Petya. WannaCry. Doxware. Ransomware news is going the way of baseball scores: check in every morning for a quick perusal of where things stand and find out who got hacked, how bad it was, and what game plan the hackers used. This ain’t baseball, however, and business and technology managers can’t afford to take a loss with a few swats on rear ends and a stoic “we’ll get ’em next time” attitude. If a hack is aggressive enough, there may not be a next time.
Like watching the Phillies this season, the state of ransomware isn’t pretty. What used to be considered an IT annoyance is now something we know is capable of roiling financial markets and threatening the very nature of how we live.
As reported by the Wall Street Journal, the Petya attack forced Maersk, the largest container ship operator on the planet, to halt operations around the globe, and French infrastructure company Saint-Gobain moved to manually performing many of its factory operations. We even know of security vulnerabilities in pacemakers and insulin pumps manufactured by Johnson & Johnson and St. Jude, respectively.
If there’s any good news out of all this, it’s that damage hasn’t been more widespread. Whether that’s because the malicious code is limited, or because organizations are getting better at limiting damage from hacking attempts, remains to be seen. But no one can deny what’s at stake. Hackers look for an opening, and once in, they take what they can grab. For an organization that has not taken the necessary precautions to protect itself, or for one that’s ignorant of the constant security and compliance state of its operation, a hacker can potentially have a field day with customer data and product services. And it’s not just access to data that is at stake; it’s also the ability to manipulate digital products and services, which can have an immediate and negative impact.
It comes as a constant surprise that these attacks wreak the havoc that they do. Whether it’s a failure of understanding on the part of executives about how to protect their assets, or just organizational inertia, there is clearly something missing in the approach to security and compliance.
Ransomware doesn’t need to be the new normal, and an enterprise doesn’t have to re-engineer the way it works just to prevent it. Achieving some sense of control over bad actors and their criminal intentions isn’t simple, and it requires a game plan. The approach looks like this:
- Instill and use security best practices across all areas of the organization: This is mostly about human behavior, but when the notion of security is baked into people, they become vigilant and aware, which are probably the two most important ingredients of thwarting attacks. Besides keeping bad actors out of their applications, enterprises should make it hard to get into their buildings and insist that employees use complex passwords. Screen protectors that limit visibility to prying eyes, rules about “no piggybacking” into the office… these are all aspects of a group that truly cares about what it does and acts in a way that supports that.
- Secure the cloud stack: All the benefits of the cloud… its agility, elasticity, scalability… all of this is built upon a flexible set of layers that make it a desirable solution for 21st-century enterprises. Inherent in that model are, by definition, multiple potential points of access that are best secured through behavioral requirements, policies, continuous monitoring, and automation of detection and remediation. By paying attention to the different pieces of the cloud stack and addressing their unique security needs with these preparations, your environment will be far more resistant to ransomware threats.
- Use a security and compliance platform to provide continuous monitoring and automation: You can’t manage what you don’t know. Enterprises have to progress beyond the security frameworks of the legacy systems that governed their on-premises environments if they want to truly protect their cloud environments. Even if you’ve secured all the layers of your cloud stack, unless you’re continuously monitoring it, you just don’t know where the potential risks are. Far too many organizations treat security as a one-and-done proposition, which could be a killer.
The great baseball impresario Bill Veeck once said, “Baseball is almost the only orderly thing in a very unorderly world.” There are times, indeed, when a public cloud mirrors the nine innings of the baseball universe: structured surface, layers of protection, and even crafty actors who focus on disruption (with names like slider or knuckleball). But the cloud can seem chaotic at times, and the way to address it is to apply an orderly framework; in this case, it’s a framework of security and compliance, one that doesn’t get called out of the dugout as needed, but goes the distance and protects your organization.