A Career & More. Click here to explore opportunities with TBG today!

Ransomware Concerns and Risk Mitigation

All organizations can face a disastrous outcome to a ransomware event, including the governmental entities. An outbreak is a painful event especially with the critical role these agencies have. The disruption of essential services to the public, health care, water & sewerage, education, transportation, and other vital amenities can be catastrophic. It’s not just the agency that would suffer, the threat to them affects many people as well, either directly or indirectly. It is known that there were 79 ransomware attacks that targeted at federal, state, and local governments last year, in those attacks 71 million US citizens were potentially affected. Ransomware attacks impacting local governments are catastrophic not only for the organizations themselves, but also for the constituents they serve. So, what can you do? Read on to find out.

Advanced and ever-changing ransomware infections (the malicious software (malware) that fully encrypts data on the computer device and/or those that steal data and then require you to pay for the decryption key) have been advanced to the point of daily prevalence. The costs associated with these attacks and the damage done is more costly every day. Cybercriminals have advanced the capabilities of malware to not only encrypt your data, but they can send the accessed data externally. Even if you pay, they have the ability to come back to you again and again to extort funds to keep them from releasing your information and causing additional data breaches.

A recent U.S. Government interagency report indicates that, on average, there are thousands of daily ransomware attacks, and they expect cybercrime damages to exceed $6 Trillion annually in the next 12 months.

You may be aware that ransomware exploits human and technical weaknesses to gain access to an organization’s data and technical infrastructure in order to deny the organization access to its own data by encrypting that data. Ransomware likewise is known to carry additional malware infections with other malicious payloads including spyware applications that may be installed, including ones that steal, and then exfiltrate usernames and passwords, non-public information (NPI), and other confidential information about the computer, the user, and the data used by the organization. Given how lucrative it is for those who deploy it, one can assume these attacks will continue to grow for the foreseeable future.

Fortunately, there are measures known to be effective in preventing the introduction of ransomware and recovering from a ransomware attack. We will highlight several areas that, with proper implementation and ongoing assessment, will help support your efforts in ransomware attack prevention and recovery from a general data privacy and cybersecurity perspective.

Complying with Data Privacy and Cybersecurity Laws

The data you use must be assessed at least annually to confirm you are meeting the laws and regulations for utilizing that data. It is mandatory that covered organizations and their business associates (vendors, third-party, etc.) conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the protected data the entity creates, receives, maintains, or transmits or otherwise interacts with. It is expected that organizations will use a documented and standard process of risk analysis and risk management that satisfies the specific standards and implementation specifications of the laws. It is likewise expected the organization is implementing security measures throughout to a reasonable and appropriate level to protect that data.

Vendors and other Third-Party Contracts

An effective vendor management program is key in your ongoing protections. You need to know how, where, and when your vendor will protect your data. Not all contracts with a vendor share the protections with you and many times they place the full burden on you. It is critical that you understand what both your responsibilities are and that you bind them via those contracts to meet your needs. A program with at least annual vendor audits is required in many instances and should be in place now.

Changes to Laws and Regulations and Standards

It is imperative that you monitor and adjust your cybersecurity and data privacy programs considering any changes to your environment and the changes in the overall cyber industry. An annual assessment of the controls and changes is mandatory!

In addition to the guidance above, the following are some controls and schemes that warrant consideration.

Ongoing Prevention Controls

1. Conduct Ongoing, Documented, Thorough Information Security Risk Assessments

    Maintain an ongoing information security risk assessment program that considers new and evolving threats to protected data and adjusts to changing standards for user authentication, layered security, and other controls in response to identified risks.

    Identify, prioritize, and assess the risk to critical systems, including threats to applications that control various system parameters and other security and fraud prevention measures. In addition, ensure that third party service providers meet your expectations, not theirs.

    2. Securely Configure Systems and Services

      Protections such as patch management, logical network segmentation, offline backups, air gapping, maintaining an inventory of authorized devices and software, consistency in configuration, physical segmentation of critical systems, and other controls may mitigate the impact of a cyber-attack involving ransomware.

      3. Protect Against Unauthorized Access

        Limit the number of credentials with elevated privileges across the organization, especially administrator accounts and the ability to easily assign elevated privileges that access critical systems. Review access rights twice a year to reconfirm access approvals are appropriate to the job function.

        Establish stringent expiration periods for unused credentials, monitor logs for use of old credentials, and promptly terminate unused or unwarranted credentials. Implement multifactor authentication protocols for systems and services (e.g., virtual private networks) and access to any data.

        4. Perform Security Monitoring, Prevention, and Risk Mitigation

          Monitor system alerts to identify, prevent, and contain attack attempts from all sources. Wherever possible, implement an Endpoint Detection & Response (EDR) solution.

          5. Update Information Security Awareness Training Programs

            Conduct at hire and at least annually, mandatory information security awareness training across the organization. This should include how to identify, prevent, and report phishing attempts and other potential security incidents. Ensure the training reflects the functions performed by employees, and if possible, include random email phishing and social engineering tests.

            6. Implement and Regularly Test Controls Around Critical Systems

              Ensure that appropriate controls, such as access control, segregation of duties, audit, fraud detection, and monitoring systems are implemented for systems based on risk.

              Limit the number of sign-on attempts for critical systems and lock accounts once such thresholds are exceeded. Implement alert systems to notify employees when baseline controls are changed on critical systems.

              Test the effectiveness and adequacy of controls at least annually.

              Encrypt sensitive data on all portable, internal, and external facing data storage devices and systems, for data in transit and, where appropriate, at rest.

              7. Document, Review, Update, And Test Computer Security Incident Response and Business Continuity Plans Periodically but No Less Than Twice Annually

                Test the effectiveness of incident response plans at the organization and with third party service providers to ensure that all employees, including individuals responsible for managing risk, information security, vendor management, fraud detection, and customer inquiries, understand their respective responsibilities and their organization’s protocols.

                Ensure processes are in place to update, review, and test incident response and business continuity plans addressing cybersecurity threats involving extortion.

                Ensure that incident response and business continuity plans are updated to address notification of service providers, including Internet service providers (lSP), as appropriate, if the organization suspects that a DDoS attack is occurring.

                8. Utilize The Standard Practice for Backing Up Data Is Known as the 3-2-1 Rule

                  • Create up to at least three copies of the data.
                  • In two different storage formats.
                  • With at least one copy located offsite and if needed, air gapped.

                  9. Participate In Industry Information-Sharing Forums

                    Incorporate information sharing with other organizations and service providers into risk mitigation strategies to identify, respond to, and mitigate cybersecurity threats and incidents. Since threats and tactics change rapidly, participating in information-sharing organizations can improve an organization’s ability to identify attack tactics and to mitigate cyber-attacks involving ransomware malware on its systems successfully. In addition, there are government resources, such as the U.S. Computer Emergency Readiness Team (US-CERT), that provide information on vulnerabilities.

                    There is no one silver bullet that will protect you and your data. The programs and processes noted above must work in concert with all your other controls to help in effectiveness; however, you must still be prepared to respond to an event or breach, and that requires auditing, assessing, training, and testing diligence across your environment.

                    This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.