Ransomware attacks have become increasingly sophisticated and pervasive, with the recent incidents at Colonial Pipeline and JBS being prime examples.
It’s pretty clear that even the most sophisticated cybersecurity defenses can be penetrated, even at tech firms that are loaded with cyber talent and all the latest tools. To wit: Intel, Microsoft, and Cisco, which were hacked during the SolarWinds attack last year.
So how in the world is it possible for companies to defend themselves against ransomware attacks?
After an exhaustive assessment study, Colonial Pipeline had the opportunity to implement an IG program in 2018, but Management chose not to. And this is what a lot of companies do: they kick the can down the road and focus on short-term profits. Management doesn’t want to hear about how hard it is for their employees to find the information they need to do their jobs. Or how long it takes to produce records for regulators. Or how valuable company information could be compromised. Or that all their work and emails end up captured on Legal Hold because their corporate information stores are so disorganized they can’t place a granular Hold on the specific information relevant to a lawsuit.
So Management just ignores it, so long as profits keep coming in. In Colonial’s case, they have a virtual monopoly, and were regularly bringing in profits of $100M-$400M per year, based on about $1B in Revenues. So Management was Fat & Happy, and didn’t want to hear about the trivialities of their employees’ plight to navigate the information jungle that was created. After all, “Look at these profits – we must be doing something right!” they probably told each other with a big slap on the back.
Who can blame them? IG programs are hard work; it takes a great deal of effort to inventory your information assets, identify the files that are most sensitive, and lock them down with encryption or other tools like information rights management (IRM). It is also tedious to move files from a messy shared-drive environment to a managed content services or content management platform. Creating an enterprise-wide taxonomy and standardizing metadata to manage files in an orderly fashion is challenging. It’s tough to decide which information to dispose of, get approval from Legal, and regularly follow an updated record retention schedule (RRS). And implementing a Security Information and Event Management (SIEM) system requires a sophisticated cybersecurity staff to properly configure and maintain it, and it may slow down system access.
Organizations must have a formal IG program in place, not only to counter potential hacking and ransomware attacks, but also to improve compliance capabilities while lowering costs and increasing operational efficiency. Oh, and BTW – increasing profits.
What exactly is an IG program, and how can it help offset the risks of these attacks?
An IG program is a formal, ongoing program aimed at minimizing information risks and costs, while maximizing its value. IG is, in short, a program to “secure, control & optimize” information. Think of it as akin to a workplace safety program which is constantly reinforced and expanded to ensure the proper governance of information.
But how does IG protect against ransomware attacks?
There are three basic levels or types of ransomware demands:
1) Encrypt all your data and demand a payment for a decryption tool;
2) Threaten to release confidential information to the public or on the dark web, which could be employee or patient information;
3) Threaten to release confidential information from your partners and alliances.
Companies can protect themselves from the initial ransomware attack by deploying a SIEM system that can detect anomalies, such as the moment files start to be encrypted. That detection can enable a response that quickly limits the damage of the attack.
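To make the kind of anomaly that paragraph refers to concrete, here is an added example (not code from the original post): a small detection rule that reads file-write events and alerts when a single user/process pair writes several high-entropy, encrypted-looking files within a short window. The event format, the process names, the entropy cut-off and the thresholds are all assumptions constructed for the illustration.

```python
import math
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed content samples. A permutation of all 256 byte values has the
# maximum entropy of 8.0 bits/byte, like ciphertext; repeated text sits far lower.
ENCRYPTED_LIKE = bytes((i * 97 + 13) % 256 for i in range(256))
PLAINTEXT_LIKE = b"Quarterly budget notes\n" * 11


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: ~8.0 for encrypted/compressed data, much less for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _ev(ts, user, proc, path, data):
    # Hypothetical event shape; real EDR/Sysmon/auditd feeds use different field names.
    return {"ts": datetime.fromisoformat(ts), "user": user, "process": proc, "path": path, "data": data}


# Constructed sample feed: normal office activity plus one actor rewriting many files at once.
SAMPLE_EVENTS = [
    _ev("2021-06-01T09:00:00", "alice", "winword.exe", "Q:/finance/budget.docx", PLAINTEXT_LIKE),
    _ev("2021-06-01T09:00:30", "alice", "winword.exe", "Q:/finance/notes.docx", PLAINTEXT_LIKE),
    _ev("2021-06-01T09:01:00", "alice", "7z.exe", "Q:/finance/archive.7z", ENCRYPTED_LIKE),  # one archive: benign
] + [
    _ev(f"2021-06-01T09:05:{i * 3:02d}", "bob", "updater.exe", f"Q:/hr/employee_{i}.xlsx.locked", ENCRYPTED_LIKE)
    for i in range(6)
]


def detect_mass_encryption(events, window=timedelta(seconds=60), threshold=5, min_entropy=7.5):
    """Alert once per (user, process) that writes >= threshold high-entropy files inside `window`.

    Single high-entropy writes (archives, images) are expected; the burst is the signal."""
    recent = defaultdict(deque)  # (user, process) -> timestamps of recent high-entropy writes
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if shannon_entropy(ev["data"]) < min_entropy:
            continue
        key = (ev["user"], ev["process"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop writes that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": key[0], "process": key[1], "at": ev["ts"].isoformat(), "count": len(q)})
    return alerts
```

Running `detect_mass_encryption(SAMPLE_EVENTS)` flags only bob's burst; alice's single archive write never reaches the threshold. In a real SIEM the same logic is expressed as a correlation rule over the file-activity source, with thresholds tuned to the organisation's normal write rates.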
However, even if the bad guys do get in, if your company has locked down its most important and confidential information with encryption, then the threats to release your confidential information to the public are hollow. They can’t get to that information. And the same goes for the threat of releasing confidential information on your partners.
In fact, we all know that robbers choose the easiest targets. Hackers work the same way; if they find a system that is going to be a lot of extra work to hack, and they aren’t assured of getting to your most valuable information, they will simply move to the next target.
So, here is a message for CEOs from their Board of Directors: What is the status of your IG Program?