CTO and Cofounder of Black Kite.
In 2023, we saw an unprecedented number of ransomware attacks impacting nearly every industry. From healthcare and manufacturing to critical infrastructure and financial services, attackers found ways to infiltrate systems and wreak havoc on organizations for financial gain.
Although it sometimes may feel like ransomware attacks are out of a company’s control, there are things that security leaders should consider when evaluating their risk. Before coming up with an effective security strategy, it’s important to take note of what your organization’s weaknesses are and how they could be exploited. Here are three ways companies can be susceptible to ransomware attacks and what leaders can do to mitigate risk.
1. Not adequately training employees is a security risk.
In the age of remote offices and digital work environments, ransomware groups have found that employees can be a potential attack vector. Breached credentials and “stealer logs” are some of the most frequent ways hackers gain access to systems and initiate ransomware attacks. Because nearly all organizations have had stolen credentials on the internet at some point, it can make them susceptible to later attacks—especially if the exposure happened within 90 days and the information is current.
Phishing domains are commonly used to target employees and trick them into revealing sensitive information—login details, financial data or other company or personal information—which can be used to exploit company networks. Phishing domains look like trusted web or email sources, but, in reality, they’re forged by threat actors with malicious intent.
To reinforce employees as a layer of security versus susceptibility in your organization, it’s critical to engage in comprehensive training. Regular phishing training for employees at every level—even the C-suite and more technical roles—must be mandatory, as attacks are always evolving and new technology, such as generative AI, has made it harder to distinguish between what’s real and what’s not. Employees are also the one area where organizations can’t use technology to patch vulnerabilities or automate remediation, which makes training even more critical. Prevention reduces the likelihood of simple mistakes that leave your organization open to an attack.
2. Not updating systems and software makes organizations vulnerable.
According to the Cybersecurity & Infrastructure Security Agency (CISA), “outdated applications and operating systems are the target of most [ransomware] attacks.” At Black Kite, we see firsthand that most companies that are hit with ransomware attacks are using out-of-date or end-of-life products that are still running on publicly-facing systems. This scenario can be compared to driving a car with an expired license and registration. You may not get caught right away, but eventually, you’ll get pulled over and have to face the consequences. Outdated solutions—particularly those not receiving continuous support from the vendor—are more likely to have vulnerabilities, making them prime targets for malicious actors to exploit. Not updating and replacing these solutions could create entryways for threat actors that could have catastrophic results.
Although the obvious solution is to make sure to patch your systems, it isn’t always as easy as it sounds because it usually isn’t a one-off problem. Automated patching systems to manage all global assets are effective for remedying this issue and can provide real-time fixes to mitigate risk better than with just a human eye. Additionally, organizations need to be aware of their responsibility for patching on larger networks, such as AWS or Microsoft. Although the machines or operating systems may be provided by those companies, there is a shared responsibility to upkeep and manage these systems that isn’t always understood. It’s on the user to ensure regular updates and patches to have the most secure environment to work on.
3. Not properly implementing zero-trust leaves security gaps.
There’s a myth that if companies can defend their external parameters properly, hackers won’t be able to infiltrate. Unfortunately, this isn’t true. Hackers will always be able to penetrate networks, including air-gapped systems. It just depends on how motivated they are. This is why the zero-trust concept exists and has quickly risen in popularity. However, it often isn’t implemented fully or properly, leaving security gaps in organizations.
Properly implementing zero-trust practices will ensure that no one inside or outside your organization will be automatically trusted, and multiple layers of verification will be required to gain access to resources that are on the company’s network. Some zero-trust best practices include isolating and segmenting networks with multiple firewalls in between, applying the least privilege for each employee and conducting regular audits on all network traffic.
Being prepared for security risks starts with knowing where weaknesses are. Once security leaders consider where they can be exploited, an effective security strategy can be created. Properly training employees, reviewing systems and patching tools, and implementing zero-trust practices are excellent ways to ensure protection. By focusing on prevention, your organization can save the time, money and resources required to remediate an attack.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
