GUEST ESSAY: Stopping ransomware requires good governance, effective risk management

By Steven Minsky

The WannaCry attack, the biggest ransomware attack in history, is not over. Companies in at least 150 countries have been impacted, leaving organizations around the world wondering if they might be affected by subsequent waves.

It’s critical to keep in mind that effective mitigation of ransomware (and similar) attacks is accomplished with good governance and risk management, not with the acquisition of expensive security solutions.

Detecting and mitigating risks effectively requires an integrated approach. It requires understanding the dependencies and overlapping activities between entities or departments.

Related story: Most companies still lack a cyber risk management strategy

Technology necessary for a robust cybersecurity program already exists at most organizations. The missing piece, strong governance, is the key to putting internal policies into practice and maximizing the effectiveness of existing technology.

With that in mind, there are a few fundamental steps organizations should take. Enterprise-wide risk management procedures must be used to automate the assessment and monitoring of these processes. Timeliness and frequency are key to sustaining protection. The creation of corporate policies does not assure that those policies are followed equally across business areas out to the front lines. In fact, without enterprise risk management, they rarely are.

Back up data; use patches

The first step is to make sure off-site backups are kept up to date. Automatic notifications should alert the security team at preset intervals, reminding them to verify data is fully backed up at an off-site location. It’s critical to use a risk-based approach to prioritize which data needs monitoring and testing.

Once data has been protected, companies should ensure approved patches are implemented. Although most organizations have approval procedures to force implementation, inconsistency causes massive, preventable vulnerabilities. Without risk-based monitoring, critical assets are left unprotected as priorities interfere with one another.

Virus detection software is typically reviewed and updated in a similar manner. Security teams need the guidance of centralized governance so they can monitor systems effectively.

Limit access

Managing access rights—which can be achieved by first implementing internal password policies and asset management—is critical when minimizing cyber exposure. The “principle of least privilege,” by which the company grants employees only the access rights they need to perform their job responsibilities, is particularly important. This also should apply to vendors and other third parties. Conceptually this is simple, but in practice, a risk-based approach is needed to connect process owners to the security team. This is where most access rights programs fail.

Automated monitoring also should be applied to company virtual private networks. VPNs are important tools that sustain security and access, but if they are not managed correctly and don’t time out according to a preset timeframe, they create vulnerabilities that can be exploited. Once again, vendors should be held to similar standards.

Business continuity and disaster recovery (BC/DR) plans, much like data backups, must be tested (and optimized) at regular intervals. If a company has a plan in place but does not regularly test its ability to implement a “clean recovery,” it’s highly unlikely it will get back on its feet after an attack within the required time period.

Keep recovery time short

Centralized risk management allows subject-matter experts to assess each device, application and data store. Recovery time objectives, or RTOs, measure how long business objectives can be met without a particular asset. The security team, after receiving automatic notifications, should test to ensure the clean recovery timeframe is smaller than the shortest RTO.

The steps above remove cybersecurity vulnerabilities by improving governance, not by mandating the acquisition of new IT resources. Good governance enables the operationalization of security procedures, closing the gap between senior leadership and everyday activities. A risk-based approach reduces both exposure and the cost of effective security operations.

More risk-management related stories:
Underwriters, InfoSec officers must close gap on risk management
Companies should assess their risk profile and align it to a security solution
Organizations must see cybersecurity as a business risk, not just a technology issue

This article originally appeared on

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone