Safeguarding Against Digital Threats

Preparing for Ransomware


    Summary

    In a world increasingly threatened by ransomware attacks, cybersecurity experts stress the importance of preparation. In a recent seminar, experts discussed the growing impact of ransomware on cities and hospitals, emphasizing the crucial steps necessary to protect against these potent threats. These entities have been reeling from the devastating effects of data encryption and demands for hefty payments, underscoring the need for advanced planning and robust security measures. As ransomware attacks become more frequent and destructive, there is an urgent need for businesses and institutions to adopt comprehensive strategies, including high-level email filtering, endpoint protection, and robust backup recovery plans. Through a combination of informed investment and strategic planning, organizations can better secure themselves against this looming digital menace.

      Highlights

      • The city of Wichita and a major hospital are grappling with recent ransomware attacks, highlighting the urgency of preparedness. 🚑
      • Webinars and detailed handouts are provided to help organizations build better defense mechanisms against ransomware. 🛡️
      • Ransomware often infiltrates systems via malicious email links, a reminder of the human element in cybersecurity. 📧
      • The average cost of a ransomware incident is $1.85 million, often causing business operations to stop for 22 days. 💸
      • Chubb's Cyber Risk Calculator offers a realistic assessment of potential financial risk from ransomware. 📊
      • Even comprehensive cyber insurance may not cover all losses if policy criteria, like having MFA, are not met. ⚠️
      • Robust backup strategies, including immutable backups, are vital to keeping data safe from ransomware deletion. 🗄️
      • Communication planning for all stakeholders is essential in mitigating the fallout from ransomware attacks. 📞

      Key Takeaways

      • Ransomware is a rising and relevant threat, affecting cities, hospitals, and various organizations across the state. 🚨
      • Paying ransom does not guarantee data recovery and could lead to the exposure of sensitive information on the dark web. 🚫
      • High-level email filtering and endpoint protection are crucial preventative measures. 🔒
      • Creating an effective backup recovery plan can save organizations from devastating financial losses. 💾
      • Understanding your cyber insurance policy's requirements is vital to ensure coverage during an incident. 📋
      • Developing a detailed incident response plan is crucial for swift action during ransomware attacks. 📈
      • Regular training and awareness can help minimize the risk of ransomware intrusion by human error. 🧠

      Overview

      Ransomware is a critical issue plaguing organizations today, affecting cities, hospitals, and other essential services. Recent incidents in Wichita, alongside global trends, show that no one is immune to these digital threats as encryption tactics evolve and ransom demands increase. As a result, cybersecurity experts are doubling down on the importance of proper preparation and of implementing stringent security protocols.

        During a recent cybersecurity webinar, experts shared insights and practical advice on protecting against ransomware. Emphasizing the need to secure buy-in from organizational leaders, they highlighted the cost-effectiveness of proactive measures over reactive responses. Key strategies include implementing sophisticated email filtering and endpoint protection systems that can identify and neutralize threats before they infiltrate networks.

          Effective ransomware preparedness requires a combination of robust backup solutions and comprehensive cyber insurance policies tailored to meet stringent requirements. Organizations must also develop detailed incident response plans and ensure staff are trained to recognize and avoid potential threats. Through these vigilant tactics, entities can mitigate the financial and operational impacts of ransomware, ensuring resilience against future attacks.
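
A backup plan can be checked mechanically against the criteria the webinar gives for it: three copies on two kinds of media with one offsite, an immutable copy, no writable backup left attached to the computer, and regular restore tests. The Python audit below is an added example, not material from the webinar or its handout; the inventory records, field names and the 90-day restore-test window are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class DataCopy:
    """One copy of the organization's data (hypothetical inventory record)."""
    name: str
    media: str                      # kind of storage, e.g. "server-disk", "usb-disk"
    production: bool = False        # True for the live data set itself
    offsite: bool = False           # stored away from the organization, e.g. cloud
    immutable: bool = False         # cannot be changed or deleted once written
    always_attached: bool = False   # permanently connected to production machines
    last_restore_test: Optional[date] = None


def audit(copies: List[DataCopy], today: date,
          max_test_age_days: int = 90) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means every check passed.

    The 90-day window is an assumption: the webinar only says backups must be
    tested regularly. The production data is counted as one of the three copies.
    """
    findings: List[Tuple[str, str]] = []
    backups = [c for c in copies if not c.production]

    # 3-2-1: three copies, two kinds of media, one copy offsite.
    if len(copies) < 3:
        findings.append(("COPIES", f"only {len(copies)} copies of the data, 3 required"))
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(("MEDIA", f"only {len(media)} kind of media, 2 required"))
    if not any(c.offsite for c in backups):
        findings.append(("OFFSITE", "no backup is stored offsite"))

    # Ransomware tries to delete or infect backups, so one must be immutable.
    if not any(c.immutable for c in backups):
        findings.append(("IMMUTABLE", "no backup is immutable"))

    for c in backups:
        # A writable backup left connected to the computer is deleted with it.
        if c.always_attached and not c.immutable:
            findings.append(("ATTACHED", f"{c.name}: always attached and writable"))
        # A backup counts only if a restore from it has been shown to work.
        if c.last_restore_test is None:
            findings.append(("UNTESTED", f"{c.name}: restore never tested"))
        else:
            age = (today - c.last_restore_test).days
            if age > max_test_age_days:
                findings.append(("STALE_TEST", f"{c.name}: last restore test {age} days ago"))
    return findings


def codes(findings: List[Tuple[str, str]]) -> List[str]:
    """Just the finding codes, in the order the checks ran."""
    return [code for code, _ in findings]


# Constructed sample inventories (not real systems).
TODAY = date(2024, 5, 15)

WEAK_PLAN = [
    DataCopy("file-server", "server-disk", production=True),
    DataCopy("usb-drive", "usb-disk", always_attached=True),
]

GOOD_PLAN = [
    DataCopy("file-server", "server-disk", production=True),
    DataCopy("rotated-disk", "usb-disk", last_restore_test=date(2024, 4, 20)),
    DataCopy("cloud-vault", "cloud-object", offsite=True, immutable=True,
             always_attached=True, last_restore_test=date(2024, 3, 1)),
]

if __name__ == "__main__":
    for label, plan in (("weak plan", WEAK_PLAN), ("good plan", GOOD_PLAN)):
        results = audit(plan, TODAY)
        print(f"{label}: {len(results)} finding(s)")
        for code, message in results:
            print(f"  [{code}] {message}")
```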

            Chapters

            • 00:00 - 01:00: Introduction to Ransomware. The chapter introduces the topic of ransomware, highlighting its current relevance and impact. The speaker sets the stage for a seminar on ransomware, noting personal conversations and recent news involving ransomware attacks on Wichita and a major hospital, as well as other organizations within the state. This introduction serves to underline the widespread nature and severity of ransomware threats.
            • 01:00 - 05:00: Understanding Ransomware. This chapter, titled 'Understanding Ransomware,' covers the essential measures needed to protect against ransomware attacks and prepare for potential threats. It informs the audience that the session is recorded, and links will be provided for accessing the recording. Furthermore, participants will receive a presentation or handout containing detailed notes through email. The chapter emphasizes the importance of understanding ransomware and being prepared.
            • 05:00 - 09:00: Impact of Ransomware. The webinar is structured to last around 20 minutes, followed by a 10-minute Q&A session. Participants are encouraged to use the Q&A box to submit questions throughout the event, which will be monitored and addressed toward the end. The session begins with an introduction to the topic of ransomware.
            • 09:00 - 15:00: Preparing for Ransomware: Executive Buy-in. The chapter opens by raising the essential question: What exactly is ransomware? This question is crucial for setting the stage for understanding the topic. It is defined as a type of malware that encrypts files and demands a payment to restore access. The misconception that merely paying the ransom will solve the issue is highlighted as a common misunderstanding.
            • 15:00 - 20:00: Preparing the Network. The chapter 'Preparing the Network' discusses the challenges of dealing with data theft, particularly focusing on the issue of paying ransoms to data thieves. It highlights two main problems: first, the unreliability of receiving a valid decryptor key after payment, as some instances report receiving a faulty decryptor key or none at all even after paying substantial amounts. Second, it raises the issue of data theft where thieves might have already downloaded sensitive data, making the ransom payment less effective.
            • 20:00 - 26:00: Backup and Recovery Plan. The chapter focuses on the implications and challenges of dealing with a ransomware attack. It discusses how paying the ransom does not guarantee that your data is safe from being sold on the dark web. Even after decryption, there's a risk of having exposed sensitive client information, which can be accessed by malicious entities. Additionally, the transcript highlights a recent incident where a vendor was also hit by an attack, underscoring the widespread threat and critical importance of having a robust backup and recovery plan.
            • 26:00 - 31:00: Cyber Insurance. The chapter titled 'Cyber Insurance' discusses ransomware, emphasizing the significance of the human element in its propagation. It highlights that ransomware often infiltrates systems when users click on malicious links in emails or visit unsafe websites. The chapter suggests that educating users about these common entry points can help mitigate ransomware risks.
            • 31:00 - 38:00: Incident Response Plan. The chapter titled 'Incident Response Plan' discusses the risks and implications of ransomware attacks that often occur due to user actions, such as clicking on malicious ads on websites like Facebook. It highlights the importance of understanding user behavior and the prevalence of these incidents, with references to relevant statistics. The transcript suggests a further discussion on user actions in the context of incident response.
            • 38:00 - 43:00: Resources and Closing Remarks. The closing chapter highlights the significant financial impact of ransomware incidents, citing that the average cost is $1.85 million per incident. Additionally, such attacks typically result in businesses being non-operational for an average of 22 days, underscoring the critical importance of cybersecurity measures to mitigate these risks.

            Preparing for Ransomware Transcription

            • 00:00 - 00:30 good morning and Welcome to our seminar on preparing for ransomware I was talking to my wife about this this morning that we was going to do a seminar on ransomware and she kind of laughed and said you couldn't have picked a more relevant topic if you've been watching the news you've seen where the city of Wichita is struggling with ransomware right now you may have also seen where a major Hospital in the area is likewise struggling with ransomware and then there's lots of other organizations around the state who have also been fighting The Scourge so if we're talking about ransomware what in
            • 00:30 - 01:00 the world do we need to do to protect from it and how can we help ourselves be ready now a couple of housekeeping thing before we get into the webinar this morning first off this is recorded and there will be uh links sent out about how you can see the recording and get that likewise most of the notes that are here are compiled into a presentation or into a handout which you will be receiving in an email shortly after this is over also so there's a lot to go over
            • 01:00 - 01:30 our goal is to make this about a 20 minute webinar and then to leave a about 10 minutes at the end for questions if you have questions during the event feel free to use the Q&A box up at the top sha is going to be monitoring the Q&A box for us and helping run that so as different questions come up feel free to go ahead and type those in and we'll go ahead and take a look at those as we come down closer to the end of the webinar but let's start out if we're talking about ransomware this morning
            • 01:30 - 02:00 probably the first question that all of us need to set back and begin with is the question what exactly is ransomware well ransomware goes by a couple of different definitions but here's what we're going to use for our purposes this morning that ransomware is going to be a type of malware that encrypts files and then demands a payment to restore access a lot of people are under the mistaken thought that if you simply pay the ransom
            • 02:00 - 02:30 you'll get all your stuff back but there's two problems with that number one can we really trust a thief and so there have been lots of cases where people have paid the ransom and then either received a bad decryptor key or no decryptor key at all or something like that so even though they paid maybe multiple millions of dollars they were still unable to restore their data the second problem with that is that if your Thief has downloaded a bunch of data uh
            • 02:30 - 03:00 as part of the ransom they will likely go ahead and sell that on the dark web or make it available anyhow so even though you paid the ransom and even if you got your data decrypted you can't guarantee that you actually protected at all you may have exposed hundreds or even thousands of clients and have all their information out there available on the dark web because of what happened to you it was interesting we received notice just this morning from a vendor that they too had been hit by an attack
            • 03:00 - 03:30 like this and notifying us that their data was out on the dark web and stuff the second thing we're going to say about what ransomware is though is that it often comes by clicking a link in a bad email or on a bad website ransomware is one of those unique things where the human element is really important and so if we can get our users to understand how ransomware comes in most often through a bad email or by by surfing
            • 03:30 - 04:00 someplace on their work computers Facebook who knows where else clicking on an ad those often can download ransomware too and so we're talking about stuff that often comes as a result of some action that a user does we'll come back to that topic in just a few minutes but also when we talk about what ransomware is it's interesting to note that as you look at statistics and these statistics are going to come from the URL the is at the bottom of your slide
            • 04:00 - 04:30 from Varonis when you look at statistics right now the average cost for a ransomware incident is $1.85 million I don't know about you but that would more than break my budget personally 1.85 million that put us we couldn't handle it and on top of that the average cost being 1.85 million per incident also the average ransomware incident leads to a business being down for an average of 22 days
            • 04:30 - 05:00 now just think through your organization if you were down and had no income and no business for 22 days could you survive what would happen would you be able to recover interestingly enough there are a lot of companies that are hit by ransomware a lot of businesses that are never able to recover just because of these costs like that so as we begin we're talking about something that has a really major potential impact for your organization
            • 05:00 - 05:30 something that could honestly damage your organization almost irreparably so if we know that that's there and we know that this risk exists how do we go about preparing to preparing for it so that we can avoid it or so that we can manage it in some way what do we do I'm going to present five steps these are the major five that that I see as I've talked with people and worked with them the first thing to
            • 05:30 - 06:00 understand when we talk about preparing for ransomware is that this is going to be a risk that your board or your Chief Executives have to buy into and they have to buy into it because the cost for preparing to defend against it is far less than the cost of trying to walk through the incident so for example if we're talking about an incident with an average cost of 1.85 million if we're talking about a type of risk where the average business businesses down for 22
            • 06:00 - 06:30 days those are topics that your board or your executive should know those are statistics that your board executive should understand so that as they think about do we spend money on ransomware Preparation or not they can understand that this is the risk we're talking about another stat that I did not put in because I couldn't find the definitive background for today but I've seen data that shows that in any given year you've
            • 06:30 - 07:00 got between a 20 and 25% chance of getting hit by ransomware so if you take that 1.85 million cost and you amortize it across a potential risk of five years you can see that your potential per year risk is $400,000 roughly that's something that your board Executives should look at and if your Co risk cost is $400,000 and yet you're only going to spend 15,000 10,000 whatever to prepare
            • 07:00 - 07:30 for it that's pretty good return on investment for a person to have these numbers are also made more real when you use certain tools that are out there one that I like to help show the risk that an organization faces is from the Chubb cyber index and using the Chubb cyber index cyber risk calculator I'd like to take just a minute to demo this for you so that you can see how this works so let me take just a minute to get my screen being shifted around here on this
            • 07:30 - 08:00 um okay Chubb cyber risk calculator okay so this comes from the Chubb Insurance Group and they're a major cyber Insurance Risk Management Group uh that's who we ourselves have our insurance through and others students and so when you look at the Chubb cyber
            • 08:00 - 08:30 index they let you calculate in the real-time method what your potential risk is so let's go ahead and take a look at this we're going to go ahead and hit enter agree to the terms we're going to choose cyber risk calculator over here on the left and when we choose the Cyber risk calculator it gives us say it allows us to walk down through our industry and just figure out a little bit so since um there was a major healthcare organization hit by ransomware in
            • 08:30 - 09:00 Wichita yesterday let's choose that just for fun and let's say that we're going to say that um we'll just pick some kind of a health care facility we'll leave it like that and let's say that we've got an average revenue this is going to be small for a lot of them let's say 10 mil all right and if we're a health care facility let's say we've got number of patient records um 5,000 I know that's probably small but that's use that so if
            • 09:00 - 09:30 I update my calculation on those parameters Chubb estimates that our average risk for that is going to be roughly 2 and a half million now the interesting thing about that 2 and a half million is that that does not actually include all of the costs that you may end up happening but notice at the bottom it shows your business Interruption cost not all cyber insurance policies cover business Interruption um we've had the opportunity to look at a whole bunch of them over the last year and that's not been in everything that is there so
            • 09:30 - 10:00 that's a tool that is pretty helpful and it can help you as you make your case before your Executives or your board whichever you have as you talk about what the risk is and how you're going to go ahead and try to prepare and get ready for so let's come back to our discussion then so if we can use the Cyber Risk Index I'm sorry we can use the chiber Chubb cyber risk index calculator to help us get an idea of
            • 10:00 - 10:30 what's going on and what our potential risk is and I personally think that's a very good tool but as you're looking at Cyber Insurance a lot of organizations think well I have cyber insurance that will cover everything that I have to do if I get hit by ransomware that's not true cyber Insurance often only covers a portion of the cost and that comes from a couple of different ways sometimes it comes because cyber Insurance maybe you wrote it for a million dollars and your total cost cost come out to be 10 mil
            • 10:30 - 11:00 sometimes cyber insurance only covers a portion because you've got all these deductibles that are in there sometimes a person or an organization doesn't go through all the right steps that insurance wants and so because of that insurance won't go ahead and cover the entire costs that are there but there's also another reason which I I see a lot of times cyber Insurance may not cover everything because they may have their own requirements depending on your policy some of your cyber policies may
            • 11:00 - 11:30 have certain requirements that you have to have things like multifactor authentication or things about guaranteed backups and certain things and if you have not met those prerequisites for your cyber insurance policy it is quite likely that insurance will use that as a reason for not to pay so as we prepare for ransomware step number one we need to get board and executive Buy in before we're going to do this but step number two as we
            • 11:30 - 12:00 prepare for cyber insurance we need to prepare our Network now I'm assuming as we go through this that your organization is doing regular updates okay that you're updating your windows your Mac your Android devices your firewalls have current signatures all those kinds of things I'm assuming that base is there if that's not that's the absolute first thing you need to do even though it's not listed on the slide here but because ransomware often comes in
            • 12:00 - 12:30 either through email or through clicking on a bad link on a website one of the first things we need to do is to implement high-level email filtering and URL scanning now I fully realize everybody likes cheap okay I fully realize everybody likes cheap and when we talk about email everybody likes cheap email I understand that completely but what most people don't understand is that cheap comes with a very expensive cost
            • 12:30 - 13:00 and in this case the very expensive cost is if you're getting cheap email filtering that means a cheap email service that means they're not going through the steps to filter your emails for URLs that are bad to scan for inspected infected attachments or to do any of those things to protect you and yet because email is your number one vector by which ransomware enters your organization if you're going to say we want cheap email and yet that is the
            • 13:00 - 13:30 highest risk factor that's a pretty expensive cheap email service that you've got so as we talk about preparing our Network against ransomware first thing we're going to talk about is implementing email protection with URL scanning and infected attachments yes it costs more no it is not free but yes it is worth the money the second thing we're going to talk about there is that we also Implement high level endpoint protection so by endpoints we're talking
            • 13:30 - 14:00 about your Windows computers or your Mac's computers or your Androids those that are out there that your people use that you use once again everybody likes free and so it's not uncommon for us to see organizations that want to use free antivirus or cheap antivirus well there's a couple of problems first off free antivirus almost always I've never seen this happen otherwise every free antivirus license
            • 14:00 - 14:30 terms I've ever looked at always says that free is not available for use in businesses number one issue but number two issue free is not going to have all your most current protections and all your most current stuff so yes does it cost more but yes is it worth it we use Windows Defender Advanced threat protection they recently rebranded that but that's our go-to for implementing higher security if you want to talk about that more drop me a note when the webinar is over and we can freely chat
            • 14:30 - 15:00 about that but besides implementing email filtering high level endpoint protection the third thing is we prepare our network is to implement policies and procedures to keep staff off sketchy websites it is okay to implement staff policy that says you can't use your work computer to go surfing Etc it is okay to use your firewall to implement content filtering policies so that all sorts of different sites aren't allowed to be accessed on your business now Network
            • 15:00 - 15:30 because we talked about how email being the number one entry point for ransomware but the number two entry point is clicking clicking on links on sketchy websites or ads so as we talk about preparing our Network we Implement policies and procedures to protect everybody from clicking on sketchy stuff like that number three the third most important thing we can do is we prepare for ransomware is that we can create a backup recovery plan that we know works
            • 15:30 - 16:00 when I talk about that that really includes four phases that we're going to develop it or plan what we want that we're going to turn around and implement the backup plan and then we're going to test to be sure that what we think we backed up really can be recoverable um seen cases where people thought they were backing up a complete system and discovered that a folder or a set of files were unavailable didn't get included in the backup seeing things
            • 16:00 - 16:30 where the backups were being made only to discover when they tried to restore that the removable media was no longer good and so no longer had data that could be recovered so as we develop it and we implement it and then we test to be sure we can recover we need to then monitor that backup recovery plan software fails updates make things break and so we have to constantly watch this stuff to be sure that that the backups
            • 16:30 - 17:00 that we're making are indeed doing what we think they should do and that they are indeed running regularly but also when we make backups we need to follow the current 321 backup standard the current 321 backup standard says that we're going to have three copies of our data now I know I've talked to people think that's an awful lot of copies why should we need it and believe me I've seen time many times when the primary backup wasn't available a secondary backup copy saved our bacon okay so we
            • 17:00 - 17:30 make three different copies of our data in places but on that three different copies of data we use at least two different media a lot of people don't realize that removable media like flash drives or removable disc they have a limited lifespan so you need at least two different kinds of media maybe a hard drive someplace and a backup or whatever and along with that at least one of those media should be in the cloud so it's offsite so that it is away from from your organization reason is a lot
            • 17:30 - 18:00 of your ransomware now goes around and tries to delete your backups so if you're leaving your removable Drive always attached to your computer you can almost guarantee that when ransomware hits it's going to delete your removable the data on your removable drive because it's attached to your computer so sticking one in the cloud gives us that air gap if you will that protection but along with that air gap protection we also want to use use what's called immutable backups immutable means it
            • 18:00 - 18:30 can't be changed this is kind of a a newer option that's available and if you want to talk about backups more and how to use immutable give us a holler our team would be happy to help you out on that but by writing data to your mutable backups you're guaranteeing that ransomware is able to a get in there and delete the stuff or B infect the backups with ransomware again so that it just recovers when you restore so mutable
            • 18:30 - 19:00 backups are definitely worth the money and worth the effort then once you get your plan everything created you're going to regularly test your backups so that you know what you've got is working like you think fourth step as we prepare for ransomware is to take a look at our cyber insurance now we've seen all kinds of cyber insurance policies out there some policies basically say we cover and have really no specifications some policies have really really low coverage
            • 19:00 - 19:30 amounts what they get in there and I understand that everybody wants cheap cyber insurance I know that but once again this is one of those cases where you get what you pay for so if you buy really cheap cyber Insurance you probably are getting what you pay for couple of things that I would encourage you to look for as we think about cyber insurance is that number one I would want you to know if your cyber insurance has certain Network requirements you have to maintain I understand reading
            • 19:30 - 20:00 through the fine print can get tedious I know that but if your cyber insurance has certain requirements like I've seen policies that require you to use MFA on everything if you've got policies that have certain requirements and you're not meeting those you can guarantee that they're not going to cover you when you come to an event and a situation so know if your network if your cyber insurance policy has Network requirements likewise take a look at your cyber
            • 20:00 - 20:30 policy sometimes your cyber policies uh Chubb would be one of them that we just talked about sometimes your cyber policies your insurer will offer resources at cheap or discounted rates to help you stay safe it's in their interest to negotiate good rates so that you can use these tools so I would contact your carrier and see exactly what they have and then the third thing I would ask with regard to cyber insurance is that I would understand
            • 20:30 - 21:00 what my requirements are in the event of an incident most of your cyber policies have a requirement that if you are if you are hit by an incident that you have to cut contact them first and then they basically manage the recovery process so I've seen places where people got hit by ransomware where they in all good faith tried to go through things themselves to make the recovery and then because they hadn't contacted their insurance first their insurance carrier
            • 21:00 - 21:30 either a greatly reduced what they would pay out to help that or B wouldn't pay anything out at all so my recommendation is that in a cyber incident stabilize the system that may be as simple as pulling the plug so the ransomware is locked do whatever stabilize and then contact your carrier and follow their guidance for Recovery um our cyber Insurance our organization is through Chubb and they state plainly in their policy that if we use policies and
            • 21:30 - 22:00 practices outside of what they have if I remember right it cuts their help by 50% Cuts their payback by 50% so it's worth it to know what your what your policy states fifth thing last I would develop a plan I would encourage every company to develop a plan and that plan involves how you're going to recover that includes assigning responsibilities like who's going to be responsible for for various things to get to to get stuff in
            • 22:00 - 22:30 place to make it work contacting the insurance company contacting whatever legal you have any of those different things in your incident response plan but along with that what a lot of times people Miss in the incident response plan is that you need to know how to procure new hardware there was a cyber incident within the past month here in the state of Kansas where the rant the malware that hit actually destroyed the hardware and so this massive Public Safety
            • 22:30 - 23:00 organization had to bring on in all new servers and hardware and rebuild this whole system from scratch all the way up that took time to get new Hardware in and new stuff in and if your organization is using some kind of equipment like some OT equipment for example that may be older and hard to replace or PLCs or a special version of Windows you know Thousand and One things know how you're going to handle those
            • 23:00 - 23:30 particular uniquenesses so that you can make make plans to recover your processes we've already talked about this to understand your cyber Insurance processes as they want you they want to be involved in helping you recover but what a lot of people Miss also is that you need to know your legal responsibilities if you're under some kind of guidelines everything from the FTC Safeguard rules to um to notification laws from various States if
            • 23:30 - 24:00 you're in one state but you've got customer records from a different state that puts you under their responsibilities all of these things may come into play as you prepare for recovery and how you're going to work and so along with that you need to begin planning your Communications to all of your stakeholders everything from your customers are going to want to know how in the world do they pay their bills now that your systems are down to to um media that wants to know how many
            • 24:00 - 24:30 records were were released and how bad things were and how long it's going to take to recover and you know all these things can take a lot of time uh just look at the Kansas judicial system and how many months that whole process has been ongoing so there's a lot going on now I've got something for you if you were on this webinar you're going to receive an email shortly that's going to have a copy of this document with you
            • 24:30 - 25:00 basically it covers most of the points that we had if you're watching this webinar on YouTube you'll find the link in the uh information box below on how you likewise can get a copy of this handout and you may find that this as useful as you plan and as you help make your case before your leadership teams on why and how you should prepare for ransomware now I'm sure there's some questions if you have questions feel free to type them into the question and
            • 25:00 - 25:30 answer box there on teams there's going to be a webinar replay available coming out an email to you guys that were on live it will be posted shortly to our practical cyber security YouTube channel you can get that there the summary handout will be available at this link that you see and likewise you guys live are going to find it if there are any questions our phone number email contact web access that we'd love to hear any questions and be able to help you out if there was anything came to your mind okay so as we talked through this I
            • 25:30 - 26:00 know this is a huge topic for all of us to consider does anybody have any questions or any comments about this as we brought it that you'd like to add into the Q&A box any thoughts now it's your time guys okay well then for every one of you that attended I want to thank you very much for being here this morning we're going to be off offering these webinars on a monthly basis for free feel free to
            • 26:00 - 26:30 yes Shauna just put into the chat box and typed in a note about please put your questions here Karen thank you very much I'm glad you found the I'm glad you found the webinar very helpful if we can help you out as all as you prepare for ransomware give us a shout you've got our contact information there and for all of you that were on thank you very much for attending I really appreciate you taking the time all right goodbye