{"id":4907,"date":"2024-08-16T09:00:00","date_gmt":"2024-08-16T14:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities-threats\/why-are-organizations-losing-ransomware-battle"},"modified":"2024-08-16T09:00:00","modified_gmt":"2024-08-16T14:00:00","slug":"why-are-organizations-losing-the-ransomware-battle","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/08\/16\/why-are-organizations-losing-the-ransomware-battle\/","title":{"rendered":"Why Are Organizations Losing the Ransomware Battle?"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blt8d9db4aa7e614745\/66bd070fef381a842b25a5d8\/Ransomware%281800%29_Christophe_Coat_Alamy.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/why-are-organizations-losing-the-ransomware-battle.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/why-are-organizations-losing-the-ransomware-battle.jpg?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold\">COMMENTARY<\/span><\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Successful <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" 
href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/synnovis-ransomware-attack-disrupts-operations-london-hospitals\" rel=\"noopener\">ransomware attacks<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> are increasing, not necessarily because the attacks are more sophisticated in design but because cybercriminals have realized many of the world&#8217;s largest enterprises lack sufficient resilience to basic cybersecurity practices. Despite massive investments in cybersecurity from the private and public sectors, many organizations continue to lack sufficient resistance to ransomware attacks.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Institutionalizing and Sustaining Foundational Cybersecurity Remains Challenging\">Institutionalizing and Sustaining Foundational Cybersecurity Remains Challenging<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">More than 40 years of experience as a practitioner, researcher, and leader in the audit and cybersecurity professions leads me to conclude there are two key reasons for the lack of ransomware resilience that is overexposing organizations to otherwise controllable gaps in their ransomware defenses:&nbsp;<\/span><\/p>\n<div data-component=\"basic-list\" class=\"BasicList BasicList_nestedLevel_0 BasicList_variant_unordered BasicList_limited\">\n<ul data-testid=\"basic-list-unordered\" class=\"BasicList-UnorderedList\">\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"6.552036199095\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"9.0090497737557\">\n<p class=\"ContentParagraph 
ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Recent newsworthy intrusions \u2014 such as the attacks on <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/endpoint-security\/mgm-restores-casino-operations-10-days-after-cyberattack\" rel=\"noopener\">gaming organizations<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, consumer goods manufacturers, and <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/endpoint-security\/healthcare-providers-must-plan-for-ransomware-attacks-on-third-party-suppliers\" rel=\"noopener\">healthcare providers<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> \u2014 reinforce that some organizations may not have implemented foundational practices.&nbsp;<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"8\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"11\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">For organizations that have implemented foundational practices, they may not sufficiently verify and validate the performance of those practices over time, allowing costly investments to depreciate in effectiveness more 
quickly.&nbsp;<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In light of this, there are three simple actions organizations can take to improve basic resilience to ransomware:<\/span><\/p>\n<h3 class=\"ContentText ContentText_variant_h3 ContentText_align_left\" data-testid=\"content-text\" id=\"1. Recommit to foundational practices.\">1. Recommit to foundational practices.<\/h3>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">According to Verizon&#8217;s &#8220;2023 Data Breach Investigations Report,&#8221; 61% of all breaches exploited user credentials. Two-factor authentication (2FA) is now considered an essential control for access management. Yet a failure to implement this additional layer of security is at the core of an unfolding <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/round-2-change-healthcare-targeted-second-ransomware-attack\" rel=\"noopener\">ransomware disaster for UnitedHealth Group\/Change Healthcare<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">. Not only are patients affected by this hack, but service providers and clinicians are experiencing collateral damage, encountering significant obstacles in obtaining care authorizations and payments. 
An entire industry is under siege as a result of a major healthcare provider failing to implement this foundational control.&nbsp;<\/span><\/p>\n<h3 class=\"ContentText ContentText_variant_h3 ContentText_align_left\" data-testid=\"content-text\" id=\"2. Ensure foundational practices are &quot;institutionalized.&quot;\">2. Ensure foundational practices are &#8220;institutionalized.&#8221;<\/h3>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">There&#8217;s a &#8220;set and forget&#8221; mentality that addresses cybersecurity at implementation but then fails to ensure practices, controls, and countermeasures are durable across the life of the infrastructure, especially as these infrastructures evolve and adapt to organizational change. For example, cybersecurity practices that are not actively implemented with features that ensure their institutionalization and durability run the risk of not holding up under evolving ransomware attack vectors. But what does institutionalization mean? Actions including documenting the practice; resourcing the practice with sufficiently skilled and accountable people, tools, and funding; supporting enforcement of the practice through policy; and measuring the effectiveness of the practice over time define higher maturity behaviors that fortify investments and extend their useful life.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">These &#8220;institutionalizing features&#8221; ensure that fundamental cybersecurity practices remain viable, and when they lose effectiveness, are improved. For example, basic encryption practices were not in place with the Change Healthcare ransomware hack, which rendered patient data vulnerable to hackers. 
This prompts questions about whether the requirement for data encryption at rest was institutionalized in policy, and if so, whether responsibility for meeting such requirements was assigned to properly skilled practitioners.&nbsp;<\/span><\/p>\n<h3 class=\"ContentText ContentText_variant_h3 ContentText_align_left\" data-testid=\"content-text\" id=\"3. Measure and improve the effectiveness of foundational practices.\">3. Measure and improve the effectiveness of foundational practices.<\/h3>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">These questions must be asked: Are cybersecurity frameworks failing us? And are they making us less effective?<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The use of a framework like the&nbsp;<\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/ics-ot-security\/nist-releases-cybersecurity-framework-2-0\" rel=\"noopener\">National Institute of Standards and Technology Cybersecurity Framework<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&nbsp;(NIST CSF) can guide program development and practice implementation, but use alone is not a good predictor or indicator of success. Why? Because the consistency of expected outcomes from framework practices is rarely measured. 
Maturity models \u2014 those that emphasize the institutionalizing features mentioned above \u2014 are an evolution toward this objective but continue to have limitations unless paired with an active performance management approach.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">It&#8217;s possible that an organization such as Change Healthcare may have implemented 2FA on critical servers in the past but, without regular observation or measurement, failed to recognize that this control was either intentionally or accidentally deprecated or in some way functioning inadequately. So, while the organization had the right intentions \u2014 to implement 2FA as a standard practice \u2014 without active performance management, it may have been misled into believing such a control was not only implemented but effective as well.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Additionally, gap assessments using cybersecurity frameworks can indicate areas for program improvement, but this alone will not result in an improvement of overall performance. Many organizations do these assessments to &#8220;prove&#8221; their programs are operating effectively when, in reality, an implemented and observable practice could be performing poorly, resulting in a dangerous overstatement of the organization&#8217;s true capability. This is potentially why some organizations are &#8220;surprised&#8221; they have been the victim of a ransomware attack. 
Without performance measurement, effectiveness cannot be guaranteed, and until performance management becomes a front-and-center feature of cybersecurity frameworks, users run the risk of believing they are properly fortified against ransomware attacks without sufficiently testing that assumption.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">And senior management and boards of directors deserve reporting on performance management, not just the results of periodic framework assessments. Without metrics, these governors are left with the impression that the only deficiencies in the cybersecurity program are misalignments with frameworks, yet in reality, poorly performing practices and controls are more perilous.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"More Security With Less by Focusing on the Basics\">More Security With Less by Focusing on the Basics<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The challenge of institutionalizing and sustaining fundamental cybersecurity practices is multifaceted. It requires a commitment to ongoing vigilance, active management, and a comprehensive understanding of evolving threats. However, by addressing these challenges head-on and ensuring that cybersecurity practices are implemented, measured, and maintained with rigor, organizations can better protect themselves against the ever-present threat of ransomware attacks. 
Focusing on the basics first \u2014 such as implementing foundational controls like 2FA, fostering maintenance skills to integrate IT and security efforts, and adopting performance management practices \u2014 can lead to significant improvements in cybersecurity, providing robust protection with less investment.<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/why-are-organizations-losing-ransomware-battle\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>COMMENTARY Successful ransomware attacks are increasing, not necessarily because the<\/p>\n","protected":false},"author":12,"featured_media":4908,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-4907","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/why-are-organizations-losing-the-ransomware-battle.jpg?fit=1800%2C1013&ssl=1",1800,1013,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/why-are-organizations-losing-the-ransomware-battle.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/why-are-organizations-losing-the-ransomware-battle.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/why-are-organizations-losing-the-ransomware-battle.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/why-are-organizations-losing-the-ransomware-battle.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/why-are-organizations
-losing-the-ransomware-battle.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/why-are-organizations-losing-the-ransomware-battle.jpg?fit=1800%2C1013&ssl=1",1800,1013,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/why-are-organizations-losing-the-ransomware-battle.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/why-are-organizations-losing-the-ransomware-battle.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/why-are-organizations-losing-the-ransomware-battle.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category 
tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/why-are-organizations-losing-the-ransomware-battle.jpg?fit=1800%2C1013&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4907","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=4907"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4907\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/4908"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=4907"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=4907"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=4907"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}