Preventing Ransomware Attacks: 30 Ways to Protect Your Organisation

Your organisation is under-prepared for a ransomware attack. Almost all organisations are.

Luckily, it's likely you'll have time to fix many security problems before they are exploited.

IT vendors and service providers love to imply they have a unique, advanced, push-button solution that will magically solve your security/ransomware problems. Sadly, the real solution is far more complicated. You need a multi-layered approach to cybersecurity with many lines of defence.

1. Patch, Systematically, in an Appropriately Timely Fashion, Prioritising Your Work

  • Prioritise your patching. Common public-facing attack points such as Firewalls, VPN gateways and publicly accessible web and email servers should be patched rapidly. If a patch isn't available, apply vendor-suggested mitigations as a temporary fix.
  • Maintain an IT asset register - know what you have, including the major software versions used by devices. This information should cover physical Servers, physical PCs and Macs, Firewalls, VPN Concentrators, Routers/Switches, Printers, Print Servers, Data Storage Devices, Backup Devices, Web Filtering Devices, Email Filtering Devices, Door Access Systems that are on the LAN/WAN, CCTV devices on the LAN/WAN, Video Conferencing equipment, and IP Phones on desks, in conference rooms and in Reception. For the servers/desktops, know the major OS version at least, the middleware, and any applications that aren't in your standard PC build. If you have cloud-hosted infrastructure, include that too. If you've virtualised your servers, know all your VMs - what OS version are they running, what applications are they running? Bear in mind, it's not just PCs that need patching. As far as your network goes, know the MAC addresses of employer-owned devices.
  • Where feasible, use automated patching. In some cases, you may be able to outsource patching to suppliers who know more about the hardware than you do, e.g. to channel partners of the hardware vendor.
  • Patching everything immediately is seldom viable, nice as it may be in theory. There WILL be a window of vulnerability. Firewalls, network segmentation, Zero Trust Network Access and multi-factor authentication can buy time for patching, so you don't continually have to drop everything to implement the latest patch.
  • At least yearly, check the 'end of support' date for your organisation's older software/hardware. If security patches are going to come to an end, you ought to think about replacing or decommissioning those systems before then. In some cases, you may be able to pay for support beyond the 'end of life' date.
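
The asset register and the yearly end-of-support review above are easy to automate once the register records the dates. The script below is an added example written for this article, not a tool from any vendor; the register format and field names are an assumption, and the assets and dates in it are constructed sample data. It treats a paid support extension as moving the effective end date, lists public-facing kit first to match the patch-priority rule, and reports assets with no recorded date as a finding in their own right.

```python
from datetime import date, timedelta

# Constructed sample register for this example. The field names are an
# assumption; your own register or CMDB export will use different ones.
ASSET_REGISTER = [
    {"name": "fw-edge-01", "kind": "firewall", "version": "7.0",
     "public_facing": True, "end_of_support": "2024-06-30", "extended_support_until": None},
    {"name": "vpn-gw-01", "kind": "vpn concentrator", "version": "5.4",
     "public_facing": True, "end_of_support": "2023-12-31", "extended_support_until": None},
    {"name": "app-srv-03", "kind": "server", "version": "OS 12",
     "public_facing": False, "end_of_support": "2023-10-10", "extended_support_until": "2026-10-13"},
    {"name": "print-srv", "kind": "server", "version": "OS 19",
     "public_facing": False, "end_of_support": "2029-01-09", "extended_support_until": None},
    {"name": "cctv-nvr", "kind": "cctv", "version": "3.2",
     "public_facing": False, "end_of_support": None, "extended_support_until": None},
]


def _as_date(value):
    """Accept an ISO date string or a date object."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def effective_end_of_support(asset):
    """Latest of the vendor end-of-support date and any paid extension; None if unknown."""
    candidates = [_as_date(d) for d in (asset.get("end_of_support"),
                                        asset.get("extended_support_until")) if d]
    return max(candidates) if candidates else None


def review_support_status(assets, today, horizon_days=365):
    """Sort the register into assets already out of support, assets whose support
    ends within horizon_days, and assets with no recorded date (a finding in itself).
    Public-facing kit is listed first in each bucket, matching the patch-priority rule."""
    today = _as_date(today)
    report = {"unsupported": [], "ending_soon": [], "unknown": []}
    for asset in assets:
        end = effective_end_of_support(asset)
        if end is None:
            report["unknown"].append(asset["name"])
        elif end < today:
            report["unsupported"].append(asset["name"])
        elif end <= today + timedelta(days=horizon_days):
            report["ending_soon"].append(asset["name"])
    public = {a["name"] for a in assets if a.get("public_facing")}
    for bucket in report.values():
        bucket.sort(key=lambda name: (name not in public, name))
    return report


if __name__ == "__main__":
    for bucket, names in review_support_status(ASSET_REGISTER, "2024-03-01").items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Run it against a register export on the review date; anything in `unsupported` needs a replacement, decommissioning or extended-support decision now, and `ending_soon` is next year's budget line.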

2. Implement End-Point Protection

  • Make sure ALL devices that have access to your real corporate data have anti-virus and anti-malware software, with regular signature updates. We're not just talking about having that software on employer-managed desktops and laptops. Don't forget any self-hosted servers you may have, plus cloud servers, cloud-hosted virtual machines and machines used for development. It's not just Windows boxes, either. Linux boxes and Macs aren't immune to needing protection. Note, you'll need regular automatic downloads of anti-virus/anti-malware signatures for such software to remain effective. If users are allowed to use their own computers, insist they have anti-malware software that includes anti-virus.
  • Ideally, don't just get anti-virus protection, but 'End-Point Detection and Response' that can spot dodgy behaviour and automatically self-isolate compromised end-points.
  • Disable AutoPlay/AutoRun, so software doesn't run just because someone physically pressed the button on a desktop machine and inserted a CD/DVD.
  • Disabling copying to/from USB media is a good default policy. Users shouldn't be stupid enough to plug in USB media given out at trade shows or found lying on the floor, but some users will do stupid things like that. Most of them shouldn't be able to copy account lists to USB sticks for convenience either.

3. Use Multi-Factor Authentication and Single Sign-On

  • Multi-factor authentication (MFA) ought to be used to protect important user accounts, such as users' email accounts, CRM systems, financial systems, and email systems used to communicate with customers en masse.
  • Multi-factor authentication should be even more rigorously applied to privileged accounts, such as those of IT administrators, senior developers, and senior organisational leaders.
  • Having MFA prompts every time anyone logs on to a new system is just going to annoy everyone, so it's important to implement Single Sign On (SSO), where feasible, to make security less frustrating.
  • Use mobile-phone authenticator apps or physical security tokens rather than have the user enter codes sent to them by SMS. The latter option isn't as secure.
  • Bear in mind that Microsoft 365 comes with Azure AD, including basic support for multi-factor authentication.
  • It's particularly important that MFA be enforced when it comes to remote access.
  • Never assume MFA is bullet-proof. There are ways around it and many high profile hacks have succeeded despite MFA being in use.

4. Implement Zero Trust Network Access (ZTNA) with Identity and Access Management (IAM) Integration

  • Consider implementing Zero Trust Network Access (ZTNA). This forces users to authenticate themselves before being granted network access and gives you more granular control over what users can see and do. It does away with the naive assumption that any device or user on the LAN can be trusted to see and communicate with any hostname on the same subnet.
  • Many ransomware attacks involve compromising an end-point, such as a user's laptop, and then laterally traversing the network. The ZTNA proxy acts as an intermediary, hiding much of your network from users who don't have a need to see it.
  • The traditional approach of segmenting your network with different subnets isn't as granular as ZTNA, but it still has its uses. While we're on the topic of network segmentation, your office's guest WiFi should be on a different network to the one used by your staff, so guests - intended and unintended - can't abuse your digital hospitality.
  • Ideally, ban personal devices not managed by your firm from being connected to the staff WiFi network. Ideally, use technical means (e.g. device MAC address whitelisting) to ensure people can't breach this prohibition. If staff insist on using their own personal devices, make them use the (relatively untrusted) Guest WiFi network instead.

5. Improve User Credential Management

  • Ensure users have access to an employer-controlled password manager: one that can generate secure passwords and warn users and admins when users' passwords are insecure, whether because they're short or because they're popular. In some cases, password managers can warn about the re-use of credentials across multiple accounts and can warn if that username/password combination is known to have leaked previously.
  • Have a password policy. It should advise people to use a lengthy random password generated by the password manager, or three random words if the user needs to type or remember the password. Set more stringent requirements for admin accounts relating to Microsoft 365, cloud providers, corporate website content management systems, or server root users, such as requiring passwords to include a number, upper case and lower case letters and symbols.
  • Where reasonable-length passwords are possible, they should be at least eight characters long if you block common passwords and at least 12 characters long if there's no such filtering. If the user is using a password manager, there's seldom a reason to set such short passwords.
  • The UK's National Cyber Security Centre (NCSC) - part of GCHQ - advises against the historically common practice of enforcing regular expiry of passwords because, given the number of accounts users have, they tend to respond by choosing weaker, more-memorable passwords and re-using passwords on multiple accounts - reducing rather than increasing security.
  • Put in place a policy for suspending and deleting user accounts when employees are placed on gardening leave as a good leaver, on gardening leave as a bad leaver, or when they have left full stop. Who needs to tell whom about leavers (e.g. does HR need to tell an IT administrator)? What happens if the IT contact is on leave at that time? Basically, when people leave, you want to be able to shut them out of everything ASAP while still allowing their boss or successor to access emails that come into their account. Periodically double-check that user accounts that SHOULD have been suspended have been.
  • In larger organisations, it's sensible to put in place a policy to review employees' user permissions when their line manager changes. Sometimes, employees move laterally and no longer need access to the same resources as before.
  • Make it corporate policy that work-related credentials need to be stored in the password manager and need to be associated with an employer-controlled email address. Make it corporate policy to list every single cloud service used. The finance and legal departments may be able to provide some pointers where individuals 'forget' about the shadow IT service they signed up for! Wherever these services support single sign-on, get the users to switch to it. The idea? When users' accounts are locked out, they lose access to most of their SaaS accounts instantaneously too.
  • Where accounts (including SaaS accounts) aren't tied to the user's single sign-on credentials, you will probably need to arrange to disable any accounts tied to the departing user's email address and change the password of any account tied to a generic email address to which they had access.
  • Ensure privileged users such as IT admins have separate accounts for everyday work and any work requiring elevated privileges. Ideally, these privileged accounts should be used solely for privileged work, not for visiting websites linked to by search engine results pages or untrusted emails.
  • Create suitably precise user groups, with carefully honed user permissions based on user roles. The idea is that no one should have access to anything non-public they don't need to have access to. Not everyone in the Finance department will need the same permissions. Not everyone in the Sales department will need access to everything about Sales. Be less generous in granting permission and more paranoid. That way, if more junior employees' devices get compromised, there's less data available for bad actors to steal. Consider whether people need read access to things or whether they need permission to write to the directory too. You're trying to implement the principle of 'least privilege.' If it turns out you've been overly restrictive, you can always extend further permissions later.
  • Discourage users from using their work email account for personal use. That way, if they re-use the same password for work and personal accounts, the attacker is less likely to know to try their firstname.surname@employer.com email account with that same leaked/cracked password.
  • Check that your office network's WiFi password is secure. Change the default passwords on anything public-facing or wirelessly accessible, including WiFi access points, CCTV systems and door entry systems. If any of your devices only accept short passwords that are easily crackable, replace them, especially if accommodating those devices would require setting a weak WiFi password.
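
The password rules in this section (8 characters minimum with a common-password block list, 12 without one, extra character-class rules for admin accounts, and 'three random words' for anything that has to be typed) can be expressed as a small policy check. The code below is an added example for this article, not part of any product; the common-password set and the word list are tiny constructed stand-ins, and the entropy helper is there precisely to show why a real word list needs to be thousands of words long.

```python
import math
import secrets
import string

# Constructed stand-ins: a real deployment loads a breached/common-password list
# (tens of thousands of entries) and a word list of several thousand words.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}
WORDLIST = ["anchor", "basket", "copper", "dragon", "ember", "falcon", "garden", "harbour",
            "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orchard", "pebble"]


def check_password(password, *, privileged=False, common_list_enforced=True):
    """Return the policy failures for a candidate password (empty list = accepted).

    Length thresholds follow the article: at least 8 characters when a
    common-password block list is enforced, at least 12 when it is not.
    Privileged accounts must additionally mix digits, upper case, lower
    case and symbols."""
    failures = []
    minimum = 8 if common_list_enforced else 12
    if len(password) < minimum:
        failures.append(f"shorter than {minimum} characters")
    if common_list_enforced and password.lower() in COMMON_PASSWORDS:
        failures.append("on the common-password block list")
    if privileged:
        classes = {
            "digit": any(c.isdigit() for c in password),
            "upper-case letter": any(c.isupper() for c in password),
            "lower-case letter": any(c.islower() for c in password),
            "symbol": any(c in string.punctuation for c in password),
        }
        failures.extend(f"no {name}" for name, present in classes.items() if not present)
    return failures


def three_random_words(wordlist=WORDLIST, separator="-"):
    """Generate a memorable passphrase in the 'three random words' style.
    secrets.choice (not random.choice) keeps the selection unpredictable."""
    return separator.join(secrets.choice(wordlist) for _ in range(3))


def passphrase_entropy_bits(wordlist, words=3):
    """Bits of entropy for `words` independent picks from the list. With the
    16-word stand-in above this is only 12 bits, which is why a real list must
    be far larger."""
    return math.log2(len(wordlist) ** words)


if __name__ == "__main__":
    print(check_password("Password1"))
    print(check_password("adminpass12", privileged=True, common_list_enforced=False))
    print(three_random_words(), passphrase_entropy_bits(WORDLIST))
```

The check deliberately reports every failure rather than the first one, so a user (or an admin setting a service account password) sees the whole gap in one go.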

6. Backup Your Data Properly

  • Review what data you have and where it is. Don't just think about your self-hosted servers but also end-user desktops, cloud servers, web servers, SaaS services and development servers. Consider what needs to be backed up and how often.
  • Data hosted on SaaS services (other than Microsoft 365 and Salesforce) can be difficult to back up, but you really do need to consider it, even if it requires the business department responsible to manually request periodic data dumps that can be backed up.
  • Scan the data for malware BEFORE backing it up. Ideally, this should be automatic. Malware writers often delay their ransom demands until after months have passed and most (if not all) backups have been slowly overwritten with ransomware-encrypted versions.
  • Test your backups regularly. Can you restore them? Are they as recent as you expected? Can you restore earlier generations of files? Can you restore earlier point-in-time backups? How long does a full system recovery take? Is that 'time to recovery' acceptable? If not, would it be worth signing up for a Disaster-Recovery-as-a-Service (DRaaS) service to speed up recovery?
  • Storing multiple generations and aged point-in-time backups can cause backup bills to rise. Strongly consider whether everything you've backed up needs to be backed up. Consider how often data needs to be backed up.
  • You need backups whether you plan to pay any ransom or not. Even if you did pay, there's no guarantee the attacker will be able to decrypt your encrypted files.
  • Ransomware gangs go after backups now, i.e. seeking to corrupt and delete them, so it's important to protect against this. One partial way is to create an 'air gap', e.g. to physically store backup media in a way that's disconnected from the network with the data being backed up. That's one solution. However, it adds to recovery times. For most organisations, a better solution is backup 'immutability' where data can be backed up and restored starting immediately, but can't be changed. Much enterprise backup software is moving in the direction of supporting immutability. Our own backup service already offers it.
  • Ransomware-proof backups are not a pragmatic alternative to getting your house in order with regard to security. Whether or not you pay the ransom, you may still need to declare the attack to the Information Commissioner's Office. In some jurisdictions, you will have a duty to tell customers (or 'data subjects') that their data has been leaked. Even if you pay the ransom and get your data back, there's no guarantee you won't get a further demand for money - with a warning that if you don't pay, the unencrypted data will be released to the public.
  • Your backup archives should be encrypted at rest. If backup data is travelling over your network, it should be encrypted in transit.

7. Train (and Retrain) Users on Phishing, Malware, Password Hygiene, Social Engineering and General Cybersecurity

  • This stuff may be obvious to YOU. But you are not the average end-user. You know about brute-force attacks, credential stuffing, web browser vulnerabilities, evil twin WiFi networks, and the dangers of allowing unknown people to tailgate into the office while carrying things. Such basic cybersecurity will be new to many of your colleagues. If you're using multi-factor authentication, make sure you (or your training provider) cover MFA fatigue and proxy attacks as well.
  • Ideally, the training firm should send fake phishing emails to your employees periodically to keep them on their toes.
  • We have found KnowBe4 to be an excellent choice for training and spoofing phishing attacks to raise employee security awareness.
  • Training should highlight that there can be in-person and phone-based attacks, not just internet-based ones.

8. Be Cautious About Using BYOD for Desktops Unless You Use VDI

  • A 'Bring Your Own Device' policy can save your organisation money. However, on desktops at least, it involves accepting worse security. Your users can install any application they like (it's their device), including insecure ones. You may have no visibility or control over what's installed. Users can also sync data without your approval, for example, from their desktop to their personal Dropbox account.
  • If you must allow BYOD in relation to desktops, consider limiting it to just those users who will massively object to being forced to use your mediocre standard-issue locked-down computers. For example, senior directors who are Mac users, software developers, etc. Even then, you might be better off buying them a work MacBook or allowing them extra user privileges than allowing them to access work files from their personal PC.
  • An alternative option if you must allow BYOD is to implement Virtual Desktop Infrastructure (such as Windows 365 or Azure Desktop, or by using Citrix). This ensures that only screenshots and keystrokes can be taken from a compromised user-managed device. VDI is often insisted upon by organisations trying to combine hybrid working with high levels of data security. For example, it's a common choice for healthcare organisations. Of course, for even better security, access VDI from an employer-managed locked-down device.
  • It's far less problematic to allow BYOD when it comes to personal mobile phones, as often the only privileged information on these is email, and it's possible to segregate the work and non-work apps and data in some cases. For example, Samsung Knox allows the employer to control the installation of 'work' apps and mandate encryption for work data stored on a managed Samsung device. This allows employers to wipe WORK email and apps from departing employees' phones while leaving personal apps and data untouched.
  • BYOD (in regard to mobile phones) is essential to security if many staff don't have work-issued mobile phones or security tokens. Most modern mobile phones support biometric scanning - of fingerprints or faces - so can play an important role in supporting multi-factor authentication.

9. Make Some Security Updates Your Suppliers' Problem

  • In some cases, you can make day-to-day security someone else's problem by judiciously using cloud services, including SaaS. For example, instead of running your own web server running Linux, Apache, MySQL, PHP and WordPress, just sign up for a Managed WordPress service and let them worry about securing your site.
  • Managed Service Providers may be able to patch the equipment (servers, firewalls, web filtering devices etc) they supply. But rule oversight remains your responsibility - especially regarding firewalls, remote access etc.
  • Do you have IP phones on desks, in meeting rooms and at Reception? If so, who is going to patch them? Your IP telephony provider?
  • Clarify who will patch your internet router. Perhaps your Internet Service Provider will. In some cases, the device may be set to patch itself automatically. In others, it will be your responsibility to log on to the device to patch it.

10. Minimise Unnecessary Data Retention

  • Ransomware gangs can't extort you with the threat to leak data you no longer store.
  • To be slightly more cynical, if you get rid of old contact data, like you're supposed to under the UK General Data Protection Regulation (UK GDPR), you won't have to tell those individuals about the data security breach, and any breach you might have to tell the Information Commissioner's Office about will be smaller. The same goes for reporting the breach to your corporate insurers.
  • Now that storage is cheap, it's easy to store things forever, especially now cloud storage services such as OneDrive do away with the need to buy bigger network drives. However, storing personal data that long is a mistake.
  • Periodically, feign concern over storage volumes, asking line-of-business managers to delete any folders or data no longer needed. You may be able to provide a report from your backup software showing which files haven't been updated in the past six years, for example. This might involve deleting the user directories of ex-employees, older marketing department files etc.
  • Data often decays over time. It's often cheaper to lease or generate new data than to fix old data, especially when it contains contact information.
  • Even if you had permission to email a customer/prospect/supplier in the past, the Information Commissioner's Office and most email service providers will take a dim view of you emailing old contacts after a six-year gap for anything other than a final opt-in-if-you-want-to-still-hear-from-us pitch, especially if the recipient complains.

11. Integrate IT Systems That Need to Exchange Data at Scale

  • It's the 2020s. Where you can avoid it, you really shouldn't be exporting customer contact data in large unencrypted CSV files then importing it into other systems such as SaaS services.
  • Have code that uses APIs to accomplish the same thing without human manual action. Provide a user interface for humans to see, select and sort the data they ought to be able to see.
  • Zapier, Microsoft Power Automate and similar services can handle more minor integrations.
  • There are often email-related options for integrating systems that don't have APIs.
  • Key outcome: There aren't CSV and Excel files full of customer contact data lying around on Dropbox/OneDrive/SharePoint/Email, just waiting to be leaked by hackers or internal threats (such as employees leaving for a rival firm). That data should be in databases or data warehouses.
  • By transferring data from peripheral systems to authoritative ones, you're left free to delete the data (no longer needed) on those peripheral systems. Ideally, you should arrange for that data deletion to be automatic.
  • Integrating your major systems with peripheral data sources also allows you to just back up those key systems and not have to worry about backing up the peripheral data sources that fed them automatically via an integration.
  • Email can also be used to integrate systems where APIs aren't available.

12. Add Fake Entries to Important Contact Databases So You Can Detect (and Prove) Unauthorised Use of Your Organisation's Data

  • Even if you pay a ransom, there's no guarantee your data won't be leaked anyway. Some potential misuse is preventable, however, if you can spot it and take action.
  • Add unique but non-suspicious fake entries to your customer database. If you hold a significant volume of prospect or employee data, add fake entries to those databases too, with contact details (email, postal address, phone number) that route back to you.
  • This will give you a heads-up if anyone steals your data and starts using it for spamming/phishing.
  • If the guilty party is a rival firm (rather than a hacker), you'll likely have all the proof you need to send a cease-and-desist letter that puts a rapid end to such activities.
  • If you update some seeds regularly, automatically, you may be able to determine when a data leak occurred. That may help with any investigation into the breach.
  • Don't make it obvious which entries are the fake entries. Joke company names and staff personal email addresses aren't good enough.
  • For larger firms, you may want to consider getting 'Canary' accounts. If any attempt is made to use these special credentials or access these special servers, this triggers an alert viewable by IT admins.
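
The seed-entry idea above, including the "update some seeds regularly so you can date the leak" refinement, is shown below as an added example written for this article; it is not from any product. Each seed address is derived from a secret key, the dataset name and a 30-day rotation period with an HMAC, so the name looks like an ordinary person (no joke company names) yet, when unsolicited mail arrives at it, tells you which dataset was copied and during which period. The key, domain, epoch and name lists are placeholders and constructed data for the example.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Assumptions made for this example: the key and domain are placeholders and the
# name lists are deliberately short. Use a real random secret and your own domain.
SEED_KEY = b"replace-me-with-a-random-secret"
SEED_DOMAIN = "example.com"
EPOCH = date(2024, 1, 1)
ROTATION_DAYS = 30
FIRST_NAMES = ["alice", "bilal", "carla", "dev", "ewa", "femi", "greta", "hamid"]
LAST_NAMES = ["ahmed", "baker", "costa", "dunn", "evans", "farah", "gill", "hughes"]


def _as_date(value):
    return date.fromisoformat(value) if isinstance(value, str) else value


def period_for(day):
    """Rotation period number containing the given day."""
    return (_as_date(day) - EPOCH).days // ROTATION_DAYS


def period_window(period):
    """First and last day of a rotation period, as ISO strings."""
    start = EPOCH + timedelta(days=period * ROTATION_DAYS)
    end = start + timedelta(days=ROTATION_DAYS - 1)
    return start.isoformat(), end.isoformat()


def seed_address(dataset, period):
    """Derive the plausible-looking seed address for a dataset and period.
    The HMAC binds the name to the period, so the address reveals when the copy
    was taken without anything in the record looking like a marker."""
    digest = hmac.new(SEED_KEY, f"{dataset}:{period}".encode(), hashlib.sha256).digest()
    first = FIRST_NAMES[digest[0] % len(FIRST_NAMES)]
    last = LAST_NAMES[digest[1] % len(LAST_NAMES)]
    suffix = int.from_bytes(digest[2:4], "big") % 900 + 100   # three digits keeps periods distinct
    return f"{first}.{last}{suffix}@{SEED_DOMAIN}"


def current_seeds(datasets, today):
    """The seed record to insert (replacing last period's) in each dataset today."""
    return {ds: seed_address(ds, period_for(today)) for ds in datasets}


def identify_leak(recipient, datasets, today):
    """Given the recipient of unsolicited mail, report (dataset, window_start,
    window_end) for the seed it matches, or None if it is not one of our seeds."""
    recipient = recipient.lower()
    for period in range(period_for(today) + 1):
        for ds in datasets:
            if seed_address(ds, period) == recipient:
                return (ds, *period_window(period))
    return None


if __name__ == "__main__":
    datasets = ["customers", "prospects"]
    print(current_seeds(datasets, "2024-06-15"))
    print(identify_leak(seed_address("customers", 5), datasets, "2024-06-15"))
```

Feed the seed mailbox's inbound addresses through `identify_leak`; a hit is both the heads-up that a copy is in circulation and a date bracket for the investigation.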

13. Use Firewalls with Unified Threat Management and Intrusion Prevention System Functions

  • You need firewalls to help obscure what you have from external parties scanning for vulnerabilities. This reduces your attack surface and buys time for you to apply security patches and vendor-suggested vulnerability mitigations.
  • The default should be to lock down all ports for everyone and then make exceptions where justified.
  • Consider whether exemptions ought to be more narrowly defined. If this requires segmenting your network further, do it.
  • For your offices, you'll want a 'next generation' firewall, such as a Unified Threat Management device that gets signature updates based on threat intelligence. What this means is that big ISPs share traffic flow data with security firms in return for attack data. Those security firms share the data with firewall/network vendors, who in turn feed attack data back to their data providers. The result is that firewalls are forewarned of some attack signatures, even though the attack hasn't reached their network yet.
  • Your cloud also needs a firewall. Unless you're running VDI there, what you're protecting is locked-down servers on which a browser is seldom used, so you don't necessarily need the full UTM/IPS feature set.
  • Review your firewall rules at least yearly and when there are major network architecture or supplier changes.
  • Make sure the IT team is automatically notified of serious intrusion attempts, i.e. the firewall isn't just blocking attacks but letting you know about the more serious ones.

14. Stop Assuming You Have 'Security By Obscurity'

  • If you have servers that are only accessed by internal users or developers, it can be tempting to think 'only trusted people know about the existence of this, so I don't need to worry about patching it or hiding it.' The problem is, that's not necessarily true.
  • Most of your internal web applications have a website address (typically a subdomain). Where a non-wildcard SSL certificate has been issued (even for free, automatically, by Let's Encrypt), that information goes on the public record and is publicly searchable via crt.sh.
  • If your internal (or customer-facing) web app has its own domain name, it's almost certain that domain name will be in a list of domain names and associated name servers that's widely available - known as a 'zone file.' In particular, most .COM and .CO.UK domains end up listed in these files.
  • If your server is on an IP address that's publicly reachable, there's a good chance someone has already scanned to see what's there, enabling hackers to easily find hosts with particular software vulnerabilities. You can see an example of the information that's found by scanning by visiting the Shodan search engine. Sometimes, reverse DNS has been set up so that people can turn an IP address into a hostname that hints that the site might belong to your organisation.
  • Search engines often accidentally stumble upon hostnames - particularly subdomains - that shouldn't have been linked to publicly, as often no one has added a firewall rule blocking external access or a robots.txt file discouraging indexing.
  • Many of the subdomains you set up may be guessable, such as exchange.somecompany.co.uk or jira.somecompany.co.uk.
  • Bear in mind that in the absence of separate email filtering, your mail server hostname is public, intentionally pointed to by your domain's MX record. Sender Permitted From (SPF) text records for your domain may also give away which email servers and services you're using.

15. Give Server Applications Their Own Individual VM or Container

  • Rather than run multiple unrelated applications on the same server or virtual server, give them each their own separate virtual machine. That way, if one application is compromised, only that application is directly affected.
  • If you're deploying your own server applications, consider using containerisation to reduce the number of guest operating system installations that need to be maintained.

16. Have Remote Users use a Virtual Private Network (VPN) - Encrypt All Corporate Traffic Off the LAN

  • VPNs protect your traffic from being snooped upon in transit. Their functionality is essential if staff work from home, coworking spaces or coffee shops - where you can't be sure that the WiFi network is trustworthy.
  • Go with a corporate VPN service. Consumer-focused VPNs - as a group - have a terrible record of lying about the location of servers, lying about whether they keep logs and obscuring who owns/operates the VPN.
  • Make sure strong encryption settings are used. Err on the side of using overly large encryption keys.
  • If you have cloud-hosted resources, privileged access should only be possible via a VPN, your WAN or a cloud link (e.g. AWS Direct Connect / Azure ExpressRoute).

17. Review Error Log Highlights and Access Log Highlights Regularly

  • Parse error logs for signs of intrusion attempts, unexpected error messages etc. If you have lots of error logs, consider getting a Security Information and Event Management (SIEM) service that collects log data and highlights the most interesting results, including from any cloud hosting you may have.
  • Review access logs for logins from unexpected countries and at unexpected times. Look to see if privileged accounts are being used more frequently than ought to be the case.
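
The access-log review described above is the kind of thing a SIEM does at scale, but the logic is simple enough to run over a day's export yourself. The script below is an added example for this article, not any SIEM's rule set; it assumes a constructed log format in which each login line already carries a country code from a GeoIP enrichment step (the sample lines, allowed countries, working hours, privileged account names and baseline are all made up for the example). It flags logins from unexpected countries, logins outside working hours, and privileged accounts logging in more often than their baseline.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed configuration for the example; tune these to your own organisation.
ALLOWED_COUNTRIES = {"GB", "IE"}
WORKING_HOURS = range(7, 20)          # 07:00 to 19:59 UTC counts as expected
PRIVILEGED_ACCOUNTS = {"it-admin", "dba-root"}
PRIVILEGED_BASELINE = 2               # expected successful logins per privileged account per day

# Constructed sample log lines; the format (and the GeoIP-derived country field) is an assumption.
LOG_LINES = """\
2024-03-04T09:12:01Z user=jsmith src=198.51.100.7 country=GB result=success
2024-03-04T02:13:45Z user=jsmith src=203.0.113.5 country=RU result=success
2024-03-04T10:05:30Z user=it-admin src=198.51.100.9 country=GB result=success
2024-03-04T10:06:02Z user=it-admin src=198.51.100.9 country=GB result=success
2024-03-04T10:07:11Z user=it-admin src=198.51.100.9 country=GB result=success
2024-03-04T23:40:00Z user=aokafor src=198.51.100.12 country=GB result=failure
2024-03-04T11:00:00Z user=dba-root src=198.51.100.3 country=IE result=success
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) country=(?P<country>\S+) result=(?P<result>\S+)$"
)


def review_access_log(lines):
    """Return a list of findings as tuples whose first element is the finding kind:
    ('unparsed', line), ('unexpected_country', user, country),
    ('out_of_hours', user, timestamp) or ('privileged_above_baseline', user, count)."""
    findings = []
    privileged_logins = Counter()
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            findings.append(("unparsed", line))   # a log format change is itself worth a look
            continue
        when = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if match["country"] not in ALLOWED_COUNTRIES:
            findings.append(("unexpected_country", match["user"], match["country"]))
        if when.hour not in WORKING_HOURS:
            # failures count too: an out-of-hours failed login may be a guessing attempt
            findings.append(("out_of_hours", match["user"], match["ts"]))
        if match["user"] in PRIVILEGED_ACCOUNTS and match["result"] == "success":
            privileged_logins[match["user"]] += 1
    for user, count in privileged_logins.items():
        if count > PRIVILEGED_BASELINE:
            findings.append(("privileged_above_baseline", user, count))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(LOG_LINES):
        print(finding)
```

The baseline for privileged accounts is the part worth measuring from your own history rather than guessing: a jump above it is exactly the "used more frequently than ought to be the case" signal the section describes.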

18. Use Email Filtering to Reduce Exposure to Phishing Emails

  • Imperfect email filtering is better than no filtering.
  • Phishing emails will become more original and personalised as generative AI gains ground. Network-level filtering services that have visibility over millions of mailboxes will have the best chance of telling which emails are phishing attempts.

19. Filter Your LAN's Web Traffic. Monitor Your LAN Traffic Too.

  • You should be filtering out malware-infested websites and phishing sites at the network level, not just hoping that end-point security will step in to save the day.
  • This filtering should be applied to most users on your corporate LAN, your WAN and your VPN.
  • This can mean that users are still able to visit some sites, just that they get a big warning before doing so.
  • It's helpful to have network use monitoring in place even if you don't typically plan to use it much. This is especially important if you have a BYOD policy which allows staff to directly connect their personal laptops to the office network.
  • You're looking for signs of problematic shadow IT, e.g. unauthorised file syncing apps, unauthorised communications apps, unauthorised backup apps, unauthorised P2P file-sharing apps.
  • You may also wish to monitor your WAN traffic for suspicious traffic patterns, not just your LAN.
  • Network monitoring solutions may be able to spot security breaches that snuck under the nose of your end-point protection software, i.e. breaches may leave clues in your network traffic, e.g. trying to 'phone home' to a botnet command-and-control host.

20. Encrypt Your Data at Rest

  • All your servers, desktops and laptops should have their hard drives encrypted by default, so your data can't easily be accessed if hardware is stolen.
  • Your cloud-hosted VMs should ideally have encryption too.

21. Securely Wipe Data Prior to the Disposal or Sale of IT Hardware

  • Ideally, the wiping should happen at your office, so no personal data (including usernames, passwords, emails, certificates etc.) can be retrieved, and you can be sure of that.

22. Run Penetration Tests

  • If you can afford it, get 'penetration testing,' where you pay ethical hackers to try to uncover exploitable security flaws. If you can't afford it, there are software tools that can help you discover some of your IT system's vulnerabilities for yourself. Bear in mind you will want to check from external IP addresses, not just from your office LAN.

23. Have 'Break Glass' Accounts. Secure Them Carefully.

  • You need a 'Plan B' in case your really important administrator accounts get locked out. Great care needs to be taken to limit access to these accounts. The usernames must not be easily guessable. Any passwords must be secure and changed regularly. You may want to lock down access to a particular IP address range - so they can only be used at your organisation's HQ. You may choose to split up 'break glass' passwords so that emergency access is only possible with the cooperation of several trusted members of staff (and their stand-ins). Note that these accounts may need to be excluded from policies that apply to everyone else, so privileged users can fix problems that lock out most other users - such as an Active Directory server crashing and refusing to start, the VPN going down, or wired Internet access being lost or mobile phone networks being temporarily down.
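
Splitting a 'break glass' password so that several trusted people (and their stand-ins) must cooperate is normally done with Shamir's secret sharing, which the added example below implements from scratch for this article; it is not code from any password manager or vault product. The password is the constant term of a random polynomial over a prime field, each holder receives one point on the curve, and any `threshold` points reconstruct the constant by Lagrange interpolation while fewer reveal nothing about it. The secret, threshold and share count in the demo are constructed values.

```python
import secrets

# Arithmetic is done in GF(p) with p = 2^521 - 1 (a Mersenne prime), so passwords
# of up to 65 bytes can be shared without splitting them into chunks.
PRIME = 2**521 - 1


def _eval_poly(coefficients, x):
    """Evaluate the polynomial at x (Horner's rule), modulo PRIME."""
    result = 0
    for coefficient in reversed(coefficients):
        result = (result * x + coefficient) % PRIME
    return result


def split_secret(secret, threshold, share_count):
    """Split a byte-string secret into share_count (x, y) shares, any `threshold`
    of which reconstruct it. The secret is the constant term of a random
    polynomial of degree threshold-1, so fewer than `threshold` shares leave
    every value of the constant equally likely."""
    if not 1 <= threshold <= share_count:
        raise ValueError("need 1 <= threshold <= share_count")
    if secret[:1] == b"\x00":
        raise ValueError("secret must not start with a NUL byte (it would be lost on recovery)")
    secret_int = int.from_bytes(secret, "big")
    if secret_int >= PRIME:
        raise ValueError("secret too long for this field")
    coefficients = [secret_int] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # x = 1..share_count; x = 0 is never issued because f(0) is the secret itself
    return [(x, _eval_poly(coefficients, x)) for x in range(1, share_count + 1)]


def recover_secret(shares):
    """Lagrange-interpolate f(0) from the given (x, y) shares and return it as bytes.
    With fewer than `threshold` shares this returns an unrelated value, not an error."""
    secret_int = 0
    for i, (x_i, y_i) in enumerate(shares):
        numerator, denominator = 1, 1
        for j, (x_j, _) in enumerate(shares):
            if i != j:
                numerator = numerator * (-x_j) % PRIME
                denominator = denominator * (x_i - x_j) % PRIME
        term = y_i * numerator * pow(denominator, -1, PRIME)   # modular inverse
        secret_int = (secret_int + term) % PRIME
    return secret_int.to_bytes((secret_int.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    # Constructed demo: 3 of 5 custodians needed to open the break-glass account.
    password = b"Br3ak-Gl@ss-Example-Only"
    shares = split_secret(password, threshold=3, share_count=5)
    for x, y in shares:
        print(f"custodian {x}: {x}-{y:x}")
    print(recover_secret([shares[0], shares[2], shares[4]]))
```

Each custodian keeps their `x-hex` share somewhere only they can reach (their own password manager vault, or printed in a sealed envelope), and recovery is done on a clean machine with the shares typed in; re-split and reissue the shares whenever the break-glass password is changed or a custodian leaves.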

24. Minimise the Risk of Supply Chain Attacks

  • Sometimes, if you're a high-value target, hackers may try to get information via your suppliers. One answer to this is to weigh supplier security considerations more strongly as you enter into new supply contracts - especially with regard to any supplier that may get access to sensitive data or systems. For example, you might insist that any IT service provider have a certification such as Cyber Essentials Plus or ISO 27001. You may want to ask questions about your suppliers' use of multi-factor authentication and their staff vetting procedures, especially if they have privileged access to systems that host your data.
  • It may not be practical to ensure that all your IT suppliers have security credentials. However, it's practical to ensure that key IT suppliers do. This may involve changing suppliers gradually as contracts come up for renewal.
  • If you're signing multi-year contracts, keep an eye on changes to suppliers' security accreditations during the contract period e.g. check annually that suppliers still have the certification you require.
  • Bear in mind that the 'supply chain' suppliers most likely to cause you security problems are software suppliers - especially those whose software is reliant on poorly maintained open-source libraries.

25. Limit Remote Desktop Protocol Use

  • Most of your users shouldn't be able to connect to desktops or servers on your LAN via Remote Desktop Protocol from the Internet. The exception is users who are connecting via your VPN and are members of a user group given special permission to connect to desktops, servers or both. Ideally, VPN access should itself be secured using multi-factor authentication.
  • Don't forget to lock down your cloud-hosted servers and virtual machines, so, generally, they can't be accessed using RDP, except from your LAN/WAN/VPN by duly-authorised users or your cloud provider/IT support firm. Simply making servers inaccessible to most of the Internet goes a long way to protecting them from ransomware attacks. For even more granular control, deploy a Zero Trust Network Access (ZTNA) solution. Instead of allowing connections from your LAN or a subnet just for senior staff, you make those restrictions user-specific.

26. Lock Down Your Cloud Hosting Too

  • It's understandable if your thoughts of security turn to your LAN, your WAN, your VPN, your office firewalls etc. However, if you make use of cloud hosting, you may have a whole new area you also need to protect. It also needs firewalls, VPNs, OS patching, server application patching and anti-malware software.
  • Hosting websites puts a target on your servers, especially if the sites they host are guessable from domain names in widely available zone files. The same goes if you set up reverse DNS in a way that gives away what's being hosted on a given IP address, e.g. if an IP address resolves to exchange.yourdomain.co.uk. It may be worth deploying a Web Application Firewall (WAF) if you regularly find your web servers coming under the low-volume, application-layer attacks that WAFs are designed to thwart. This can help protect your site even when it's not fully patched.
  • If you have a SIEM (Security Information and Event Management) solution, make sure it's keeping an eye on your cloud hosting logs too.
  • Needless to say, your data backups should be backing up your cloud too. Your IT asset inventory should include your cloud-based hosts.

27. Restrict Bulk Access to Sensitive Data, including Customer Data, Contracts etc.

  • Few people in your organisation need bulk access to your data. Those that do only need that access rarely. Set up web applications, systems and CRM/ERP reports so employees can just see the data they need without having to download and process customer data at scale first. Where individuals need bulk access, consider whether they ought to have two accounts - an everyday account with fewer privileges and an elevated-privilege account used only when the bulk data is actually required.
  • For example, junior customer service agents should be able to pull up individual customer records via a search function but shouldn't be able to download a full list of customers.
  • This isn't just about whether you trust the individual but about taking pre-emptive steps to minimise the degree to which a phishing attack or social engineering attack is likely to lead to a material data leak.
  • Good questions to ask are 'Are we relying on exported/imported CSV or Excel files? If so, could we not set up a report or an integration to eliminate the need for that?'
  • Another good question is 'Are we storing things on a network drive or SharePoint site that really ought to have access made more gated?'
  • Common mistakes include taking a simplistic departmental approach, e.g. giving every salesperson access to a shared 'Sales' folder containing confidential customer data relating to the customers of every salesperson employed since the directory was created.

28. Use Mobile Device Management Software

  • Only allow staff to view work emails on their phones/tablets if those devices are running Mobile Device Management software that enables you to wipe those emails in the event of the phone being lost or stolen. The MDM policy should also enforce stringent phone-locking requirements, so phones lock after even a short period of inactivity.

29. Consider Getting Cyber-Insurance

  • This could cover your reasonable costs in remediating any ransomware attack.
  • You'll need to ensure your cyber-security practices are good enough to meet the policy requirements. If you implement the security measures on this page, you'll likely have covered most requirements.
  • To be candid, some insurers may reimburse you for the ransom. Check with your insurer.
  • It doesn't necessarily need to be a stand-alone cyber insurance policy. Some cover might be provided as part of business interruption insurance.

30. Take Advantage of Microsoft 365's Information Protection Features

  • If you're using Microsoft 365, look into making use of its information protection capabilities. These allow you to classify and protect sensitive information. Microsoft labels these features 'Azure Information Protection' and 'advanced threat protection'.

Bonus Security Measures

  • Configure your web servers to hide the web server version number, their OS version number and their content-management-system version number. Public IP address space is routinely scanned for signs of which software is in use on a given host. This can be used later to attack such hosts should a vulnerability be published for that particular version of the software. Hiding version numbers makes it less likely you'll appear on such lists of 'vulnerable' hosts.
  • If you're a high-value target, consider setting up decoys/honey traps to i) distract attackers ii) warn you that attackers from particular IP addresses are probing your systems.
  • Update your VM templates, so they don't become outdated. It's important that any new VMs you create are secure from the get-go.
  • Create an IT Configuration Database. Use config file changes to make changes, rather than WYSIWYG visual user interfaces, so any configuration changes can be backed up and reverted, and so you can consistently reproduce changes you've made to settings.
  • Have a 'lab' where you can test out IT changes (such as patches) without impacting live systems.
  • Uninstall or disable unwanted services so there's a narrower attack surface and you don't have to patch as much software.
  • Improve physical security - so accessing more sensitive areas (e.g. server rooms) isn't possible except by staff who need such access. You should also ensure there's good CCTV coverage of entry/exit points to your office.
  • WiFi networks should use at least WPA2, and if the hardware connecting to the network is relatively modern, WPA3. The latter may require replacing older wireless access points and IoT devices that can't be updated.
  • Add a Ransomware / Hacking plan to your existing Business Continuity Plan. If you lose access to your systems, think about who in your organisation needs to be involved in your security incident response. Have you got their phone numbers and alternative email addresses for them should anything happen to your work systems? You should think about this before you're attacked. Make sure you include senior business leaders with authority to i) spend money ii) change business processes as needed.
  • Have your own proprietary apps? Make testing - including security testing - part of your development process. Test your APIs, not just the front ends. Distrust user input, including from logged-in users. Inputs, including those that are supposed to just be parroted back from data you supplied, need to be validated - including in relation to what that particular user ought to be able to see or do. If the APIs give access to confidential data, consider restricting access to an allow-list of IP addresses and to systems in possession of an appropriate certificate.
  • If you're a large firm, consider subscribing to an outsourced Security Operations Centre (SOC) service, so there's always someone on duty ready to respond rapidly to serious attacks.
  • If you're in Healthcare, Finance or Government, expect the risk of a ransomware attack to be elevated.
  • If your industry is highly likely to be targeted by cyber attackers, look into whether there is a sector-specific 'Information Sharing and Analysis Centre' (ISAC) which could give you a heads-up on cyber threats experienced by others in your industry.
  • If you are a UK organisation with static IP addresses and/or domains, register for the National Cyber Security Centre's free Early Warning service.
  • If you have multiple IT admins in-house, try to ensure that at least one is contactable in the event of a serious security incident, i.e. be careful when scheduling IT staff leave so that you're not left without any cover.
  • Ideally, set up your email settings so internal emails are signed automatically.
  • Take a quick look at NoMoreRansom.org. If you are hit by a ransomware attack, there's an outside chance there's free software that could help you undo the damage without paying.
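Two of the points above, giving staff per-record access rather than bulk export (measure 27) and checking that a logged-in user is actually allowed to see the record an API call names (the proprietary apps bullet), as an added Python example that is not code from the original article. The customer data, users and role names are constructed for illustration, and the 'unchecked' lookup is a hypothetical flawed version shown beside its hardened replacement.

```python
from dataclasses import dataclass

# Constructed sample CRM data; not from the original article.
CUSTOMERS = {
    1001: {"name": "Acme Ltd", "account_manager": "alice"},
    1002: {"name": "Bravo plc", "account_manager": "bob"},
    1003: {"name": "Charlie & Co", "account_manager": "alice"},
}


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset  # e.g. {"supervisor", "bulk-export"} on an elevated account


def get_customer_unchecked(user: User, customer_id):
    """Hypothetical 'before': trusts the ID the client sends back, so any
    logged-in agent can walk through every record just by changing the number."""
    return CUSTOMERS.get(int(customer_id))


def parse_customer_id(raw):
    """Validate untrusted input: accept only a positive decimal integer."""
    if isinstance(raw, str) and raw.isdigit():
        raw = int(raw)
    if isinstance(raw, int) and not isinstance(raw, bool) and raw > 0:
        return raw
    return None


def get_customer(user: User, raw_id):
    """Hardened lookup: validate the input, then check that THIS user may see
    THIS record. Returns (HTTP-style status, record-or-None)."""
    customer_id = parse_customer_id(raw_id)
    if customer_id is None:
        return 400, None
    rec = CUSTOMERS.get(customer_id)
    allowed = rec is not None and (
        rec["account_manager"] == user.username or "supervisor" in user.roles)
    if not allowed:
        return 404, None  # same answer for 'missing' and 'not yours': no enumeration hint
    return 200, rec


def export_all_customers(user: User):
    """Bulk download is gated behind the elevated 'bulk-export' role, which a
    junior agent's everyday account does not carry."""
    if "bulk-export" not in user.roles:
        return 403, None
    return 200, [dict(id=k, **v) for k, v in sorted(CUSTOMERS.items())]
```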

“That's a Lot to Do!”

Although the measures listed can look overwhelming, you don't have to fix everything at once. Few organisations have the time or money to do so.

Just look over the security measures above to familiarise yourself with what you could be doing, prioritise your changes and keep making incremental improvements.

You will probably have implemented some of the measures already.

Bear in mind that you're not just trying to prevent ransomware attacks compromising end-points, but also to limit lateral movement from compromised end-points to more sensitive areas of your IT estate.

You're trying to speed up detection of any attack and put in place systems that will help you recover faster, without paying a ransom. And you are trying to limit the amount of sensitive data that could leak in the event of a successful attack.

hSo Can Help Your Organisation Improve its IT Security

We've lots of services that can help you protect your organisation from ransomware:

  • Business VPNs - Our Virtual Private Network (VPN) can help you lock down remote access to only authorised users, encrypting their traffic. The VPNs can be integrated with popular Identity and Access Management systems, so users lose VPN access as soon as their primary user account has been blocked or deleted.
  • Data Backup - Our automated cloud backup service can ensure you have multiple generations of your important files, VM images and databases. There is an immutability option, so you can get the benefits of air-gapped backups, without the delays in data restoration such air-gaps can involve.
  • Zero Trust Network Access - Our ZTNA service can help you lock down access to your network in a granular way, using a proxy to mediate network access requests. Unlike a traditional VPN, it can protect the users on your LAN, not just your remote users.
  • Managed Cloud Hosting - This service takes care of patching your guest OS and the underlying virtualisation layer and hardware.
  • Managed Firewalls - These help protect your network from unwanted external probing. They can also block outbound traffic you don't want.
  • Unified Threat Management - UTM uses deep packet inspection to keep tabs on how your network is really being used. It can neutralise many threats and allow you to kill unwanted network traffic streams that present a security threat.
  • Disaster Recovery as a Service - This allows you to bounce back from an attack quicker, with a cloud-based clone of your server estate kept on ice, ready to be reanimated should you lose your primary hosting platform.
  • Microsoft 365 - As a Microsoft partner, we're able to provide licences for Microsoft 365. This doesn't just provide the Microsoft Office apps but also Azure AD with multi-factor authentication to help protect user accounts. Some product tiers also include Microsoft Intune, Microsoft's Mobile Device Management solution. Both can support your effort to boost security.

To find out more about hSo's services for UK-based organisations, call 020 7847 4510 or fill in the form below.
