Every business is different. Some older and more established organizations have networks and infrastructure that have evolved through the years without security being a priority, and IT shops have traditionally just bolted on new technology without properly configuring it and/or decommissioning the old tech. 

Even startups who begin their lives in the cloud still have some local technology servers or infrastructure that need constant care and feeding. 

Some of the themes I see, and the most common mistakes made by companies, are:

1. No patch strategy or a strategy that is driven more by concerns over network unavailability and less on actual information assurance and security posture.

2. Not understanding [of] what normal traffic looks like on their networks and/or relying on software tools. Usually too many of them overlap and are misconfigured. The network architecture is the company’s pathway to security or vulnerability with misconfigured tools.

3. Relying too much on backups, and believing that a backup is enough to protect you. Backups that were not segmented from the network, were only designed to provide a method of restoring a point in time, and were never designed to be protected from an attacker. Backups need to be tested regularly to ensure the data is complete and not corrupted.

I worked a number of cyber investigations in my FBI career where the company was so focused on driving the next digital transformation idea forward and missing the security of their current infrastructure during the process. 

For example, I have seen many companies during their move to a cloud environment focus so intently on the cloud migration that they neglect the servers and infrastructure that are sitting in some closet they forgot about, collecting dust, not being patched, and still connected to the network. 

All it takes is one open port or one unpatched vulnerability for the threat actors to exploit. 

Shadow IT and shadow data repositories are a huge vulnerability, and they are exactly what the threat actors are looking for when they are probing your network endpoints.

Certainly, preparation is the key and not becoming a victim is always preferable to being victimized by ransomware. 

However, the best response strategies are found in these areas:

1. Know your networks and infrastructure well enough, or if you use a third-party managed service for this expertise, to be able to assess the damage as quickly as possible. It’s critical to understand the extent of the compromise, have the capability to conduct a root cause analysis, regain control of your environment, and determine if and what data may have been stolen.

2. Know where your data is, especially for the “Crown Jewels” of the organization. If those are properly segmented and you have adequate (clean) data back-up repositories, then responding to an attack is much less of a fire drill.

3. Make certain you have a robust Incident Response (IR) manual that specifically deals with ransomware, and practice, practice, practice, all the way up to the Board level.

4. Make certain you have, on retainer, any third-party expertise (outside counsel, forensics, PR and communications experts).

I have always said cybersecurity is more about people behind keyboards than the actual technology. 

As technology evolves, with the evolution of artificial intelligence (AI), machine learning (ML) and cloud migration, new skills must be brought to the playing field. No matter the size of the organizations, businesses that seek to innovate faster than their competitors are fighting for the same qualified talent. 

I want to emphasize the “Qualified” as there is not only a lack of people to do the work, but also a growing skills gap in those qualified to understand the complexities of modern networks. 

Gaps in technology skills can hold a business back from achieving further success and far more negative business impacts can occur if you have a CIO [Chief Information Office] or a CISO [Chief Information Security Officer] who is ill-equipped to secure the organization but claims to senior leadership that the company is safe.

One of the things I think companies miss is they tend to think these criminal threat actor groups are all independent and competing against each other. 

These organizations sometimes share data and intelligence about victims. Once data is exfiltrated from a company and posted or sold on a dark-web forum, other criminal threat actors are using that data from another actor’s previous attack to stair-step to additional victims and further exploits. 

With the advent of Ransomware-as-a-Service and Dark-Web malware shopping sites, like Silk Road and AlphaBay, the double extortion threat is real, and the threats are not just coming from single organizations, but sometimes criminal groups working together offering a malware service and Botnets to deploy the malware.

The threat of double-extortion is real, but with ransomware attacks there has always been the threat [that] cybercriminal attackers will leak the data exfiltrated from the victim, so I don’t see that threat as really new. 

Gone are the days when you could be a victim of a cyber-attack, either pay the ransom or restore your systems and not disclose the attack. Reporting requirements and future legislation will dictate transparency and disclosure.

I believe the move by AXA was based upon their view of the challenges in the current cyber insurance market, related to competing pressure in the regulatory environment and from law enforcement. 

There are cases I have worked where threat actors intentionally search through a victim’s infrastructure and data looking for whether the victim has cyber insurance. Some threat actors actually use the data from the victim’s own system in the ransomware notice indicating that there is no reason not to pay, because they are insured. 

An argument could be made that cyber insurance emboldens the attackers, so limiting payments and coverage could discourage future attacks. 

I believe the trend and the more likely response will be more to limiting cyber-ransomware payout amounts and certainly requiring policy holders to have and maintain a higher level of cyber maturity, conduct better and more regular risk assessments, and more closely align coverage to threats, which is in my opinion the better way to respond to cyber extortion than just simply halting payments.