What Can Government do about Ransomware?
Ransomware is the most significant cyberthreat faced by Canadians – and incidents are on the rise. During a ransomware attack, cybercriminals use malicious software to encrypt, steal, or delete data, then demand a ransom payment to restore it – resulting in downtime, data loss, privacy breaches, reputational damage, and expensive recovery costs.
Recently, IBM took part in the Ontario Leadership Forum hosted by IPAC to take a deep dive into the current state of ransomware, the steps the public sector can take to prepare and protect themselves, and how to best respond in the event of an attack.
The current state of ransomware
The Canadian Centre for Cyber Security warns that threat actors are becoming increasingly aggressive in targeting government. In 2021, more than half of the ransomware incidents against Canadian victims were critical infrastructure providers. Hospitals and universities are also increasingly under attack.
What’s going on? Several factors are at play. First, digital transformation technology has increased IT complexity, blind spots, and attack surfaces. Second, in this environment ransomware is seen as a very profitable, low-risk crime that is easy to execute. Finally, businesses are willing to pay the ransom to resume operations quickly, and the majority of attacks go unreported.
Since the start of the pandemic, ransomware attacks targeting academic, research, and healthcare institutions have ballooned. Increasingly, threat actors are coordinating their activities, and geopolitical players are organizing their efforts to attack specific entities based on a global agenda. The speed of attacks has also increased dramatically: malware can now encrypt systems or exfiltrate data in hours or minutes, where it used to take days or weeks.
What motivates attackers?
Whether it’s low-level cyber criminals looking to make a quick payday or nation states supporting attacks targeted at critical infrastructure and operational technology, ransomware has become big business. Large cybercrime organizations even have service desks for people to contact when they’ve been hit with ransomware. (Strange but true!)
Threat actors may be attempting to gain access to intellectual property, or to generate intelligence or profiles for future attacks. This is a particular concern for academic and government institutions, which hold a large repository of intellectual property, the brain trust of our country.
Critical government infrastructure can be highly vulnerable. While hospitals, government and other public sector organizations are advised not to pay the ransom, they may choose to do so to keep critical infrastructure operational, to protect intellectual property or private information, to protect their reputation or because they don’t have a backup.
Why zero trust technologies are crucial
Knowledge of vulnerabilities, exposures, and associated risks is critical for any organization when establishing threat prevention and detection controls. Without this knowledge, blind spots can be exploited by threat actors.
Steve Fraser, Director of Information Security & CISO at Carleton University, was a featured speaker at the IPAC event. He explained that universities use shared intelligence as a tool for protecting themselves from attack. Furthermore, IT leaders in the higher education sector meet regularly with the Canadian Centre for Cyber Security to receive updated threat intelligence and to improve knowledge and awareness in the area of cybersecurity.
Because many university students, staff, faculty, and researchers connect to the network, IT and security teams use sophisticated risk management techniques to determine what levels of security are needed for different types of data and activities.
Currently in the third year of its five-year IT modernization program, Carleton is ensuring zero trust technologies are foundational. As Steve explained, zero trust is a capability, not a tool or a single approach. A combination of processes and technology creates an end-to-end zero trust capability consisting of three core components:
- least privilege and segmentation, rather than an open approach
- continued verification after access is granted, with context-aware access to applications, data, APIs, and endpoints across the hybrid cloud environment
- automated monitoring and detection that enables fast detection of and response to threats
4 steps to reduce your risk of a ransomware attack
Whether the motivation is financial or geopolitical, consider how your organization would respond to a ransomware attack. What technologies or tools are in place to identify a breach? Do you have a communications plan, an incident response plan, and a roster of key decision makers in place?
Carleton’s Steve Fraser shared four key steps that can reduce your risk:
- Focus on prevention. Ransomware often enters the network through email or messaging. Unfortunately, younger generations have an inherent trust in email. Train them to think critically. Institute proactive protection tools such as email filtering, additional security controls to provide endpoint protection, 24x7 monitoring and response, and security awareness training for users.
- Understand your business data, its context and capabilities. Know where your “crown jewel” data and applications are stored, and ensure they are protected appropriately. Ensure your backups are sufficient, encrypted, stored in a safe location, and regularly tested. Find the gaps in your defenses so you can identify, track, and address vulnerabilities.
- Create a cybersecurity strategy. This must reflect your business needs and goals, your data type and location, and potential risk level. Establish key decision-makers at the senior level.
- Be prepared with a tested incident response plan. Conduct drills. Teach staff to question everything. Practice simulated phishing and ransomware attacks. Run exercises that test your responses, then update your response plan across all policies, processes, identified stakeholders, communications workflows, incident definitions and playbooks.
Be informed, be prepared, be ready
How can public sector IT leaders protect their organizations against a threat as pervasive as ransomware? With stakes at an all-time high, ensure decision-makers are up to speed, be prepared, and follow your plan. The more prepared you are and the faster you can respond, the more protected you will be.
Awareness has increased – but so have the consequences of being unprepared for a ransomware attack. It can take less than an hour from the onset of a ransomware attack to complete compromise of a network, so you need to be able to act swiftly and intelligently. Tap into the resources provided by the Canadian Centre for Cyber Security, which offers playbooks, tools, and information for both the management level and the technical level.
Bottom line: Ransomware attacks are a matter of “when” not “if.” Having an effective cybersecurity strategy in place is much more protective than “putting out fires” after the fact. IBM can help.
Philip Fodchuk, National Cyber Threat Management Leader, IBM Canada