The threat situation is becoming increasingly critical: 2,650 risk management experts worldwide classify cyber attacks as the greatest risk to the economy, according to the current survey by the industrial insurer AGCS. “The danger is real, as cybercriminals are strongly motivated by the growing profits of ransomware,” comments Eric Waltert, Regional Vice President DACH at Veritas Technologies. “In order to grow their business, they are looking for new methods and vulnerabilities that allow them to bypass the first line of defense – the security systems – and stealthily break into computers and encrypt all data there.”
Companies become vulnerable to extortion if they install patches late or not at all, thereby breaking a basic security rule. Installing patches quickly requires knowing exactly what to patch, when, where and how. “The large number of actors launch masses of new ransomware attacks against fresh security gaps, for which further patches have to be developed and installed – a vicious circle in which the IT manager is always behind,” explains Waltert. Many companies are therefore not in a position to close their security gaps in good time.
Once inside, cybercriminals use increasingly sophisticated tactics against their victims in order to extract even more profit. One example is double extortion: instead of just encrypting the data with ransomware and demanding a ransom, the attackers also steal sensitive data and later threaten to publish it. Another variant: the attackers offer their encryption software as ransomware-as-a-service, so that “hobby criminals” can also get into the business. Their timing is also becoming increasingly sophisticated. Attackers strike companies precisely when they are most vulnerable, as in the attack on the Ferrara Candy Company before Halloween last year.
“Many companies invest large sums in defense against cyber attacks. But every wall, no matter how high, can be overcome if the applications open back doors due to software errors. That’s why I advise you not to calculate whether you will be the victim of an attack, but when,” says Waltert. “Cyber security should always be the first line of defense in the fight against ransomware – but not the last. Nobody should neglect the fact that working backups and a pre-tested recovery plan are the strongest defenses against ransomware.” If an attack is successful and the malware encrypts the data, the data can be reliably restored from the backups, the last line of defense: “The company then doesn’t have to pay a ransom to buy the decryption codes from the criminals.”
Outsourcing risk management does not work
Some entrepreneurs believe that their cyber insurance will cover the damage and that they will get their ransom, or at least part of it, back. However, some insurance companies have already increased their policies significantly and others have changed their strategy. AXA, for example, announced last year that it would no longer issue cyber insurance policies in France that reimburse extortion payments. Another problem, according to Waltert: “It is quite understandable that a company prefers the easy way and pays off the hackers. However, there is no guarantee that it will then get all the data back. Rather, it may happen that the information is nevertheless published on the World Wide Web. In addition to the high financial damage, the company’s reputation is also at risk, and it can take years for it to recover from the ransomware attack. The question therefore arises as to why many organizations neglect their data protection and backup plan.”
Data backup: The ideal time is before the attack
In addition to cyber security measures, companies should implement a comprehensive, multi-level backup strategy and keep the copies isolated from each other and distributed across different environments. The 3-2-1-1 rule is important: There must be three copies or versions that are saved on two different storage media. In addition, tools for endpoint data protection should be deployed on desktop PCs and laptops. In this way, data is backed up continuously, regardless of how security-conscious individual employees are. It is also advisable to strongly encrypt the backup data and the communication between the backup systems, and to control access to those systems with strong authentication procedures. This makes it considerably more difficult for attackers to penetrate the backup infrastructure and corrupt data there after a successful break-in. Another important measure is to pre-test recovery plans to find out whether they are really effective during and after an attack.
A backup remains the last line of defense and serves as the primary defense against any ransomware extortion attempt. It complements the security architecture of anti-malware solutions and other security technologies in a meaningful way. “Because an IT manager will never be able to say that his network is 100 percent secure from attacks and ransomware. After all, attackers always find ways and means of breaking into a system, even if it is through a clever social engineering attack on individual employees. It is all the more important to be prepared and to have clean copies of the data in case of an emergency, with which the entire operation can be restored,” concludes Waltert.