ISACA survey: only a third of US organizations say they are highly prepared for a ransomware attack

Published: Tuesday, 25 May 2021 07:52

In the aftermath of the Colonial Pipeline attack, ISACA polled more than 1,200 members in the United States and found that 85 percent of respondents think that their organization is at least somewhat prepared for a ransomware attack, but just 32 percent say their organization is highly prepared. 84 percent of respondents believe ransomware attacks will become more prevalent in the second half of 2021.

The Colonial Pipeline attack caused massive disruptions to gasoline distribution in parts of the US this month. Colonial reportedly authorized a ransom payment of US $4.4 million. In the ISACA survey, four out of five survey respondents say they do not think their organization would pay the ransom if a ransomware attack hit their organization. Only 22 percent say a critical infrastructure organization should pay the ransom if attacked.

“In a vacuum, the guidance not to pay makes total sense. We don’t want to negotiate with criminals,” said Dustin Brewer, senior director of emerging technology and innovation at ISACA. “But when you need to get your business back online, a cost/benefit analysis is going to come into play, and a company is going to do what it needs to do to have continuity. Good cyber hygiene has to be a focus to avoid getting to this point.”

The survey’s other key findings included:

ISACA recommends 10 steps companies can take to be better prepared for, and help prevent, ransomware attacks:

Understand risk profiles
Organizations should have their risk assessed to accurately prepare for potential attacks. To do this, cyber security teams must take inventory of responsibilities, products and services, and the technical requirements affiliated with each. By defining these risk areas, cyber teams can better assess areas that require the most attention when allocating cyber security resources.

Realize data responsibilities
Each employee on a cyber security team should realize the types of data that they are responsible for storing, transmitting and protecting.

Test for incoming phishing attacks
Most attacks start with a phishing campaign, and they continue to be effective. Try testing filters by sending yourself de-weaponized phishing emails identified by others from an external test email account. How often will they make it through? Test it. It is possible that email filters need to be strengthened.

Assess all cyber security roles on a regular, event-controlled basis
Regularly assess and audit cyber security controls to ensure that they are applied and maintained appropriately. A truly mature organization will test these controls on both a time-based schedule and in response to incidents.

Evaluate patches on a timely basis
Ensure that patches are applied in an organized and methodical fashion. For vulnerable legacy systems that cannot be patched or updated, isolate them in the network and ensure that those systems do not have access to the Internet.

Perform regular policy reviews
Make sure that all pertinent cyber security policies not only exist, but are also regularly evaluated and updated based on the ever-changing cyber security landscape. Specifically, update these policies based on both time-based schedules and event-based instances.

Leverage threat intelligence appropriately
Reading and disseminating threat intelligence throughout a cyber security team can be overwhelming. Hacks and cyber attacks occur on a 24/7 basis, with different branches of similar attacks emerging overnight in many instances. Understanding which type of intelligence applies to your organization and parsing it out correctly increases understanding of what threats may pose the greatest danger.

Protect end-user devices
We often forget to ensure 100 percent protection of end-user devices—not only for devices within the network, but for all devices used by remote users to access systems. Exclusion lists should be minimal.

Communicate clearly with executive leadership and employees
To gain executive support, ensure that reporting and communication to the leadership level is clear and accurate. Once leadership understands the threat, the risk and its potential impacts, cyber security teams are more likely to receive the funding and support required to protect the organization.

Comprehend organizational cyber maturity
All points listed here are a part of comprehending an organization’s cyber maturity, or its developed defensive readiness against potential cyber attacks and exploitations. Tools like the ISACA CMMI Cybermaturity Platform can help organizations understand and improve their cyber maturity.