Cybersecurity — Identity and Access Management: Five steps towards getting a ransomware attack on your company

In day two of @AuManufacturing’s Cybersecurity – Identity and Access Management series, Ryan Ko offers some friendly advice to those who want to be victims of ransomware. 

In my experience working with INTERPOL to track digital payments to ransomware operators, and researching with antivirus companies how ransomware works, I have seen ransomware in action and witnessed its crippling impact on business continuity.

At the time of writing, many companies are still getting hit by ransomware at an exponential rate. You can join them too. 

Here are some golden rules which will guarantee your organisation becomes a ransomware attack victim. Relax, they do not affect your operational budget this year. 

1. Dedicate no human resources to cybersecurity, and continue to park cybersecurity responsibilities in the basement IT department.

It all starts with leadership. If your board and executives view cybersecurity as a purely technical problem and ignore it as a very real business risk, you will fail to anticipate the impact a ransomware attack has on your business. The Norwegian company Norsk Hydro’s ransomware incident is a good example. As long as you have assets connected to the Internet, you will be a target. If cost is an issue, you can explore affordable options such as sending your executives to cybersecurity training aimed at management, and hiring a virtual chief information security officer.

2. Assume that the cybercriminals are just some geeks also stuck in a basement. 

Ransomware perpetrators see themselves as entrepreneurs. Like us, they are motivated by profit and aspire to retire rich early. From the start-up to the established syndicate like Evil Corp, these entrepreneurs are opportunistic and have evolved. Earlier campaigns that spread ransomware indiscriminately across the world attracted a lot of attention and carried a high risk of getting caught. They now take a bespoke approach – company by company, sector by sector. They study your published annual reports and know how much money to extort from you based on simple economics. Be extra careful about how much open-source intelligence (e.g. an organisational chart) you are handing to them.

3. Have zero knowledge or control over your digital assets, staff identity management and privileged access rights.

Do you know how many computers and mobile devices you have in your organisation? Who manages them and ensures that they are patched regularly (see step 1)? Does a temporary staff member or contractor have the same access to all systems and data as your finance department? It is human nature to reuse passwords, and as a result some of our passwords will already be exposed online. Consider adding another layer of authentication to key systems, and enquire about cost-effective identity management, “passwordless” protection and multi-factor authentication (MFA) solutions. If you have to choose one, start by implementing MFA for all staff and contractors.

4. Have no backups and data management plans.

How often do you back up your data? Or rather, when was the last time you backed up your data (even if only onto a USB stick)? When you are hit by a ransomware attack, the easiest way to recover is to wipe and reinstall your computers, and then restore from your backups. This is why ransomware specifically starts by scanning your computers to disable backups. You can see how ransomware does this in my TEDx talk below.

5. Focus your busy staff only on profit-generating, business-as-usual activities, and neglect awareness training.

Do your receptionist and frontline employees have a script, and are they trained to handle social engineering by cybercriminals? Do your staff practise cyber hygiene? Just like workplace health and safety training, organisations should conduct regular cyber awareness training and exercises. This is especially important now that so many staff are working from home.

Bonus Step: If you get ransomware-attacked, pay the ransom and hope that they will not attack you again.

If you paid the ransom, I wish to congratulate you on being listed on the cybercriminals’ so-called “sucker list”. This list will be revisited by these cybercriminals for as long as their “businesses” operate. Sometimes they will also share their lists with each other.

If you are accomplishing the above, I congratulate you on being a very likely victim of ransomware. 

Prof Ryan Ko is the Chair and Director of Cyber Security at the University of Queensland. He has held scientific leadership roles at Hewlett-Packard Labs and in academia, and board directorship and technical advisory roles for ministers, listed companies and INTERPOL.

@AuManufacturing’s Cybersecurity – Identity and Access Management series is brought to you through the support of Thales Cloud Protection & Licensing (CPL).
