Facing a ransomware attack head on is a terrifying experience, whether you're a small startup or a multinational corporation. But once the rush to secure and get systems up and running has passed, your organization must then face the mess left in its wake. As experienced security leaders, we know that it's never a question of if your organization will be attacked, but when. And with threat actors pivoting to ransomware as an easy payout, odds are better than ever that your organization will eventually experience a ransomware attack. If ransomware is unpreventable, then how can organizations minimize its impact and lessen the blow?
Measuring the cost of a breach is a difficult task and there is no uniform, one-size-fits-all framework. However, recovering quickly comes down to one important facet: a well-built cyber-incident response plan. Baked within this plan should lie previously decided-upon activities that need to be tracked, such as burn rates (both short and long term), and licensing costs, as well as a project manager to track vendor statements of work, track time, and to generally keep things organized. Having someone who measures these seemingly minute details provides a far more accurate picture of the total cost of an attack, which is often much larger than companies realize.
It's also necessary to view costs through the lens of short-term expenses (ransomware payment, cyber-insurance costs, legal fees, and consultancies) and long-term costs (reputational/press, sales, and training). For example, we use a tool that contains standardized tasks, dependencies, owners, and a host of other metrics that a security team can start logging against. Regardless of the specific tool you use, the important thing is to sit down and lay out exactly what you need to track in a way that's collaborative across all teams.
One of the biggest mistakes an organization can make is to blindly throw technology at the problem instead of properly investing in building a security team. Organizations often spend hundreds of thousands of dollars on endpoint detection and response (EDR) solutions while neglecting monitoring and investment in high-quality security leadership and human talent. This is a great approach if you're looking to throw money into a black hole.
Some other costly mistakes include:
Ignoring the Basics
Some of the simplest mistakes can be the most expensive. According to IBM research, a breach life cycle under 200 days costs $1 million less than a life cycle over 200 days, so even small tweaks to reduce the time can save a lot of money. A general rule of thumb: If you don't have the top five best practices down from CIS's Top 20 list, such as log management and retention, focus on those before moving on. Frustratingly, breaches most often happen due to vulnerability management failures (e.g., missing patches). Vulnerability management is deceptively difficult but catastrophic when ignored.
Not Having Clear Lines of Responsibility, Accountability, and Reporting
Do you know exactly who is overseeing technology operations? And does the top security leader have a direct line of communication to that person? CIOs and other IT decision-makers will almost always choose to prioritize initiatives for business operations over security, so ensure you have a good ambassador that can clearly communicate security priorities to top leaders. This way, your team isn't left in the dark during important leadership conversations.
If you have a tool that generates alerts, make sure to follow up on those. As obvious as it sounds, ignoring these alerts is usually the start of serious issues.
Once you have your plan mapped out with a clearly defined measurement framework, you can now begin to strategically invest time and resources into building it out with tactics. So, what should you invest in? Here are a few specific areas of investment, outside of your defined incident response plan and security staff, that you should prioritize.
Start with network segmentation. With laptops, smartphones, and IoT devices, among others, organizations today have a plethora of attack vectors. But organizations can save millions by ensuring an attacker is only able to compromise one device, rather than moving laterally without obstruction through an environment.
Make sure to perform tabletop exercises as part of the security maturity process. These are critical to ensure that your team members know what to do as well as how to do it (and when) so they're not scrambling when the fire alarms sound.
Take backups of critical data (including your IT golden images) and store them offline. If you can't get to full offline backups, at least ensure that backups can't be accessed with domain administrator credentials. Ransomware threat actors will go after your backups — don't make it easy for them. Once you get your backup program up and running, ensure backups are updated on at least a monthly basis. Having backups will not only facilitate faster restoration to regular operations, but they also provide visibility into what went wrong several months back — often critical for root cause analysis.
Throughout my time in the industry, it's a clear trend that organizations facing downtime for multiple days also happened to lack these key processes, tools, and plans.