Ransomware cyberattacks are one of the fastest-growing attack methods globally, causing many organizations to ask themselves a critical question. Have we done enough to secure our institution against a ransomware attack?
Ransomware readiness is crucial in today’s cyber climate, but evaluating the processes and controls you have in place to prevent, recover from, and mitigate the effects of a ransomware attack can seem like a daunting task. Pair that with the abundance of ransomware readiness guidance available, and formulating a plan to assess your institution can make most of us want to turn around and go home.
If you want to assess your institution’s ransomware readiness and aren’t sure where to start, or maybe you’ve reviewed some of these sources already and are confused about which one to put your time into, don’t panic! We will review several references to help get you started.
In October 2020, the Conference of State Bank Supervisors released their Ransomware Self-Assessment Tool (R-SAT). The R-SAT was developed to help financial institutions assess their risk for ransomware and identify any gaps in their ransomware protection program. It was also designed to give executive management and the board of directors an overview of an institution’s preparedness in the event of a ransomware attack.
Then, in December 2020, SBS CyberSecurity released Top Six Controls to Mitigate a Ransomware Attack. This resource lists specific controls that can be put in place to protect your institution’s network and data from a ransomware attack.
Fast forward a year later, in August 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released a fact sheet titled, “Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches.” This fact sheet provides information on preventing and responding to ransomware-caused data breaches.
Let’s dig into each of these resources to see how using them together can help you build a strong ransomware protection program.
Who is the audience for each guide?
Right off the bat, the R-SAT lets you know its audience. From executives to directors, the R-SAT promotes valuable insight into an institution’s preparedness. For example, it can be used by an information security officer (ISO) to:
- Assess readiness
- Report on programs
- Identify gaps
Though the R-SAT can be used as a guide for mitigating gaps within protection programs, it’s also important to look elsewhere for additional guidance on best practices.
The CISA fact sheet provides information on preventing and responding to ransomware-caused data breaches. It is not an assessment or reporting tool but a general guide for building baseline best practices. ISOs and IT Managers, or anyone responsible for implementing and developing policies, would benefit from reviewing this.
The SBS CyberSecurity document is another fundamental guidebook, as it proves to be the most technical and granular of the three tools. It lists specific controls you can implement, along with an Incident Response Playbook on how to handle ransomware if you are attacked. Your in-house or outsourced network administrator would be responsible for implementing the controls in this guide.
What is in each guide?
The R-SAT addresses areas of ransomware risk utilizing the functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework; identify, protect, detect, respond, and recover. To assist in the reporting and reviewing process, it has a series of mostly yes or no questions and checklists for various controls.
The CISA fact sheet is a high-level guide for preventing, detecting, and responding to ransomware attacks. It lists general controls for prevention and detection, best practices for responding, and many links for more detailed guidance.
The SBS CyberSecurity guidance lists specific, granular controls. Rather than providing an overview of the types of controls that should be in place, it gives you detailed items to improve the security of your program and implement your policies.
Building a solid prevention program requires more insight than each guidance can give us individually. When used in conjunction, however, the three guides discussed can help you build a robust Ransomware Prevention Program.
That’s all great, but which one do I use?
All of them!
To assess and report on your ransomware readiness, start with the R-SAT. It will help you determine:
- Which controls your institution has implemented;
- What policies and procedures you have in place; and
- Any gaps that should be addressed.
Once you have identified the gaps, working through the CISA fact sheet is the next step. As the fact sheet only lists general controls and best practices, while skipping over more detailed controls, it is a great guide to assist in developing policies for your program. It also has many links to more in-depth information for building a robust prevention program, which leads us to step three.
After that, take a look at the SBS CyberSecurity guide, which lists specific practices and controls you can implement. These are not general guidelines but real-world practices to help secure your network and protect your institution. This guide will help you implement the policies you developed from the CISA fact sheet.
Building a solid prevention program requires more insight than each guidance can give us individually. When used in conjunction, however, the three guides discussed can help you build a robust Ransomware Prevention Program. Utilize the three as a step-by-step process:
- R-SAT — used to assess the program and identify gaps
- CISA fact sheet — assists in building policies and procedures with additional technical guidance provided by embedded links
- SBS CyberSecurity guide — provides specific, real-world controls to implement, as well as an Incident Response Playbook
Go forth and protect, my friends! It’s dangerous to go alone, so take this guide to help you along your way.
SBS delivers unique, turnkey cybersecurity solutions tailored to each client’s needs, including risk management, consulting, auditing, network security, and education. Learn more at sbscyber.com.
