we ended our session, both Domingo and I emphasized backups.
I encouraged our attendees to double-check their backups and added that, in my experience, 80% of small business owners lack what they think they have. (For more on backups, please read this article.)
Hopefully, you’ve benefited from these takeaways! If you’re a video person, don’t hesitate to rewatch our webinar here.
Have a question about ransomware? Reach out to email@example.com or 704-464-3075 extension 3.
Dedicated to IT security and productivity,
About Steve Kennen
As an expert in information technology infrastructure management, cybersecurity, and cyber risk management practices for small businesses, Steve spearheads initiatives that keep his clients secure and their business operations running smoothly. His core message is that the details matter.