Ransomware: Building Cyber Resilience

In our first article, we defined a ransomware attack and its impact on non-profit organisations, and we made some recommendations for preventing such attacks. In this article, we look at ransomware in more depth to provide a better understanding of how to build cyber resilience. There is a growing threat to cyber-security in various dimensions but especially in the form of “ransomware.” Multi-dimensional cyber threats are emerging from cross-modal attacks facilitating further virtual disruptions, such as cybercrime and virtual terrorism. This situation results from the failure of organisations and governments to establish an adequate and effective cyber-security resilience shield. Such a shield employs multiple technical tools and human approaches like extensive and holistic awareness programs in conjunction with a culture of cyber security consciousness. Many lack the expertise to maintain cyber-security assurance and address risks that jeopardise the integrity and reputation of trusted governments and organisations. We argue that a combination of security awareness with a comprehensive plan embedded in organisational culture would serve as a solid foundation on which to build more effective cyber security resilience. This approach goes beyond the current high-level policies and standards in widespread use, and it addresses the more detailed security challenges that threaten the cyber-security of trusted systems and organisations.

Cyber Resilience and Business Resilience

Business resilience ensures a rapid response to disruptions while maintaining continuous business operations. Cyber resilience is closely linked to business resilience and is a requirement organisations should have in the digital era. The scope of cyber resilience also encompasses the ability to reduce the magnitude, impact, or duration of a disruption to critical infrastructure from cyber threats, so that essential services can be recovered quickly and effectively if they are damaged or destroyed. It is clear that cyber security processes are vital for managing risks, fixing, and patching vulnerabilities and improving system resilience. Therefore, it follows that an adequate cyber resilience plan should entail sufficient co-ordination between the risk management process, well-qualified people, hardened technology, and dependable assurance processes. IT Departments should be central to a cyber resilience initiative, proactively collecting security intelligence. For this purpose, IT can use security controls and technologies that already exist in the IT ecosystem. The information generated allows organisations to respond to attacks whilst assisting in measuring their capability to ward off threats with the result that executive management are able to make well-informed decisions regarding their cyber security strategy.

Cyber Resilience and People 

Technological solutions for dealing with issues arising from cyber security threats are relatively similar globally. But the real challenges are posed by non-technical forces including human and organisational issues.¹ Human behaviours combined with organisational forces can negatively impact cyber security initiatives and associated risks.² Whether intentionally or naively, people can compromise organisational assets. Malicious activities from within (insider threats) have always been a major headache for corporations. The threat posed to organisations from insiders is unlikely to disappear quickly or easily.³ In response to such threats and to mitigate the risks organisations face, additional security controls are needed with an extended vetting process for new employees. However, this may impact productivity, which on its own is a major issue in ever-increasingly competitive markets. Corporations should consider a trade-off by accepting and transferring some risks in order to remain competitive for this purpose. Hence, it is imperative for organisations to know whether everyone who works for them is sufficiently competent to enable the organisation to recognise, respond to, and recover from a cyber-attack. It is clear that a cyber awareness program is crucial for reducing and mitigating the risks to information security.

Awareness Program

Many cyber-attacks succeed by exploiting people and human factors. These factors include lack of awareness, insufficient technical skills, inadequate communication skills, lack of supervision and insufficient involvement of management.⁴ Awareness programs play a vital role in reducing the engineering of human social interactions for exploitation purposes and for gaining access to organisational assets. They can help to mitigate risks to organisations in the age of cyber security challenges. Awareness programs should be directly relevant to roles and responsibilities, so training must be tailored and include role-based activities to ensure staff are aware of techniques used when targeting specific stakeholders. For example, anyone who has access to the corporate network should receive training on spotting a phishing attack. The cyber awareness program is just as relevant to boards and senior executive teams as it is to the most junior members of staff. For multi-national corporations, the awareness training should take into account the host country’s ethics, culture and regulations as they vary from one country to another. The real challenge is that in many organisations, the crucial information about cyber resilience awareness program gets less priority than other important matters. Staff can get overwhelmed by the volume of organisational policies and other communications. For organisations to make a success of cyber security training, these steps should be followed:

1. Set objectives for cyber security awareness and base these on problems, objectives and metrics
2. Scope and design the process through stakeholder analysis, defining driving and resisting forces and clarifying the right action steps
3. Deliver the program by clearly setting out the message; using the right language' providing accessible and flexible training, education, and awareness; ensuring that users are engaging; and setting the organisational communication policies and activities right. Make sure the right message is going to be delivered with the right tool
4. Evaluate the effectiveness of the training, revise it, seek feedback, and then run it again.

An effective cyber security awareness program like any other organisational initiative must be supported by senior management and be allocated adequate funding. The board and senior management should be equipped to understand the importance of such programs for an adequate response to cyber breaches and in addition, for assisting them, and for a sound and strategic decision-making process.

Conclusion

Cyber-resilience is a journey, not a destination. It is never going to be easy to fight cyber-crime and protect sensitive data, intellectual property, and one's reputation. And there are no guarantees. Cyber criminals are inevitably one step ahead of the good guys, and where valuable information assets are involved, the budgets provided to cyber attackers to achieve their mission are almost infinite. However, as we have demonstrated, organisations can put in place measures providing highly effective protection. These must be designed with cooperation from Board members and methodically planned to create as much resilience as possible, encompassing both technical and human factors. The principles are the same although each organisation is different. A sufficient budget must be allocated annually, and once made, plans need to be regularly reviewed and updated as the threat landscape develops and changes. Progress must be monitored and plans adapted. Human factors must never be overlooked, and awareness programs must be comprehensive and constant as the old-fashioned confidence trick is an essential part of the toolkit of the modern cyber-criminal. Following these steps will equip organisations to stay resilient.

---

References:

1. Alavi, R, et al. "Analyzing human factors for an effective information security management system." International Journal Of Secure Software Engineering (IJSSE)1 (2013): 50-74.
2. Alavi, R. “Human Factors in Information Security Management System.” Infosec Institute. http://resources.infosecinstitute.com/human-factors-information-security-management-systems/#gref
3. Threat Horizon 2017: Dangers accelerate. Published by Information Security Forum Limited https://www.securityforum.org/research/threat-horizon-2017-dangers-accelerate/
4. Alavi, R., Islam, S. and Mouratidis, H., 2015. Managing Social Engineering Attacks- Considering Human Factors and Security Investment. Proceedings of the Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015). Plymouth, University of Plymouth.

  About the Authors:

Image

Reza has been working in various IT positions in the last 27 years and currently working as an information security consultant. He worked as International Marketing Manager in two companies, which specialise in wide range of consultancy services such as information security, risk management, business continuity and IT governance in the Middle East. His current work as security consultant includes, specialising in information security coaching, helping his clients to become more effective and efficient typically through the strategic of information systems, risk management and security governance. Having significant experience of the commercial and financial sectors in various parts of the globe working with variety of cultures and work ethics enables him to understand current security requirements and threat landscape to achieve better outcome in GRC environment. Reza is the Managing Director of “Information Security and Audit Control Consultancy (ISACC)” whilst chairing the “Information Risk Management and Assurance (IRMA)” specialist group in BCS and sits on the RM/1 Risk Management Committee at “British Standard Institution (BSI)”. Juliet Flavell formerly worked in the high pressure environment of IT project management and service provision within the legal sector. In 2016 she became accredited as a Chartered IT Professional and currently runs a technology non-profit organisation. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.