More than three-quarters of IT security professionals believe a successful cyber attack is imminent in 2021 – but many don’t have the resources and tools to withstand it. At this point, it’s not a case of if, but when.
We’ve seen the enormous damage done across industries to organisations who were caught off guard, and the impact ransomware attacks have (you can read our blog on the long-lasting impacts here). As of writing this, the HSE (Republic of Ireland’s national health service) is still suffering the impacts of a ransomware attack that took place four months ago, leaving many departments without access to internet, patient records, treatment plans or vital documents.
So what can we do against the ever-present threat of cybercrime?
Create a holistic defence strategy
We can’t cut out crime, but we can reduce enterprise risk and approach security strategically, rather than reactively. The concept is simple: create a holistic defence strategy that can allow organisations to protect against attacks, detect vulnerabilities and threats, and respond immediately to reduce downtime and impact if the worst happens.
The difficulty lies in the application – the lengthy process of shoring up defences and implementing robust security can leave organisations open to attack in the meantime, and strains on resource, time and budget can mean businesses have to prioritise rather than work strategically.
What should IT and security professionals do to protect their organisations?
Protect, detect, respond
These three areas can help organisations to focus their efforts holistically – but the priority needs to be reducing immediate risk first, before all else. The best way to do this? Reverse the focus and build backwards.
Respond – ensure you can recover
Your ability to respond to an attack or breach of any size is vital in reducing enterprise risk and downtime. Creating your response plan first ensures your business can recover in the event of a breach, which could take place (or indeed already be happening) before you’ve executed your security strategy.
So, what should your priority be when it comes to developing a response plan? Backups, process and responsibility. Loss of data and servers is the number one disruptor for any organisation, and having a fast, secure backup solution with proper process supporting it will help prevent downtime and reduce financial impact.
What does best practice look like? Ensuring that responsibilities are clear and staff within the team understand what the process is and who should decide what in an emergency is vital for any response plan – understanding how to react and how the backup solution can be used, plus what has been backed up and where, will further reduce downtime and ensure a smooth transition.
There are many backup solutions available, but the generally accepted best practice is to have three types of backup across two different media, as well as an off-site copy. This is often referred to as the 3-2-1 rule, however with the introduction of immutable storage many organisations are now incorporating this into their backup process as a ‘silver bullet’ against ransomware attacks.
Immutable storage is a read-only storage facility that prevents any edits being made to the original data, essentially creating an “unbreakable” backup copy.
Cloud PCs or virtual desktops can be another vital tool in recovering from an attack; if devices are locked, users can still log into accounts and continue working, preventing a loss of productivity or service delivery.
Reviewing and testing
Once you’ve decided on your response and recovery plans, it’s time to review – you might think it’s bulletproof, but there are plenty of horror stories. From storing physical backups in the office (what happens if the office burns down?) to simply not switching on the right systems at the right time, there’s plenty of room for error when it comes to response and recovery. Take the time to go through your plans with a fine-tooth comb and anticipate any and all situations; it’s better to be overprepared than caught unawares.
Finally, it’s highly recommended that you test your plans to ensure that everything works as expected – waiting until an attack or disaster takes place is certainly less than ideal, and testing out solutions and processes now will enable your team to fix any issues well in advance.
Detect – Understand your risks
Once you’re able to respond to an attack, it’s time to focus on Detect – understanding the current risks in your environment. This will enable you to focus your efforts accordingly and work to fix any current issues or vulnerabilities.
It’s vital that you have some kind of visualisation of your current security postures, where the gaps are and what might be missing, so you can protect your organisation from threats. A good place to start would be Microsoft’s Secure Score feature available in the M365 Defender portal: Microsoft Secure Score | Microsoft Docs.
Understanding the status of your servers and devices is critical, as is a robust update and patch management process . 60% of attacks successfully carried out in 2019 exploited vulnerabilities already had patches available, which hadn’t been applied.
Threat and vulnerability scanning can help you better understand your environment and any hidden risks, allowing you to take fast action where needed.
Clear line of sight over any upcoming End of Support deadlines across your IT estate is important to ensure new vulnerabilities are patched – this can include everything from firewalls to operating systems – so it’s vital that software and systems are updated regularly and on the latest available version.
Protect – Close security holes
Once these vulnerabilities are fixed, you can move on to Protect – proactively working to close security holes and implement robust strategies. This will protect your teams and devices from tailored, sophisticated attacks that put your business at risk.
The key to this is building an awareness of the new security risks that are emerging and keeping up to date with security news outlets. Likewise understanding what’s going on in your industry can give you advance warning. It’s fairly common for industries or sectors to experience targeted attacks from cyber criminal groups for a period of time; this knowledge can give you time to prepare against any attempts on your organisation.
Understanding your sector is vital as well – there may be processes or technologies unique to your sector that make you susceptible to certain types of attacks.
Another vital step is to understand where the gaps are in your environment – this can include fairly simple solutions such as ensuring adequate email and malware protection, improving on existing patch & update management processes, or making sure you have adequate control and visibility over user applications.
A common issue for many large organisations can be access management – studies show that once access is gained, intruders can move laterally within an environment to launch an attack within as little two hours. There’s a few different strategies to help with this; check out our recent blog series on Secure Access Frameworks for more info.
Building a holistic strategy is vital but takes time. Starting with the respond and recovery projects reduces immediate enterprise risk within your organisation whilst allowing you to build the foundations of a holistic ransomware defence framework.
If you need help getting started, our security experts are running a webinar discussing Protect, Detect, Respond and how to get started with the Respond phase: