Building Cyber Resilience Against Ransomware

Timothy Smit
Sr. Global Privacy and Cyber Security Risk Leader, Lockton Companies

Timothy develops long-range strategies that direct clients on how to use their data effectively and responsibly. He focuses on privacy compliance, data protection, and the use of or introduction to digital technology. He assists in identifying data privacy risks, operational risk, and process improvements, and in conducting data flow mapping exercises. Timothy conducts risk assessments and develops strategic solutions for managing those risks, along with building incident response programs and plans to improve operational resiliency to a cyber or privacy event.

Over the past six months, ransomware attacks have increased sharply; some reports put the figure at a 700% increase since March 2020. (1)

Adding to the complexity of the ransomware problem, on October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory regarding potential sanctions for facilitating ransom payments. That same day, the Financial Crimes Enforcement Network (FinCEN) issued an advisory on ransomware and the use of financial systems to facilitate payment. Our summary of the advisories and attendant issues can be found here.

Given that ransom payments may no longer be a viable option, or at a minimum that paying a ransom to threat actors may be more difficult, organizations need to focus on preventing, identifying, responding to, and recovering from attacks. Those four activities form the foundation of becoming resilient to ransomware.

What can organizations do to minimize their risks of ransomware attacks?

On September 23, 2020, the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-53, Revision 5, entitled Security and Privacy Controls for Information Systems and Organizations. The SP contains 20 security and privacy control families. While we do not address all 20 control families, we highlight several prioritized, focused controls that organizations should consider and potentially implement from a ransomware loss-control perspective.

The controls below also map to questions insurance carriers are starting to ask in their cyber applications to understand which proactive controls your organization has implemented, which may make you a better risk in their eyes.

With more people working remotely, the number of endpoint devices organizations must manage and protect continues to grow. Following the cyber kill chain model (2), here are a few ways to help your organization protect itself.

Identifying and containing an incident quickly is critical. According to the 2020 Ponemon Institute Cost of a Data Breach Report (3), the average time to identify and contain an incident was 280 days. That number has risen because workforce members working remotely do not necessarily identify or report an incident to their organization.

Implementing tools that protect your workforce and their endpoint devices, that is, endpoint and device protection and response, is where we will begin.

Training & Education

Implement recurring security training for your workforce, delivered on their primary means of communication (desktops, laptops, mobile devices, or smartphones). Focused training delivered on those devices will help your workforce recognize phishing attempts on the tools they use most.

One of the most common ways ransomware is launched within organizations is through a phishing attack.

Train and encourage your workforce to report anything suspicious in real time. Your incident response team needs that information as soon as feasible to confirm the integrity of your systems and to begin investigating how and where an infiltration attempt originated, so it can respond immediately and potentially eliminate the possibility of further attempts.

Technical Controls

Several technical endpoint protection controls that reduce the likelihood of your organization succumbing to a targeted attack include:

  • prescreening links in emails,
  • scanning files for exploits, and
  • stripping and detonating attachments.

If malware circumvents the controls already in place, these controls protect your organization by identifying the infected files and attachments and speeding up your response, allowing you to contain incidents sooner and decreasing the probability of infected files cascading and propagating throughout your network, both internally and externally.
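The first and third controls in the list above (prescreening links, stripping attachments) can be illustrated with a small mail-gateway check. The following Python script is an added example written for this page, not code from the article or from Lockton; the blocklist, the list of held-back extensions and the sample message are all constructed, and in production the blocklist would come from a threat-intelligence or URL-reputation feed and the held-back attachments would go to a sandbox for detonation rather than simply being listed.

```python
import os
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed blocklist of link domains; stands in for a threat-intel feed or
# URL-reputation service (assumption: such a feed exists in production).
BLOCKED_DOMAINS = {"phish.example.net", "malicious.example"}

# Attachment extensions a strip-and-detonate gateway would hold back rather
# than deliver directly (assumption; tune to the organization's policy).
STRIPPED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso"}

# First bytes of a Windows PE executable: catches an .exe renamed to .pdf.
PE_MAGIC = b"MZ"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def build_sample_email() -> EmailMessage:
    """Constructed phishing-style message used as sample input (not real mail)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "accounts@phish.example.net"
    msg["To"] = "alice@corp.example"
    msg["Subject"] = "Invoice overdue"
    msg.set_content(
        "Please review the invoice at\n"
        "http://phish.example.net/login\n"
        "Our product catalogue is at https://www.example.com/docs\n"
    )
    # Renamed executable: the extension looks harmless, the magic bytes do not.
    msg.add_attachment(b"MZ\x90\x00constructed-pe-stub", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    # Benign-looking document that passes the checks below.
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg


def prescreen(msg: EmailMessage) -> dict:
    """Inspect links and attachments; return findings and a delivery verdict."""
    findings = {"urls": [], "blocked_urls": [], "stripped": [], "verdict": "deliver"}
    for part in msg.walk():
        if part.is_attachment():
            name = part.get_filename() or "(unnamed)"
            data = part.get_payload(decode=True) or b""
            ext = os.path.splitext(name)[1].lower()
            if ext in STRIPPED_EXTENSIONS or data.startswith(PE_MAGIC):
                # Hold the attachment back for sandbox detonation / analyst review.
                findings["stripped"].append(name)
        elif part.get_content_type() == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                findings["urls"].append(url)
                host = (urlparse(url).hostname or "").lower()
                if host in BLOCKED_DOMAINS:
                    findings["blocked_urls"].append(url)
    if findings["blocked_urls"] or findings["stripped"]:
        findings["verdict"] = "quarantine"
    return findings


if __name__ == "__main__":
    print(prescreen(build_sample_email()))
```

The magic-byte check matters more than the extension check: an attacker controls the file name, but a Windows executable still has to start with `MZ` to run, so the renamed `invoice.pdf` is held back while the genuine PDF is delivered.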

Segmentation of networks. This control limits malware from cascading across your entire organization and so reduces the potential business interruption impact on your organization.

Implementing configuration management, a patch management program, and intrusion detection and prevention systems that alert your security operations center (SOC) provides a quick reaction force to engage and contain abnormal activity before it becomes a larger issue.

Vulnerabilities exploited by a threat actor leave a digital footprint within your networks; that footprint should be captured, investigated, and responded to where needed. Those efforts are improved by implementing security event logging, applying threat intelligence to the logged events, analyzing the behaviors captured, and responding to the resulting incidents, which helps prevent catastrophic losses to your organization.
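The paragraph above names three steps: collect event logs, match them against threat intelligence, and analyze behavior. The Python below is an added example written for this page, not code from the article or from Lockton, that runs both kinds of detection over a handful of constructed endpoint log lines. The indicators (one IP from the RFC 5737 documentation range and one placeholder SHA-256), the key=value log format and the rename threshold are all assumptions; a real SOC would take the indicators from its threat-intel feed and tune the threshold to the estate.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed indicators of compromise; stands in for a threat-intel feed
# consumed by the SOC (assumption). The IP is from the RFC 5737 test range.
BAD_HASH = "c0ffee" * 10 + "beef"            # 64 hex chars, constructed placeholder
IOC_IPS = {"198.51.100.7"}
IOC_SHA256 = {BAD_HASH}

# Behavioral rule: this many file renames on one host inside the window is
# treated as mass encryption, whatever the malware's hash (thresholds assumed).
RENAME_THRESHOLD = 5
RENAME_WINDOW = timedelta(seconds=60)

# Constructed endpoint telemetry in key=value form (sample input, not real logs).
SAMPLE_LOGS = [
    r"2020-10-05T08:00:01Z host=ws-03 user=bob event=net_connect dst=192.0.2.10",
    r"2020-10-05T08:00:04Z host=ws-17 user=alice event=process_start image=C:\Users\alice\invoice.exe sha256=" + BAD_HASH,
    r"2020-10-05T08:00:05Z host=ws-17 user=alice event=net_connect dst=198.51.100.7",
    r"2020-10-05T08:00:06Z host=ws-17 user=alice event=file_rename path=C:\Share\q3.xlsx.locked",
    r"2020-10-05T08:00:07Z host=ws-17 user=alice event=file_rename path=C:\Share\q4.xlsx.locked",
    r"2020-10-05T08:00:08Z host=ws-17 user=alice event=file_rename path=C:\Share\plan.docx.locked",
    r"2020-10-05T08:00:09Z host=ws-17 user=alice event=file_rename path=C:\Share\board.pptx.locked",
    r"2020-10-05T08:00:10Z host=ws-17 user=alice event=file_rename path=C:\Share\payroll.csv.locked",
    r"2020-10-05T08:00:11Z host=ws-17 user=alice event=file_rename path=C:\Share\notes.txt.locked",
    r"2020-10-05T08:00:20Z host=ws-03 user=bob event=file_rename path=C:\Users\bob\draft-v2.docx",
]


def parse(line: str) -> dict:
    """Turn one 'timestamp k=v k=v ...' line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(lines) -> list:
    """Return alerts from IOC matching plus a sliding-window rename rule."""
    alerts = []
    recent_renames = defaultdict(deque)   # host -> rename timestamps inside the window
    already_flagged = set()               # hosts that already raised mass_rename
    for rec in map(parse, lines):
        host, event = rec["host"], rec.get("event")
        if event == "process_start" and rec.get("sha256") in IOC_SHA256:
            alerts.append({"rule": "ioc_hash", "host": host, "ts": rec["ts"],
                           "detail": f"known-bad binary {rec.get('image')}"})
        if event == "net_connect" and rec.get("dst") in IOC_IPS:
            alerts.append({"rule": "ioc_ip", "host": host, "ts": rec["ts"],
                           "detail": f"outbound connection to {rec['dst']}"})
        if event == "file_rename":
            window = recent_renames[host]
            window.append(rec["ts"])
            while rec["ts"] - window[0] > RENAME_WINDOW:   # drop events outside the window
                window.popleft()
            if len(window) >= RENAME_THRESHOLD and host not in already_flagged:
                already_flagged.add(host)
                alerts.append({"rule": "mass_rename", "host": host, "ts": rec["ts"],
                               "detail": f"{len(window)} renames within {RENAME_WINDOW.seconds}s"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert["ts"].isoformat(), alert["rule"], alert["host"], alert["detail"])
```

The two detection styles complement each other: the IOC rules fire immediately but only for indicators already known, while the rename rule fires on the behavior itself (five renames inside sixty seconds on one host) and would still catch a variant with an unseen hash contacting an unseen address.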

Data inventories and data maps of information flow paths help your organization classify critical data and overlay the proper controls based on each data classification. The data inventory also sheds light on end-of-life (EOL) systems, operating systems, and similar assets that no longer receive security updates or patches; these expose your organization at a much higher rate to new threat agents and make you non-compliant with most regulatory requirements, which explicitly state that you must protect your network and data.

One example is the HIPAA Security Rule, 45 C.F.R. § 164.308(a)(5)(ii)(B), which requires the entity to have protection from malicious software, implying that you must apply patches on all systems.

Another example is the global PCI DSS standard, which requires each entity to “develop and maintain secure systems and applications by installing applicable vendor-supplied security patches.” (4)

Best practices also address the following response and recovery controls, which build an organization that is resilient to a ransomware attack.

Data inventorying provides your organization with a catalog of systems, categorized by importance to business operations and organizational goals and objectives. It gives you a prioritized list of the critical systems and assets to protect most, with that data proactively backed up, protected at rest, and accessible only to authorized users.

Data must be backed up and protected from unauthorized access, alteration, or deletion, with a planned and tested restoration plan; this is what empowers your organization to be resilient to cyber-attacks, including ransomware. Backups may be conducted and stored locally, or they may be virtual within a cloud environment.
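A "tested restoration plan" needs a way to prove that what came back is what was backed up, because ransomware operators routinely encrypt or delete backup copies they can reach. The Python below is an added example written for this page, not code from the article or from Lockton: it records a SHA-256 manifest at backup time, then verifies a restored tree against it, reporting deleted, altered and unexpected files separately. The directory layout and file contents are constructed, and the manifest is written to a plain file here for illustration; in practice it belongs on offline or write-once storage so that an intruder who reaches the backup cannot also rewrite the manifest.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream-hash one file so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time."""
    problems = {"missing": [], "modified": [], "unexpected": []}
    found = build_manifest(restored)
    for rel, expected in manifest.items():
        if rel not in found:
            problems["missing"].append(rel)       # deleted from the backup set
        elif found[rel] != expected:
            problems["modified"].append(rel)      # altered, e.g. encrypted in place
    problems["unexpected"] = [rel for rel in found if rel not in manifest]
    return problems


def demo() -> dict:
    """Back up a constructed tree, restore it, then show what a tampered restore reports."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restore = (Path(tmp, name) for name in ("live", "backup", "restore"))
        manifest_file = Path(tmp, "backup.manifest.json")

        # Constructed sample data standing in for production files.
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "q3.csv").write_text("constructed,sample,row\n")
        (live / "notes.txt").write_text("constructed notes\n")

        # Take the backup and record its manifest at backup time. In production
        # the manifest lives apart from the backup media (offline / write-once).
        shutil.copytree(live, backup)
        manifest_file.write_text(json.dumps(build_manifest(backup), indent=2))
        manifest = json.loads(manifest_file.read_text())

        # Restoration test: an untouched restore verifies clean.
        shutil.copytree(backup, restore)
        clean = verify_restore(manifest, restore)

        # Simulate a backup copy an intruder reached: one file overwritten with
        # ciphertext, one deleted, one ransom note dropped. Each lands in its own bucket.
        (restore / "finance" / "q3.csv").write_bytes(b"constructed-ciphertext")
        (restore / "notes.txt").unlink()
        (restore / "README_DECRYPT.txt").write_text("constructed ransom note\n")
        tampered = verify_restore(manifest, restore)

        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the restoration test on a schedule, not only after an incident, is what turns a backup into a recovery capability: a manifest mismatch found during a routine drill is a ticket, while the same mismatch found during a ransomware recovery is a business interruption.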

Authentication Controls

Implementing multi-factor authentication (MFA) is critical to confirming the identity of those accessing your systems and devices. For example, if your organization uses MS Office365 (O365), MFA is free and available to implement today. If your organization does use O365, also ensure that the Advanced Threat Protection add-on is being used.

MFA should be applied to protect every account, including privileged accounts. Also, if you allow work emails to be forwarded to personal email accounts, ensure that your workforce has enabled MFA on those personal accounts, especially in today’s work-from-home setting.

Even though MFA will not prevent phishing emails from being clicked on or executed, it can prevent a successful phishing attempt from exploiting credentials, by over 90%. (5)

Incident Response

Incident response is an organized approach to addressing and managing privacy and data incidents. The goal is to identify, respond to, contain, and recover from the incident, limiting damages and reducing business interruptions.

Training the workforce on how to identify an incident, and on how and when to report it, is one component of the incident response plan. Investigating the digital footprints of a bad actor is another.

Your incident response plan is the cornerstone of building resilience within your organization, and building cyber resilience is a necessity today.

Cyber Insurance Carriers

Organizations that currently purchase a cyber liability insurance program have access to all of the above-mentioned recommendations and many other services, provided either complimentary or at a reduced cost. The insurers are helping their clients proactively improve their overall risk posture while reducing the probability of a cyber event causing a loss that triggers a claim.



Configuration Management – Configuration management is a systems engineering process for establishing and maintaining consistency of a product’s performance, functional, and physical attributes with its requirements, design, and operational information throughout its life.

End-of-Life (EOL) – “End-of-life” (“EOL”) is a term used with respect to a product supplied to customers, indicating that the product is at the end of its useful life (from the vendor’s point of view), and the vendor stops marketing, selling, or sustaining it. (The vendor may simply intend to limit or end support for the product.)

Patch Management – Patch management is the process of acquiring, testing, and installing multiple patches (code changes) on the existing applications and software tools on a computer, keeping systems up to date with available patches and determining which patches are the appropriate ones.

Segmentation of Networks – Network segmentation is an architectural approach that divides a network into multiple segments or subnets, each acting as its own small network. This allows network administrators to control the flow of traffic between subnets based on granular policies.





Medical: Is it BI or BI?

Lynn Sessions will moderate a panel at the 2017 PLUS conference called “Medical: Is it BI or BI?,” which will discuss which policies should respond when multiple lines of insurance are affected at the same time.

Sessions is both an RN and a lawyer who focuses her practice specifically on healthcare law. She previously worked for Texas Children’s Hospital in a variety of different areas, and is now a partner at Baker & Hostetler LLP, and concentrates on healthcare privacy.

The panel will focus specifically on ransomware attacks on medical facilities, and how they could potentially cause both business interruption and bodily injury claims. The panel will consist of lawyers and insurance professionals who will discuss cyber liability insurance policies, whether business interruption and bodily injury would be covered under them, and how to respond if they aren’t covered.

“These are a little bit different, and more novel issues than what we’ve seen on the cyber liability front up until now,” Sessions said. In the past, Sessions said, the main concern with cyber attacks in medical facilities was information breaches, but as cyber attacks have evolved to targeting medical devices, the concern has become patients not being able to receive the care they need, which is where the bodily injury issues come into play.

Sessions believes that a cyber attack on a medical facility is one of the most misunderstood risks for both insurance companies and medical facilities, and because it is misunderstood, it becomes a big risk.

Sessions hopes that the panel opens the audience’s eyes to risks that they may not have thought about before, and prompts underwriters and insurers to revisit their cyber liability policies to make sure business interruption and bodily injury are covered. She said that underwriters and brokers would benefit the most from attending the panel, because they’ll hopefully become aware of gaps in cyber liability policies and will start to think about how to create products that meet the needs of healthcare organizations.

“I think as we’re looking at what the emerging risks are in healthcare with a cyber event, that this is something that I think underwriters, and brokers, and frankly insurers are going to have to start thinking about, because the policies, at least in the past, have not been, would not perfectly match up to be able to cover these types of events,” Sessions said.

As insurers begin to consider the risks to healthcare organizations in the event of a cyber attack, Sessions hopes the panel will give them more information about the type of coverage that is needed.

“Hopefully a light bulb will go off that this is a needed response to healthcare organizations with an emerging risk that frankly, all of them are in the process of considering or they’ve actually already faced it,” Sessions said.

Don’t miss this fascinating and informative panel. Register now for the 2017 PLUS Conference, taking place November 1-3 in Atlanta, GA.


Why is Cyber Crime Here to Stay?

From the 2016 PLUS Professional Risk Symposium session “Fraud & Extortion: Using Technological Means – Crime or Cyber?,” Christopher Arehart (Chubb Group) asks the question “why is cyber crime here to stay?” and discusses how it works to impact your business or insured.

PLUS Symposia are known for this type of in-depth, leading-edge analysis. Our next educational symposium is the 2016 PLUS Cyber Liability Symposium, September 27 in New York City. This event sold out last year, so don’t get left out… register today and claim your seat!

PLUS members can view this entire session in the PLUS Multimedia Library.