Cyber compliance: your secret weapon against ransomware
Defend your organization from cyberattacks by ensuring compliance. Learn about evolving threats and how regulatory adherence can mitigate risks.
Ransomware continues to wreak havoc across the planet. As this cybersecurity threat evolves rapidly, security teams can benefit from various compliance frameworks when formulating their defense strategy.
Regulatory bodies around the world continue to develop cyber compliance frameworks and standardize security best practices to combat cyber threats, including ransomware. These industry-focused guidelines are a solid starting point for security teams formulating a ransomware defense strategy.
Why is it important?
According to Sophos, as many as 59% of organizations were hit by ransomware over the past year. Of these incidents, 32% started with threat actors exploiting an unpatched vulnerability, and 29% with compromised credentials.
Sophos also found that attackers attempted to compromise backups in 94% of cases, and that 57% of those attempts succeeded. In other words, a backup that is reachable from the compromised environment is itself a target, not a safety net.
How has ransomware evolved?
Ransomware today has evolved considerably and is far more sophisticated than the notorious 2017 WannaCry worm that brought parts of the UK's National Health Service (NHS) to its knees.
WannaCry leveraged the EternalBlue exploit against the SMBv1 service to spread from host to host without user interaction, combined with a relatively simple encrypt-and-demand process. Most notably, it lacked any data exfiltration capability. However, it spread indiscriminately, causing chaos across industries.
Ransomware gangs today take on a more targeted approach. For example, they conduct extensive reconnaissance before initiating an attack. Threat actors are also known for double or even triple extortion.
In this scenario, cybercriminals exfiltrate data before encryption and then threaten to leak sensitive information. Some attackers also contact customers and partners to exert more pressure on the victim.
Several trends make today's ransomware a severe threat: Ransomware-as-a-Service (RaaS) models that lower the barrier to entry, longer dwell times (where attackers lurk undetected in enterprise networks for weeks or months), and a broader range of initial-access vectors, including zero-day exploits and exposed Remote Desktop Protocol (RDP) services.
To complicate matters, threat actors also leverage artificial intelligence (AI) to scale and automate their attacks, and use fileless techniques that run entirely in memory to evade signature-based detection.
Criminal gangs target businesses of all sizes, and a ransomware attack can devastate small and medium-sized businesses (SMBs). Limited resources and a lack of established best practices make this a recipe for bankruptcy.
The average ransom demand was $2 million, and as much as 94% of victims paid the initial ransom. However, the average recovery cost (excluding the payment) was $2.73 million, with 34% of organizations taking over a month to recover from the security event.
How do we mitigate risk with regulatory compliance?
To achieve cyber compliance, organizations must adhere to established industry-specific regulatory frameworks. After all, these standards are designed to help companies develop robust cybersecurity best practices to mitigate risk and prevent security events.
Popular cybersecurity standards and frameworks in Europe include:
- Digital Operational Resilience Act (DORA)
- General Data Protection Regulation (GDPR)
- Network and Information Systems Directive (NIS-2 Directive)
Over in the US, we have:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
- Center for Internet Security (CIS) Controls
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
Additional considerations:
- ISO/IEC 27001 (International Organization for Standardization / International Electrotechnical Commission)
- Control Objectives for Information and Related Technologies (COBIT) 5
Depending on the industry, location, and the type of data you're handling, you may have to comply with multiple frameworks or standards. A comprehensive cybersecurity strategy will combine these frameworks and standards for maximum effect.
These frameworks and standards differ in scope, focus, jurisdiction, and whether they are mandatory or voluntary. For example, GDPR focuses on privacy and personal data, while the NIS-2 Directive aims at cybersecurity resilience of essential and important entities.
Some, like HIPAA for healthcare, are legally mandatory, while others, such as the NIST Cybersecurity Framework, are voluntary. Choosing the right combination for your industry and jurisdiction, and showing that you can keep pace as regulations change, reassures stakeholders of the organization's resilience.
Organizations that follow these frameworks' guidelines and best practices can establish robust, industry-recognized cybersecurity programs that reduce exploitable weaknesses, adapt to emerging ransomware tactics, and respond effectively to security incidents.
Compliance frameworks also encourage regular risk assessments and audits. This is the best approach to ensure that security measures are consistently implemented and adhered to. A proactive cybersecurity approach is imperative for businesses in today's threat landscape to stay a step or two ahead of threat actors.
Strict adherence to cyber compliance standards demonstrates a commitment to security. As such, it can help foster trust with customers, partners, and regulatory bodies, reassuring them of your organization's dedication and competence in cybersecurity.
What are the challenges to implementing compliance frameworks?
Although cybersecurity frameworks, standards, and best practices are assets for all companies, implementing them can present several challenges. For example, the number of audits, controls, and different frameworks can quickly become overwhelming.
Some of the key challenges include:
- Complexity and overlap (it can quickly become difficult to understand and implement various requirements)
- Resource constraints (not every organization has the expertise, personnel, technology, or budget to achieve its compliance goals)
- Rapidly evolving threat landscape (keeping controls current with new attacker techniques is a constant challenge for security and compliance teams)
- Measurement and evaluation (demonstrating that controls are in place and actually effective is difficult, especially across a large organization)
- Third-party risk management (can be tricky as it's difficult to ascertain if third-party vendors and suppliers also adhere to the same cybersecurity standards)
However, trying to overcome these challenges is better than dealing with the fallout of a data breach. Fines, reputational damage, or lawsuits almost always accompany a security event.
A proactive approach to cybersecurity is always necessary to build stakeholder trust and maintain a robust cybersecurity posture. The consequences of non-compliance are not to be taken lightly, and they underscore the urgency of the situation.