Ransomware poses a threat to all businesses, regardless of size. The number of attacks has increased significantly in recent years. In addition, the methods of organized cyber criminals have become more sophisticated and refined.
In 2021, the total number of malware programs increased by 144 million malware variants, according to the current status report of the German Federal Office for Information Security (BSI).
Cyber criminals have specialized and often take a division of labor approach
The cybercriminal scene has become increasingly specialized in recent years and often takes a division of labor approach. Cybercrime as a Service (CCaaS) and Ransomware as a Service (RaaS) have become a profitable line of business in the criminal world. Specialized organizations offer CCaaS or RaaS as a rental model with regular updates that can be used by actual attackers without their own expertise. As a result, there is an increase in hard-to-detect attack variants that pose new challenges to enterprises.
In addition to the known risk of encrypting entire corporate networks, there are further risks. Attackers often move around the corporate network for a long period of time before any visible activity occurs. Other possible risks are
- Sensitive corporate data is intercepted before the network is encrypted. Attackers threaten disclosure if payment is not made in a timely manner.
- The information obtained is used to prepare further attacks on customers and partners of the attacked company.
- The attackers build additional backdoors for future attacks on the corporate network.
- As a result of successful attacks, there is loss of reputation and customers.
- Possible violations of data protection regulations can be prosecuted with substantial fines.
… and counter defense
The goals of a counterstrategy should be:
- make life as difficult as possible for potential attackers. Attackers often look for easy targets and move on when the effort required for a successful attack is too high.
- minimize potential damage and
- restore the ability to act as quickly as possible in the event of a successful attack
A successful defense strategy combines technical and organizational measures in a coherent resilience and prevention concept. It is often possible to achieve a higher level of security with comparatively simple and inexpensive means.
4 factors favor corporate resilience
Charlie Edwards’ 4-R model (Reslient Nation, 2009) includes four factors that can be critical to corporate resilience in the context of cyberattacks:
- Robustness: Ability of systems to withstand a (foreseeable or unforeseeable) load.
- Redundancy: Ability to maintain the functionality of the system by means of alternative courses of action.
- Resourcefulness: Ability to be creative in unforeseen, surprising situations.
- Speed: Ability to react quickly in a crisis situation.
The model developed by Edwards can certainly be transferred from the level of governmental organizations to companies.
Organizational resilience is the ability of an organization to absorb and adapt to a changing environment in order to achieve its goals and survive and thrive. More resilient organizations can anticipate and respond to threats and opportunities that arise from sudden or gradual changes in their internal and external environments. Improving resilience can be a strategic goal of the organization and is the result of good business practices and effective risk management.
(Source: ISO 22316, translated from English)
Resilient organizations cannot fend off every attack, but can respond to crises in a risk-minimizing way
Robustness and redundancy fall into the category of preventing an attack, while resourcefulness and speed fall into the category of responding to a successful attack. All four factors work in concert to help organizations survive crises.
Data security and data protection assurance goals
The assurance goals of data security and data protection complement each other and are primarily assigned to the preventive categories of robustness and redundancy. The practical implementation of the assurance objectives helps to reduce the risk of successful attacks. However, companies should also have concepts in place for crisis situations. The Standard Data Protection Model (SDM) of the Data Protection Conference provides some organizational and technical guidance here.
Resilience can be trained
An organization’s ability to respond adequately to the challenges of cyberattacks can be trained. Like a good soccer team, procedures can be rehearsed and automated. Before the striker starts running, the midfielder knows which running path his team partner will take and can play the decisive pass.
Crisis and emergency plans that just lie in a drawer are of little help. Processes can and must be trained and internalized. Incident response teams are established in larger companies; in medium-sized companies, there is potential here that should be exploited.