{"id":15000,"date":"2017-01-18T18:59:10","date_gmt":"2017-01-18T08:59:10","guid":{"rendered":"http:\/\/tomgrimshaw.com\/tomsblog\/?p=15000"},"modified":"2024-07-02T04:42:39","modified_gmt":"2024-07-01T18:42:39","slug":"3-ways-to-protect-your-business-from-ransomware","status":"publish","type":"post","link":"https:\/\/www.tomgrimshaw.com\/tomsblog\/?p=15000","title":{"rendered":"3 ways to protect your business from ransomware"},"content":{"rendered":"<p>In recent months, ransomware has been increasingly garnering headlines here and across the globe. If you\u2019ve been keeping your head down and believe that it won\u2019t happen to you or your business \u2013 now is a good time to think again.<\/p>\n<h3>Step 1. Prepare a recovery plan: Recover without paying<\/h3>\n<ul>\n<li><strong>What:<\/strong>\u00a0Plan for the worst-case scenario and expect that it will happen at any level of the organization.<\/li>\n<li><strong>Why:<\/strong>\u00a0This will help your organization:\n<ul>\n<li><strong>Limit damage for the worst-case scenario:<\/strong>\u00a0Restoring all systems from backups is highly disruptive to business, but it\u2019s still more efficient than trying to do recovery using low-quality attacker-provided decryption tools after paying to get the key.<em>\u00a0Remember:<\/em>\u00a0paying is an uncertain path; you have no guarantee that the attackers\u2019 key will work on all your files, that the tools will work effectively, or that the attacker\u2014who may be an amateur using a professional\u2019s toolkit\u2014will act in good faith.<\/li>\n<li><strong>Limit the financial return for attackers:<\/strong>\u00a0If an organization can restore business operations without paying, the attack has effectively failed and resulted in zero return on investment for the attackers. 
This makes it less likely they will target your organization again in the future (and deprives them of funding to attack others).\u00a0<em>Remember:<\/em>\u00a0attackers may still attempt to extort your organization through data disclosure or by abusing\/selling the stolen data, but this gives them less leverage than possessing the only means of accessing your data and systems.<\/li>\n<\/ul>\n<\/li>\n<li><strong>How:<\/strong>\u00a0Organizations should ensure they:\n<ul>\n<li><strong>Register risk.<\/strong>\u00a0Add ransomware to the risk register as a high-likelihood and high-impact scenario. Track mitigation status via your Enterprise Risk Management (ERM) assessment cycle.<\/li>\n<li><strong>Define and back up critical business assets.<\/strong>\u00a0Automatically back up critical assets on a regular schedule, including correct backup of critical dependencies, such as\u00a0<a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/active-directory\/\" target=\"_blank\" rel=\"noopener\">Microsoft Active Directory<\/a>.<\/li>\n<li><strong>Protect backups.<\/strong>\u00a0To safeguard against deliberate erasure and encryption, use offline storage, immutable storage, and\/or out-of-band steps (<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/identity-access-management\/mfa-multi-factor-authentication\" target=\"_blank\" rel=\"noopener\">multifactor authentication<\/a>\u00a0or PIN) before modifying or erasing online backups.<\/li>\n<li><strong>Test the \u2018recover from zero\u2019 scenario.<\/strong>\u00a0Ensure that your\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/compliance\/assurance\/assurance-resiliency-and-continuity\" target=\"_blank\" rel=\"noopener\">business continuity and disaster recovery<\/a>\u00a0(BC\/DR) can rapidly bring critical business operations online from zero functionality (all systems down). 
Conduct practice exercises to validate cross-team processes and technical procedures, including out-of-band employee and customer communications (assume all email and chat are down).<em>\u00a0Important:<\/em>\u00a0protect (or print) supporting documents and systems required for recovery, including restoration-procedure documents, configuration management databases (CMDBs), network diagrams, and\u00a0<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/07\/13\/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit\/\" target=\"_blank\" rel=\"noopener\">SolarWinds instances<\/a>. Attackers regularly destroy these documents.<\/li>\n<li><strong>Reduce on-premises exposure.<\/strong>\u00a0Move data to cloud services with automatic backup and self-service rollback.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Step 2. Limit the scope of damage: Protect privileged roles (starting with IT admins)<\/h3>\n<ul>\n<li><strong>What:<\/strong>\u00a0Ensure you have strong controls (prevent, detect, respond) for privileged accounts, such as IT admins and other roles with control of business-critical systems.<\/li>\n<li><strong>Why:<\/strong>\u00a0This slows or blocks attackers from gaining complete access to steal and encrypt your resources. Taking away the attacker\u2019s ability to use IT admin accounts as a shortcut to resources will drastically lower the chances that they\u2019ll be successful in controlling enough resources to impact your business and demand payment.<\/li>\n<li><strong>How:<\/strong>\u00a0Enable elevated security for privileged accounts\u2014tightly protect, closely monitor, and rapidly respond to incidents related to these roles. 
See\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/compass\/security-rapid-modernization-plan\" target=\"_blank\" rel=\"noopener\">Microsoft\u2019s recommended steps<\/a>\u00a0that:\n<ul>\n<li>Cover end-to-end session security (including multifactor authentication for admins).<\/li>\n<li>Protect and monitor identity systems.<\/li>\n<li>Mitigate lateral traversal.<\/li>\n<li>Promote rapid threat response.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Step 3. Make it harder to get in: Incrementally remove risks<\/h3>\n<ul>\n<li><strong>What:<\/strong>\u00a0Prevent a ransomware attacker from entering your environment, as well as rapidly respond to incidents and remove attacker access before they can steal and encrypt data.<\/li>\n<li><strong>Why:<\/strong>\u00a0This causes attackers to fail earlier and more often, undermining their profits. While prevention is the preferred outcome, it may not be possible to achieve 100 percent prevention and rapid response across a real-world organization with a complex multi-platform, multi-cloud estate and distributed IT responsibilities.<\/li>\n<li><strong>How:<\/strong>\u00a0Identify and execute quick wins that strengthen security controls to prevent entry and rapidly detect and evict attackers, while implementing a sustained program that helps you stay secure. Microsoft recommends following the principles outlined in the\u00a0<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/zero-trust\" target=\"_blank\" rel=\"noopener\">Zero Trust strategy<\/a>. 
Against ransomware, organizations should prioritize:\n<ul>\n<li><strong>Improving security hygiene<\/strong>\u00a0by reducing the attack surface and focusing on vulnerability management for assets in their estate.<\/li>\n<li><strong>Implementing protection, detection, and response controls<\/strong>\u00a0for digital assets, as well as providing visibility and alerting on attacker activity while responding to active threats.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>The takeaway<\/h2>\n<p>To counter the threat of ransomware, it\u2019s critical to identify, secure, and be ready to recover high-value assets\u2014whether data or infrastructure\u2014in the likely event of an attack. This requires a sustained effort involving obtaining buy-in from the top level of your organization (like the board) to get IT and security stakeholders working together asking nuanced questions. For example, what are the critical parts of the business that could be disrupted? Which digital assets map to these business segments (files, systems, databases)? How can we secure these assets? This process may be challenging, but it will help set up your organization to make impactful changes using the steps recommended above.<\/p>\n<p>To learn more, visit our page on\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/compass\/protect-against-ransomware\" target=\"_blank\" rel=\"noopener\">how to rapidly protect against ransomware and extortion<\/a>.<\/p>\n<p>To learn more about Microsoft Security solutions,\u00a0<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/solutions\" target=\"_blank\" rel=\"noopener\">visit our\u00a0website<\/a>.\u00a0Bookmark the\u00a0<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\" target=\"_blank\" rel=\"noopener\">Security blog<\/a>\u00a0to keep up with our expert coverage on security matters. 
Also, follow us at\u00a0<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noopener\">@MSFTSecurity<\/a>\u00a0for the latest news and updates on cybersecurity.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/07\/3-steps-to-prevent-and-recover-from-ransomware\/\">https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/07\/3-steps-to-prevent-and-recover-from-ransomware\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In recent months, ransomware has been increasingly garnering headlines here and across the globe. If you\u2019ve been keeping your head down and believe that it won\u2019t happen to you or your business \u2013 now is a good time to think again. Step 1. Prepare a recovery plan: Recover without paying What:\u00a0Plan for the worst-case scenario &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/www.tomgrimshaw.com\/tomsblog\/?p=15000\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;3 ways to protect your business from 
ransomware&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,5],"tags":[],"class_list":["post-15000","post","type-post","status-publish","format-standard","hentry","category-computer-tips-basic","category-general-interest"],"_links":{"self":[{"href":"https:\/\/www.tomgrimshaw.com\/tomsblog\/index.php?rest_route=\/wp\/v2\/posts\/15000","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tomgrimshaw.com\/tomsblog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tomgrimshaw.com\/tomsblog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tomgrimshaw.com\/tomsblog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tomgrimshaw.com\/tomsblog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15000"}],"version-history":[{"count":3,"href":"https:\/\/www.tomgrimshaw.com\/tomsblog\/index.php?rest_route=\/wp\/v2\/posts\/15000\/revisions"}],"predecessor-version":[{"id":52539,"href":"https:\/\/www.tomgrimshaw.com\/tomsblog\/index.php?rest_route=\/wp\/v2\/posts\/15000\/revisions\/52539"}],"wp:attachment":[{"href":"https:\/\/www.tomgrimshaw.com\/tomsblog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15000"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tomgrimshaw.com\/tomsblog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15000"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tomgrimshaw.com\/tomsblog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15000"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}