- Companies need to take affirmative steps to protect data and assess their ability to continue operations following a ransomware attack, according to a presentation at the Rubrik Data Security Summit.
- The No.1 question companies need to ask when defending against ransomware attacks is whether there are people in harm's way, Kevin Mandia, CEO of cybersecurity firm FireEye/Mandiant, said during the session. The calculus for an entity at a medical facility may be far different than the needs of a retailer or another type of company, Mandia said.
- No company wants to pay a ransom, but there is a calculation they must make as to what the impact of a shutdown will be on their business. As part of that calculation, companies need to assess whether they can operate without essential assets, using a stop-gap, duct tape method.
There are two key considerations companies need to make in preparation for a potential ransomware attack, Mandia said.
Companies need to assess how they can reduce the blast radius of an attack. This includes looking at authentication methods used to get into a corporate network, reducing the number of privileged accounts that have high-level access as well as network segmentation.
"If ransomware does break out, the blast radius is small," Mandia said.
Companies also need to consider resilience, which will help determine how fast they can recover. Companies need to know what assets matter, which assets they need, and how fast they can recover those assets to get the business back up and running, Mandia said. The calculus in many ways for recovering a company in a critical industry from a ransomware attack is similar to withstanding a natural disaster.
"There are some industries that just have to operate, even if machines are encrypted," Mandia said. "They've got to come up with a backstop to that."
Most companies are not quite at the level where they can fully understand their resilience. But Mandia is optimistic that sometime by later this year or 2022 companies will be better prepared to assess what key systems they need to protect and whether they can get them back up and running within hours in the face of an attack.
"It's an ongoing business practice we can leverage when developing incident response," Mandia said.
The discussion comes at a time when ransomware attacks and data breaches have reached a level of frequency and sophistication that exceeds the capacity of most enterprises to manage under normal circumstances.