Users’ training/awareness
The first step of your plan must be a communication plan: training or a job aid delivered to every user on your network. The training should cover the fundamentals of cybersecurity and how users must handle email from unknown senders: not clicking unknown links, verifying where a link actually leads before downloading any software, and reporting suspicious messages rather than ignoring them. Monthly simulated phishing exercises and knowledge tests are a valuable part of the plan because they measure whether the training changed behaviour.
- Training courses – Cybersecurity 101
- Knowledge tests – simulated phishing exercises and activities to test users' knowledge
Network protection
Now that your users are educated, you have to protect the network by deploying a firewall or network protection appliance that blocks all traffic not explicitly allowed (a default-deny policy, inbound and outbound). At the same time, the device must provide monitoring and logging so you can detect unexpected traffic and block it; a firewall whose logs nobody reviews only blocks what you already knew to block. Among the most widely recognized brands in North America is Fortinet's FortiGate line of next-generation firewalls. Below are some of the vendors that provide firewall devices; note that several of them (Bitdefender Box, CUJO AI and Firewalla) are aimed at home and small-office networks rather than enterprise deployments.
- Bitdefender Box
- CUJO AI Smart Internet Security
- Firewalla
- FortiGate Next Generation Firewall (NGFW)
- Protectli
Endpoint Protection
We still have to protect our end-user devices (laptops, mobile devices, printers, servers, workstations, and so on). Endpoint protection is a must-have component of any plan to prevent ransomware attacks: it allows a ransomware infection to be detected and isolated on a single device instead of propagating across the network to others, and it gives you more visibility and control over your network and devices. Info sys has been offering Sophos as the endpoint protection for its clients because its endpoints integrate with a central cloud platform from which all devices can be managed in a single location. Other vendors also offer strong endpoint protection solutions; below are some of the top five endpoint protection providers:
Data backup/recovery
Many organizations that paid a ransom did so because they had not properly backed up their data. Your backup process must be documented. Include your recovery point objective (RPO) and recovery time objective (RTO) in your disaster recovery plan, and test the plan at least annually to verify the objectives can be met. Business leaders and stakeholders must provide input into what an acceptable RPO and RTO is; without their input, the possibility of having to pay a ransom increases. Test your backups regularly by actually restoring from them, not just by checking that the backup job completed, to verify that all critical data is backed up and recoverable. It is also essential that your backup data is protected from ransomware. With the popularity of network-based backups, many organizations run their backup devices on the same network or VLAN as their production network. Avoid this: keep at least one backup copy offline or on immutable (write-once) storage, with credentials separate from the production domain, so that ransomware that reaches production cannot also encrypt or delete the backups.
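The restore test described above, as an added example that is not part of the original article: a small Python checker that answers the two questions a backup test must answer, whether the newest backup is recent enough to meet the RPO, and whether every file still matches the hash recorded when the backup was taken (an encrypted or deleted backup file fails the second check). The manifest format, the file names and the simulated ransomware hit are constructed assumptions for illustration, not any backup product's format.

```python
"""Backup RPO and integrity checker.

Added example for this article; the manifest format, file names and the
simulated ransomware hit are constructed assumptions for illustration.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

CHUNK = 64 * 1024


def sha256_file(path):
    """Stream a file through SHA-256 so large backups never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Record the relative path and SHA-256 of every file at backup time.
    Store (or sign) the manifest somewhere the backup host cannot write to;
    an attacker who can rewrite the data could otherwise rewrite the hashes too."""
    manifest = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, backup_dir)] = sha256_file(full)
    return manifest


def verify_backup(backup_dir, manifest, taken_at, now, rpo):
    """Check the backup's age against the RPO and every file against the manifest."""
    corrupt, missing = [], []
    for rel, expected in manifest.items():
        full = os.path.join(backup_dir, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif sha256_file(full) != expected:
            corrupt.append(rel)
    # If the newest backup is older than the RPO, a restore loses more data
    # than the business agreed to accept.
    age = now - taken_at
    rpo_met = age <= rpo
    return {
        "rpo_met": rpo_met,
        "age_hours": round(age.total_seconds() / 3600, 1),
        "corrupt": sorted(corrupt),
        "missing": sorted(missing),
        "ok": rpo_met and not corrupt and not missing,
    }


def demo():
    """Constructed scenario: a clean verification, then the same backup after a
    simulated ransomware hit that encrypts one file and deletes another."""
    files = {
        "payroll.csv": b"id,name,salary\n1,alice,100\n2,bob,95\n",
        "config.yaml": b"rpo_hours: 24\nrto_hours: 8\n",
        "notes.txt": b"quarterly plan\n",
    }
    taken_at = datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc)
    rpo = timedelta(hours=24)
    with tempfile.TemporaryDirectory() as backup_dir:
        for rel, data in files.items():
            with open(os.path.join(backup_dir, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(backup_dir)

        # 20 hours after the backup, nothing touched: passes.
        clean = verify_backup(backup_dir, manifest, taken_at, taken_at + timedelta(hours=20), rpo)

        # Simulated attack on a backup share left on the production VLAN:
        # one file overwritten with ciphertext, one deleted. Checked 30 hours
        # after the backup, so the RPO is missed as well.
        with open(os.path.join(backup_dir, "payroll.csv"), "wb") as f:
            f.write(b"ENCRYPTED" + bytes(range(64)))
        os.remove(os.path.join(backup_dir, "notes.txt"))
        hit = verify_backup(backup_dir, manifest, taken_at, taken_at + timedelta(hours=30), rpo)
    return clean, hit


if __name__ == "__main__":
    for label, result in zip(("clean", "after attack"), demo()):
        print(label, result)
```

The integrity check only proves the backup still holds what was written; a real restore test goes one step further and restores to an isolated host, then confirms the application actually starts on the restored data within the RTO.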
Vulnerability assessment/Patching
Vulnerability assessments that holistically review the security posture of an organization are beneficial in preventing a ransomware attack. The assessor should be made aware of the concern about ransomware and should consider vulnerabilities not just in applications and servers but also in organizational procedures and policies. These assessments should verify that the procedures meant to prevent ransomware attacks are being followed consistently. A full assessment should be done at least annually, but vulnerability scanning and patching of internet-facing and critical systems need a much shorter cycle: ransomware operators routinely exploit known, already-patched vulnerabilities, often within days of a patch being released, so an annual review alone leaves that window open.
Monitoring/Alerting
Any plan to prevent a ransomware attack must include procedures for monitoring and alerting on suspicious activity. Monitoring a network is an ongoing process and must be done daily. Many organizations have very expensive security tools in their environment, but their logs and events are never reviewed, which makes those tools ineffective. A defined process for security staff to review alerts and logs, with someone accountable for acting on them, is essential for detecting or preventing a ransomware attack.
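The kind of review logic the monitoring process above, and the "detect unexpected traffic" requirement placed on the firewall in the network protection section, both need behind them, as an added example that is not code from the original article: a small Python detector that reads firewall connection logs and alerts when one internal host fans out to many other hosts over SMB, RDP, RPC or WinRM within a short window, which is the pattern ransomware uses to propagate across a network. The log format, field names, hosts, thresholds and sample lines are all constructed assumptions, not any vendor's real format.

```python
"""Lateral-movement detector over firewall connection logs.

Added example for this article; the log format, hosts, thresholds and
sample lines below are constructed for illustration and are not any
vendor's real format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Ports ransomware commonly uses to spread inside a network:
# SMB, RDP, MS-RPC endpoint mapper and WinRM.
LATERAL_PORTS = {445, 3389, 135, 5985}
THRESHOLD = 5                   # distinct targets from one source ...
WINDOW = timedelta(minutes=2)   # ... inside this sliding window

# Constructed syslog-style line: "<ISO timestamp> <host> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we cannot use."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {"ts": ts, "action": fields["action"], "src": fields["src"],
                "dst": fields["dst"], "dport": int(fields["dport"])}
    except (KeyError, ValueError):
        return None


def detect_lateral_movement(lines, threshold=THRESHOLD, window=WINDOW):
    """Alert once per source that reaches >= threshold distinct hosts on
    LATERAL_PORTS within `window`. Denied connections count too: a host
    probing blocked neighbours is still infected."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst), oldest first
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] not in LATERAL_PORTS:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:   # expire events outside the window
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "first_seen": q[0][0],
                           "last_seen": ev["ts"], "targets": sorted(targets)})
    return alerts


# Constructed sample: a normal workstation talking to one file server, an
# infected host sweeping a subnet in seconds, a corrupt line, and a host
# that touches one new neighbour every five minutes (outside the window).
SAMPLE_LOG = [
    "2024-05-01T02:00:01Z fw action=allow src=10.0.1.20 dst=10.0.2.7 dport=445 proto=tcp",
    "2024-05-01T02:00:05Z fw action=allow src=10.0.1.20 dst=10.0.2.7 dport=445 proto=tcp",
    "2024-05-01T02:00:09Z fw action=allow src=10.0.1.20 dst=203.0.113.5 dport=443 proto=tcp",
    "2024-05-01T02:01:00Z fw action=allow src=10.0.1.15 dst=10.0.2.1 dport=445 proto=tcp",
    "2024-05-01T02:01:02Z fw action=deny src=10.0.1.15 dst=10.0.2.2 dport=445 proto=tcp",
    "2024-05-01T02:01:04Z fw action=allow src=10.0.1.15 dst=10.0.2.3 dport=445 proto=tcp",
    "2024-05-01T02:01:06Z fw action=allow src=10.0.1.15 dst=10.0.2.4 dport=3389 proto=tcp",
    "this line is corrupt and must be skipped",
    "2024-05-01T02:01:08Z fw action=deny src=10.0.1.15 dst=10.0.2.5 dport=445 proto=tcp",
    "2024-05-01T02:01:10Z fw action=allow src=10.0.1.15 dst=10.0.2.6 dport=445 proto=tcp",
    "2024-05-01T02:05:00Z fw action=allow src=10.0.1.30 dst=10.0.2.1 dport=445 proto=tcp",
    "2024-05-01T02:10:00Z fw action=allow src=10.0.1.30 dst=10.0.2.2 dport=445 proto=tcp",
    "2024-05-01T02:15:00Z fw action=allow src=10.0.1.30 dst=10.0.2.3 dport=445 proto=tcp",
    "2024-05-01T02:20:00Z fw action=allow src=10.0.1.30 dst=10.0.2.4 dport=445 proto=tcp",
    "2024-05-01T02:25:00Z fw action=allow src=10.0.1.30 dst=10.0.2.5 dport=445 proto=tcp",
]


def run_sample():
    """Run the detector over the constructed log; returns the alert list."""
    return detect_lateral_movement(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['src']} reached {len(a['targets'])} hosts between "
              f"{a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}: {', '.join(a['targets'])}")
```

To run this against a real firewall export, replace SAMPLE_LOG with the file's lines and adjust parse_line to the vendor's field names, then tune THRESHOLD and WINDOW against a week of normal traffic before paging anyone on it (a backup server or vulnerability scanner will legitimately fan out and needs an allow-list). The slow host in the sample shows the limit of a fixed window: an attacker who spreads one hop every few minutes stays under it, which is why daily review of the raw logs still matters.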
Finally, a reactive plan to respond to ransomware attacks
You should document the precise steps to take if a ransomware attack is detected. All steps should be documented in detail, and the goal should be to contain the spread of the ransomware and recover any lost data. The plan should also include a process for notifying authorities. The first containment step for a device suspected of being infected should be to isolate it from the network (unplug the cable or disable Wi-Fi, or quarantine it from your endpoint protection console) rather than rebooting it: some ransomware variants only begin or finish encrypting after a reboot triggered by the attacker's script, and a reboot also destroys the volatile memory that forensic analysis, and in some cases key recovery, depends on. If you cannot isolate the device, power it off to stop the encryption from progressing; either way, do not reboot it, and attempt to preserve and recover any data that has not yet been encrypted before any cleanup begins.
After your ransomware response plan is documented, perform a tabletop exercise to confirm it can actually be followed and that everyone involved knows their role. This will assure stakeholders that the organization is prepared to respond appropriately in the event of a breach.
If you do not have a plan for protecting your network from ransomware, create one now. Without a plan, a successful attack will likely lead to lost customers and decreased revenue.
It is easier than ever for attackers to launch ransomware attacks, and it is up to each organization to document and test its plan to prevent them.