The impact of ongoing ransomware events in the healthcare and broader business communities compel us both professionally and personally to self-reflect and to ask tough questions like “how ready are we?” “can we really do anything to prevent it from happening to us?” and "what if it happens, then what?".
There is no one-size-fits-all approach, but there are some relatively easy proactive measures that can help narrow an organization's attack surface, despite their cyber-maturity. These measures can additionally mitigate the likelihood of falling subject to a ransomware event.
Organizations should focus on allocating resources to create robust incident response, disaster recovery, and business continuity plans and effective governance structures to support them. In addition, organizations should audit their existing network security as there are many opportunities for vulnerabilities. Luckily, these potential vulnerabilities can be prevented if your organization takes the proper steps. Some key points to consider regarding the security of your organization are:
• Proper segmentation or end point encryption
• Remote Desktop Protocol (one of the most dominant attack vectors)
• Explore running services on a non-default port for higher security
• Controls around change management and patching processes
• Data retention & data loss prevention
• Identifying access management and vendor management.
• Unsecure servers hosted by third parties.
In addition to monitoring network security and keeping systems and applications up to date, organizations should address their "end of life" problem. If it is impractical or even impossible to update systems, it is critical to take additional steps to mitigate your risks. If your business has technology that is embedded in the fabric of your operations, segment end-of-life systems and software and develop a minimum-necessary access policy. This is particularly important with regard to medical devices, as many are still running outdated operating systems that simply cannot be updated. Remember, where preventative controls are not possible, develop detective controls and perform real-time monitoring to mitigate risks.
Another measure your organization can take are restorable backups. Restorable backups may appear to be an easy process but there are many seemingly mature organizations that do not have a full backup of all critical data. Although restorable backups require data categorization or classification effort, it is equally important that an organization maintain an off-line, 100% off-network back-up instance. A good place for this is in an organization’s asset inventory. Organizations should also test the ability to restore their backups. In a worst-case scenario, a victim organization will have to rely on the availability of backed-up data. Restorable backups are something every security framework requires. Do you align with an industry recognized framework? If you have not adopted a security framework, it is critical to do so as soon as possible.
Your organization should have well documented policies and procedures that meet legal requirements and provide a legally defensible posture. Every organization has different needs and different legal standards which they need to abide by, therefore it is bad security hygiene to copy and paste policies found online. You may be subjecting yourself to laws and standards that do not apply or leaving your company legally exposed. Every well-planned policy taxonomy will have both a sustainable governance framework that serves to keep your policies current and relevant, and a mechanism in place to enforce the policies.
Our Beckage team leverages their deep experience to assist organizations of various sizes and complexities in building efficient, longstanding and scalable IT due diligence programs. Our team of attorneys are seasoned technology professionals with backgrounds that include risk management, in-house counsel, governmental agencies, and information security and technology leadership. We work with businesses across channels and industries to facilitate the design and implementation of enterprise-wide security programs and perform ongoing “health checks” to evaluate the appropriateness of controls and alignment with business requirements. As we continue through 2020, there has never been a better time to operationalize a risk-based methodology.
*Attorney Advertising. Prior results do not guarantee future outcomes.