Ransomware risk management (RRM) is an important effort in our current business climate. The following link takes you to an article on the subject to Data Breach Today that provides a roadmap for RRM.
The article states that RRM begins with “Determining where your vulnerabilities are and fixing them – and implementing attack-pathway countermeasures such as anti-phishing technologies – are components of an ongoing process requirement for continually improving cybersecurity hygiene. Slapping some software in place and scheduling a few classes is not going to prevent a ransomware attack. To mount an effective cyber defense, you will have to engage and commit your entire enterprise to a mission.”
One quote I particularly liked – “The advertising budget for 2019 for just the Atlanta City Council, not the entire city, was $103,000. Do you think the city could shave 25 percent off their city council PR campaign to get this done? Ironically, all of the advertising and PR in the world will not help the city council’s image now.”
The article covers
- Ransomware as a service
- Performing a PEN test to uncover vulnerabilities (Or in our case it would be a vulnerability assessment without the red-team for less $$)
- Security Awareness
- Encouraging use of an MSSP
And then a list of to do’s
- Backup locally and the cloud
- Segment your network access
- Use least privilege
- Implement detection systems
- Use anti-ransomware software
- Train employees
- Strong passwords
- Use email filters and blocking
- Manage vulnerable plugins like java and flash
- Buy cyber insurance
- Don’t pay the ransom unless your insurance covers it
This article also goes on to state that small businesses should expect to pay $35,000-$110,000/year for all of this.
“Using a risk-adjusted cost of future events formula to determine whether to spend money on preventive measures, buy insurance – or do nothing at all – usually yields rational results. For example, the risk-adjusted cost of a fire (high cost, reasonable likelihood) makes it cost-effective to buy a fire insurance policy. Calculating the risk-adjusted cost of ransomware will determine if it’s worth investing in prevention.”
Director of Security Services
Mainstream Technologies Inc.