Expect the Best, but Prepare for the Worst: 5 Practical Steps to Take Before a Ransomware Attack
Last month, we wrote about steps to take after experiencing a ransomware event. This month, as ransomware events continue to grow in number and severity, we now share the following five practical tips to implement before a ransomware event. These tips should help you bolster your defenses and reduce the havoc a ransomware attack can have on your business.
1. Obtain Cyber Insurance
Obtain cyber insurance to protect yourself from potentially devastating losses associated with a ransomware attack. In addition to the financial peace of mind cyber insurance provides, your cyber insurance carrier will be your first point of contact should your business ever experience a ransomware attack. Your cyber insurance carrier can connect you to the appropriate resources and experts to assist you in responding to an attack. But please make sure that you obtain adequate cyber insurance coverage, or else the exceptionally high costs associated with a ransomware attack may quickly make inadequate cyber insurance coverage feel like no cyber insurance coverage at all.
2. Use Off-Site Backups
Off-site backups are an effective way to recover from a ransomware attack and restore operations if a ransomware attack encrypts your on-site data. Ensure that your off-site backups back up as often as necessary based upon your business’ needs. Also, test and check your backups regularly to ensure that they are functioning as intended.
3. Enable Logging
Log files contain a record of events from certain systems and software, including firewalls, operating systems, and email. Unfortunately, some systems do not automatically enable logging. Log data provides vital information about a ransomware attack, including how the threat actor(s) gained access to a network and whether data was accessed or acquired without authorization during the attack. Without relevant log data available, you may not be able to find the answers to these important questions. So, make sure your systems are set up to retain log data for an appropriate amount of time (the more, the better).
4. Secure Remote Access Tools
Ransomware threat actors often gain initial access to a network via exposed or poorly secured remote access tools and services. Thus, make sure that no Remote Desktop Protocol (RDP) ports are exposed to the internet. Also, apply multi-factor authentication (MFA) to any remote access services and force account lockouts after a specified number of failed login attempts.
5. Implement a Written Information Security Program
A written information security program (WISP) details a business’s security controls, processes, and policies. Key elements of a WISP include incident response procedures and regular cybersecurity assessments to identify and address vulnerabilities. In addition to providing you with security procedures to reduce the risk of a ransomware attack and improve your response to an attack, a WISP may also limit your liability if one were to occur. For example, Utah just passed a bill providing certain affirmative defenses, including an affirmative defense to a claim that your organization failed to: (i) implement reasonable information security controls; (ii) appropriately respond to a breach of a security system; or (iii) appropriately notify an individual whose personal information was compromised in a breach. Utah Code Ann. § 78B-4-702.
While implementing these steps cannot prevent a ransomware attack, doing so will certainly reduce the likelihood of an attack occurring and will assist in reducing the impact of a ransomware attack, should one occur.
**Lewis Brisbois has been nominated for two Advisen Cyber Risk Awards! Vote for Lewis Brisbois as “Cyber Risk Event Response Team of the Year” and “Cyber Law Firm of the Year” here.**