Zero trust strategy

The path of digital transformation, accelerated by the unique requirements of the COVID-19 pandemic, has led to untold efficiencies and revolutionary connectivity – but it has also ushered in an era of incredible threat. New, more devious ransomware puts data at more risk than ever, and the rise of remote and hybrid working means criminals now have a vast number of new avenues through which it can be deployed. Analysts are calling this the ‘golden age of ransomware’ – and it’s time for businesses to fight back.

Put simply, ransomware works, with 46 per cent of those hit with a ransomware attack paying the ransom, at an average of over US$800,000. Ransomware is no longer something reserved for the lone ranger or hacking collective: the money behind it means it’s an increasingly professional criminal endeavour.

Any prospective hacker, from business rival to international power, can now access Ransomware-as-a-Service (RaaS), which sees ransomware authors offering clients off-the-shelf malware variants, expertise from the cybercrime community and databases full of online credentials. Criminals are also getting bolder, moving from simply locking down data to also stealing and threatening to share it – known as double extortion – or even making ransom demands to a business’ third-party clients, called triple extortion. A modern attack could cause serious reputational and regulatory damage as well as an average of 20 days of business downtime, equating to a significant financial loss.

THE HUMAN ELEMENT

Ransomware’s rise has much to do with the vast growth in network-connected hardware and software. The Internet of Things (IoT) is likely to grow to over 22 billion devices by 2024, any one of which – particularly if not patched – could act as a gateway to an improperly secured network. The speed at which IT departments were forced to roll out remote access systems during the pandemic, often via common third-party tools or hastily compiled bespoke applications, left many inadvertent loopholes. And the subsequent sea change to commonplace home and hybrid working means employee hardware now routinely runs on insecure home networks, and often over public wi-fi in places like coffee shops.

VPNs are a target, shoulder-surfing passwords is a real threat, and a single lost or unattended laptop could be enough for a hacker to gain the credentials to launch an attack.

While Zero-day attacks, which exploit platform vulnerabilities known only to hackers, are a real and present threat, they aren’t something that can be easily prepared for. Moreover, phishing – a common method of network infiltration – has become ever more complex and devious over time. Phishers have mastered social engineering and confidence tricks to the point that two in three users open phishing emails, and a third will click the links or attachments within. Over half of those will then enter details into whatever lies at the other end – usually a fake login screen, passing their network credentials directly to the attacker.

ZERO TRUST APPROACH

Minimising the possibility of IT infrastructure attack means taking a Zero Trust approach – building a framework whereby no entity which interacts with your organisation earns any implicit trust. Every device, user, platform, tool or vendor must clearly demonstrate its security credentials, particularly as liability for data breaches is highly unlikely to be passed on to third parties. Employees must be trained to understand this, and a workplace culture must be built around cyber hygiene and resilience.

However, even savvy employees can slip up in a tired moment. Hackers with enough insider knowledge may be able to gather sufficient information to infiltrate a network regardless of an organisation’s policies.

The tactic now must be to secure the key asset of any business – its data – by implementing consistent encryption and employing a backup policy. Backups must be as protected as core data, ideally with strong encryption, and kept in triplicate online, offline, and off-site.

Key access must be protected by stringent policies. The Zero Trust philosophy is doubly important here: trusting keys to a cloud storage provider, for example, could result in the data and keys falling into the wrong hands in the event of a data centre breach. Moving encryption to a hardware module removes risk, and ensures that all moving data, from the cloud to email, can be properly protected end-to-end and rendered functionally useless as collateral for hackers. Using hardware encryption on backup drives or USB sticks further strengthens the protection in the case that the media itself is lost or stolen.

It might seem like preparing for the inevitable is a little defeatist, but there may be no real technological way to stop ransomware attacks from happening, particularly with the human element so vulnerable. True security comes from physical and logical separation between keys and data: if we can render ransomware attacks useless and have a plan in place for recovery, they will end up little more than a very temporary inconvenience.