Dmitry Dontov, CEO and Chief Architect of Spin Technology, considers the best ways to approach modern ransomware prevention in the modern workplace.
Ransomware attacks grew by 435% in 2020 compared to 2019 and this increase is not expected to slow down anytime soon. To put that into perspective, ransomware attacks have outpaced the already massive growth rate for overall malware prevalence during that same period (358%). And according to Cybersecurity Ventures, ransomware damages will cost the world US$20 billion in 2021 (nearly 60 times the level of financial repercussions seen in 2015).
Over the last 12 months, the threat landscape has changed dramatically with the rise of remote workforces and the explosion of cloud services. So how can your security strategy evolve as well? When it comes to ransomware, here are five areas to think about.
It’s no secret that remote work has changed the ransomware attack landscape. Now more than ever, employees are operating outside of the traditional corporate perimeter, beyond where the bulk of your security controls are most effective and concentrated. As a result, there are new attack vectors to address, such as vulnerable VPNs and Virtual Desktop workspaces, which means attackers are more likely to target individual users than corporate networks. They’re using social engineering methods to make attacks more personalized and sophisticated. This is one of the reasons why 73% of ransomware attacks succeeded in 2020.
Remote work has also forced organizations to invest more heavily in cloud services to ensure employees can access corporate data and resources regardless of their location, making SaaS apps and cloud services a prime target for attackers. Additionally, it’s much harder to monitor employees’ activities outside of the office and thus, more challenging to mitigate potential attacks. Lastly, employees’ increasing use of unprotected home computers and Wi-Fi routers with default passwords provides many new ransomware opportunities for bad actors.
But what’s the difference between an attack on a corporate network vs. the cloud? A ransomware attack on a corporate network usually occurs in the form of a malicious app that runs a malicious script on a local PC or corporate server. It encrypts data and then spreads to other PCs and servers. In the cloud, there are two ways to encrypt SaaS data. The first is through a syncing app that connects your local device with your cloud environment. The second is through a malicious OAuth app or browser extension with access to your SaaS data via API. More on best practices for detecting and preventing cloud ransomware later.
So how can companies limit the impact of infections on remote workforce devices? Today, many device management tools allow you to install VPNs or anti-malware software remotely, create security policies, prevent employees from visiting suspicious websites, and monitor and manage employee devices – often from one centralized cloud-based dashboard. On top of that, you need to implement an activity log monitoring solution that uses AI to intelligently scan and identify behavior anomalies such as abnormal GeoIP login, brute force attacks, etc. For organizations with growing remote workforces, this is a ‘must-have approach’ to protecting sensitive corporate data and keeping work-from-home employees from causing security disasters that could impact the entire organization.
Unfortunately, parts of security education and training just aren’t working. A lot of security training platforms and programs don’t adequately cover remote work risks. In the world we live in today, these programs must educate employees on how to securely use their devices in potentially vulnerable home environments.
For example, most employees today need to know how to update router admin passwords, monitor and manage connected devices, and more. And, these training programs don’t cover best practices for protecting company devices from non-employees that can easily gain access. In many cases, guests and even family members could access a corporate laptop throughout the day, creating yet another concern for SecOps teams to manage.
So, what is the best way to approach modern ransomware prevention?
- Start by understanding how criminals get access to mission-critical assets. Attackers usually introduce ransomware through phishing emails, removable media, malicious file downloads from the Internet, malicious email attachments with nefarious links, vulnerable software, or because their victims’ security policies and solutions are inadequate (or absent). It’s important to understand that ransomware only affects data the user in question can access. So, limiting data access strategically can mitigate the consequences of a successful ransomware attack.
- Use a mix of security controls that address common attack vectors, including anti-malware and anti-phishing solutions, penetration testing and vulnerability scanning, URL filtering to prevent users from accessing malicious sites and security awareness training (that incorporates remote work security modules), among others.
- Monitor cloud and SaaS environments 24/7 to identify and proactively remediate ransomware attacks in real time.
- Monitor any and every third-party app your employees use, including extensions, add-ons, mobile solutions and more; anything with access to corporate data cybercriminals can hold hostage. This will require ML and AI capabilities to reduce the costly realities of human error and false positives – two things you can’t afford in cloud ransomware prevention.
- Finally, back up your sensitive SaaS data to trusted, secure cloud storage services like AWS and Azure daily to ensure you can recover in the event of a successful ransomware infection.
Keep in mind that downtime is an inevitable risk of any ransomware attack that you can’t avoid. Today, an average downtime incident lasts about 16 days and can be tremendously costly. Here are top reasons how downtime comes from:
- Data is growing exponentially
- There are still a lot of manual processes when it comes to Disaster Recovery
- API limitations of SaaS providers
When you design a Disaster Recovery strategy for your organization, you have to take downtime into account to reduce the downtime and recovery timeline because when it comes to ransomware attacks today it is no longer if, it’s already when.
About the author
Dmitry Dontov is the CEO and Chief Architect of Spin Technology, a cloud data protection company based in Palo Alto, and the former CEO of Optimum Web Outsourcing, a software development company from Eastern Europe. As a serial entrepreneur with over 20 years of experience in security and team management, Dmitry has a strong background in the cloud protection field and is an expert in SaaS data security.Click below to share this article