Cybercriminals are becoming increasingly savvy and ransomware attacks have soared over the last decade. A recent PwC UK Cyber Threat Intelligence report revealed a spike in cybersecurity incidents which have significantly affected many organisations that are already dealing with challenges caused by the pandemic. It is likely the increase in the rate of attack has been fuelled by the influx of new ransomware actors, the expansion of existing affiliate schemes and pursuing improved revenues by established cyber-crime actors. And, unfortunately, no one is safe. Ransomware attacks can affect all business sectors and they are growing in intensity.  

It all comes down to opportunity costs. During the pandemic, cybercriminals have been capitalising on ransomware as more people are working remotely.  All it takes is a single vulnerable device.  The disappearing perimeter means that many more devices are exposed, and many are simultaneously connected to a corporate or government network, and the user’s personal home network. A single successful attack can result in cybercriminals making hundreds of thousands or even millions of dollars.  

Common avenues into public sector organisations

Despite ‘ransomware’ being the term that usually makes it into the headlines, social engineering, email phishing, and malicious email links are the major vectors that criminal organisations use to infiltrate environments and deploy their malware, and recent studies have shown that many successful attacks originate from a mobile device.

Getting rid of passwords in favour of multifactor, biometric or zero sign-on capabilities is the only way to stop cyber criminals harbouring credentials. Eliminating passwords should be tightly coupled with the ability to establish a contextual relationship between the user, the network, policy compliance, and the data that they are accessing.

Unpatched vulnerabilities and default configurations are another common point of entry into public sector organisations’ ecosystems. Underfunded public bodies typically struggle in prioritising the patch management process in IT, due in part to the resources needed to patch every vulnerability manually.

Unpatched vulnerabilities leave those organisations unprotected from malicious cyber threat actors exploiting known threat vectors to get a foothold into connected endpoints. They then move laterally up the cyber kill chain to evolve into an advanced persistent threat (ATP). These APTs are often undetected and living off the land within a victim company’s network.

Hyper-automation technologies that are powered by deep intelligence and use supervised and unsupervised machine learning algorithms can drastically improve IT defences. They provide organisations with visibility over all endpoints, applications, and data, and can effectively manage their security and self-healing capabilities with minimal human intervention.

Providing education to all levels of an enterprise

Ransomware attacks, like the one that hit Colonial Pipeline, are becoming increasingly common, but there are relatively simple steps businesses can take to avoid falling victim to a ransomware attack. 

Educating all levels of an enterprise is possibly the most important mitigator when protecting your business from Ransomware. Cybercriminals monitor employees’ online behaviour to gain access to an organization’s network. Creating an enterprise-wide cybersecurity education and training strategy is key to mitigating ransomware attacks. 

Organisations should start with the basics: educate employees to practice safe clicking, recognise phishing and social engineering attempts, and report suspicious emails and activity to the IT department. This should be treated like fire safety, schedule regular drills to test and monitor the efficacy of your employee training. Even offer rewards for spotting fake phishing emails.

Investing in a unified endpoint management platform with built in threat detection software is another must. This will allow public sector networks to detect policy violations and implement the correct response. IT should also enforce regular account access reviews to ensure that only the right people have access to sensitive company information. This not only protects sensitive data from internal threats but also stops malicious actors from using over-permissioned accounts to inflict damage on the business systems.

Paying ransom

Paying ransom doesn’t guarantee the recovery of your files or ensure the code is removed from your corporate systems. For that reason, government cybersecurity authorities, like the NCSC, don’t advocate emptying your wallet. Additionally, by paying ransom greedy cybercriminals will only be encouraged to continue their plight. But a ransomware strategy that priorities defence and thorough recovery should mean that you won’t need to pay.

If an organization doesn’t have a recovery plan in place, then the ability to not pay the ransom is highly jeopardised. Preparing for ransomware attacks with drills to make sure a thorough recovery plan is in place is crucial. Simply restoring data from a backup onto corrupted systems isn’t an option. You need to reimage hundreds or thousands of systems, prior to putting the data back on. A blue print will be needed for what can be a huge operation.