As the security and related privacy concerns of organisations grow more complex over time, one of the malicious cyber-enabled activities threatening the cyber security ecosystem and fast gaining traction is ransomware. An increasing number of businesses and critical infrastructure operators are being targeted by a new wave of ransomware, with research suggesting that the number of such attacks almost doubled in the first half of 2021 compared with the previous year. Overall, organisations across the world experienced a 29% increase in the number of such attacks, with significant rises in EMEA (36%) and the Americas (24%). Reportedly, the banking industry globally experienced a 1,318% increase in ransomware attacks in 2021.
Increasingly sophisticated ransomware attacks can seriously harm an organisation, in particular through loss of critical data, disruption of operations, lost revenue and loss of stakeholder trust. For example, the National Cyber Security Centre in Ireland detected a ransomware attack on the country's Health Service Executive, which compromised critical medical data and disrupted healthcare operations. This makes ransomware an issue worth taking cognisance of for businesses big or small, especially as most of them are working to comply with data security and privacy regulations and standards while also building their data management strategies.
Data Privacy compliance to aid ransomware mitigation
Though ransomware may primarily seem to be a cybersecurity threat for businesses, it is important to highlight how the General Data Protection Regulation (the key legislation governing privacy and data protection practices in Europe, with global implications) specifically requires appropriate technical and organisational security measures to protect the personal data being processed (Article 32). One of the most prominent laws in this domain in the USA, the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act, likewise requires businesses collecting a consumer's personal information to implement reasonable security procedures and practices to prevent unauthorised access, destruction, modification or disclosure. As almost every business model today involves processing personal data in some form, including sensitive data, compliance with these regulations requires not only privacy controls but adequate security procedures as well. A ransomware attack is a direct threat to the integrity and availability of personal data, and under the GDPR the temporary or permanent loss of availability of personal data can itself constitute a personal data breach, so the breach assessment and notification obligations may be triggered even where no data was exfiltrated. With ransomware attacks growing in number, companies processing personal data run a significant risk if hit, including questions about their compliance efforts from a privacy standpoint. Conversely, a company that has implemented the security measures its privacy obligations demand is likely to suffer comparatively less damage in terms of lost data, financial impact and reputation in the market.
Data security controls to the rescue
As companies try to build confidence in their security processes by adopting global standards such as ISO 27001 for information security management, it becomes important to keep updating existing controls and introducing new measures to address the risks and threats posed by ransomware. Some essentials an organisation should aim for: strong cryptographic controls (ransomware encrypts data to hold the organisation to ransom for the decryption key, making critical data unavailable; where data is also stolen before being encrypted, encryption at rest with properly managed keys limits what the stolen copy exposes); regular, structured risk assessments including periodic security audits; a sound incident response plan; regular backups of critical data, kept offline or otherwise out of reach of an attacker with administrative access to the network, with restores tested regularly, since ransomware routinely targets backups it can reach; strong user authentication controls; and up-to-date software. Additionally, training and awareness for personnel involved in security management, and implementation of the ISO 27002 controls for an improved ISMS, is another beneficial approach. Proactive detection and mitigation of such threats calls for businesses to improve the information security controls they have adopted, especially to ensure that the serious threats ransomware poses to the confidentiality, integrity and availability of datasets are addressed in time. Other measures include a well-planned incident management and response plan, so that the business continues to operate during an unplanned disruption, together with a crisis communication plan that allows the company to communicate promptly and in a formalised manner and to learn from the incident so as to prevent the next one.
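As an added example (not code from CRANIUM or the original article), the following Python script shows the check a practitioner would want behind "regular backups of critical data": a SHA-256 manifest of the backup set, authenticated with an HMAC whose key is stored separately from the backup, and a verification pass that reports missing, added and modified files and uses byte entropy to flag files that look encrypted. The directory layout, file contents, the simulated ransomware behaviour and the entropy threshold are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import math
import os
import tempfile
from collections import Counter

HASH_ALG = "sha256"
# Assumed threshold (bits per byte), not from the article: text and CSV files sit
# around 4-5 bits/byte, encrypted or compressed data approaches 8.
ENTROPY_THRESHOLD = 7.5


def file_digest(path):
    """Streamed SHA-256 of a file, so large backup files do not need to fit in memory."""
    h = hashlib.new(HASH_ALG)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Shannon entropy in bits per byte; 0 for a single repeated byte, 8 for uniform random."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def build_manifest(root):
    """Map of relative path -> digest for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_digest(full)
    return manifest


def sign_manifest(manifest, key):
    """HMAC over a canonical JSON encoding; the key must live somewhere the backup host cannot reach."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, HASH_ALG).hexdigest()


def verify_manifest_signature(manifest, key, tag):
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_backup(root, manifest):
    """Compare the backup set against a trusted manifest and flag files that look encrypted."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    added = sorted(set(current) - set(manifest))
    modified = sorted(p for p in manifest.keys() & current.keys() if manifest[p] != current[p])
    likely_encrypted = []
    for rel in modified + added:
        with open(os.path.join(root, rel), "rb") as f:
            sample = f.read(1 << 20)  # first MiB is enough to judge entropy
        if shannon_entropy(sample) > ENTROPY_THRESHOLD:
            likely_encrypted.append(rel)
    return {
        "missing": missing,
        "added": added,
        "modified": modified,
        "likely_encrypted": likely_encrypted,
        "ok": not (missing or added or modified),
    }


def simulate_ransomware_check():
    """Constructed end-to-end run: healthy backup, manifest, simulated encryption, verification."""
    root = tempfile.mkdtemp(prefix="backup_demo_")
    os.makedirs(os.path.join(root, "records"))
    samples = {  # constructed sample data, not real records
        "records/patients.csv": b"id,name,dob\n1,Example Person,1980-01-01\n" * 50,
        "notes.txt": b"Quarterly review notes. Nothing sensitive here.\n" * 40,
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    manifest = build_manifest(root)
    key = os.urandom(32)
    tag = sign_manifest(manifest, key)
    clean_report = verify_backup(root, manifest)

    # Simulated ransomware: one file encrypted in place, one replaced by a renamed ciphertext copy.
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(os.urandom(4096))
    os.remove(os.path.join(root, "records/patients.csv"))
    with open(os.path.join(root, "records/patients.csv.locked"), "wb") as f:
        f.write(os.urandom(4096))
    after_report = verify_backup(root, manifest)
    return clean_report, after_report, verify_manifest_signature(manifest, key, tag)


if __name__ == "__main__":
    before, after, manifest_trusted = simulate_ransomware_check()
    print("before attack:", before)
    print("after attack: ", after)
    print("manifest signature valid:", manifest_trusted)
```

Two caveats when using a check like this in practice: the manifest and the HMAC key must be stored where an attacker who has compromised the backup host cannot rewrite them, otherwise a fresh manifest over the encrypted files would verify cleanly; and high entropy is also normal for compressed archives and media, so the flag is a signal to investigate, not proof. A periodic test restore remains the only real evidence that the backup satisfies the availability requirement.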
Data Management considerations
The risks posed by a ransomware attack can be significantly reduced if the company has sound data management practices in place. This involves working on a data management strategy that sets out the key principles guiding the formulation of a plan. Additionally, defining roles and responsibilities for data within the organisation helps ensure the protection of critical data and of the underlying architecture. An overview of the data life cycle as part of such a strategy saves time and effort and helps an organisation act in time in the event of an attack. Mature practices for the storage, archiving and retention of data under formal policies and procedures, together with timely monitoring of compliance with them, are essential tools for dealing with the unpleasant situation a ransomware attack creates. Therefore, besides complying with privacy regulations and adopting security controls, having a data management strategy also helps organisations facing a ransomware attack: stakeholders can act in time and in accordance with a formal policy, instead of first having to collect information about how the affected data is handled.
Vanya Rakesh is a privacy and security consultant at CRANIUM Netherlands. In her role as a consultant and Data Protection Officer, she advises clients based globally on privacy and related security matters to aid compliance with the GDPR specifically and with other relevant regulations.
Is your organisation at risk of a ransomware attack? Or do you want to gain insight into what such an attack would mean for your organisation? As CRANIUM has already supported clients internationally on such cybersecurity threats, we shall be happy to support you further with regard to information security! Contact us now.