There are numerous threats that organizations need to account for and incorporate into their security programs. But ransomware remains top of mind for leaders and practitioners alike. Ransomware is widely reported and closely watched.
Often, its attacks make the news, impacting well-known companies and directly affecting individuals. It’s important to examine trends and identify lessons that can be applied to our own practices in response to the ransomware threat.
Why the Decline in Q2 Attacks Doesn’t Tell the Whole Story
The first thing that stands out from this quarter’s report is the overall drop in attacks. That looks great at first glance: one thousand fewer attacks, a 40% drop compared to Q1. However, organizations cannot simply take the headline totals and conclude that the threat level is decreasing.
High-level trends can give false hope to an organization, which is why it’s important to examine the numbers themselves. As the report demonstrates throughout, a false sense of security would form if we focused just on the total numbers.
Don’t Think in Silos: Risks Cross Every Boundary
One trap we must avoid is thinking in our own silo. The reality is simple: threats are everywhere, and they’re constantly shifting. The threat landscape is vast and far-reaching, and much of it affects us directly. Even if we initially downplay the threat from certain risk groups based on perceived attack likelihood, that assumption can be misleading.
The past few years have heightened our collective awareness of third-party and supply-chain risks. These risks are closely related, and we have seen their impact on organizations, customers, and the general public. We need to look beyond the borders of our organization when assessing threats and considering our risk awareness. That includes trends in industries we do not operate in ourselves but that strongly affect our daily operations as a business.
Move Beyond Prevention: Resilience is the New Goal
This leads us back to the need to elevate our mindset and the lens through which we view our security program. It is no longer enough to think in terms of prevention and recovery. Yes, they are important components, but that can’t be where we focus all of our efforts and resources. Our focus and aim must be resilience.
How do we continue to operate at or near 100% in the event of a security incident? What are our dependencies on supply chains and third parties, and if one of them were to suffer an incident and be unable to fulfill its obligations, how could that impact our ability to operate normally? We need to look at those considerations.
Healthcare’s Vulnerability and Why It Should Concern You
Healthcare remains one of the most frequent targets for attacks by these threat groups. The report explains the reasoning behind that. What we, as organizations, need to do is account for where the healthcare industry intersects with our business vertical. Remember, healthcare is a broad field; it encompasses more than just hospitals.
It covers all elements of the healthcare system: hospitals, billing companies, insurance records, and more. There is a potential impact on our organization even if we’re not in healthcare, and even if healthcare isn’t a part of our supply chain.
The Broader Impacts of Breaches on Your Workforce
Our people likely have healthcare coverage through the organization and certainly maintain some form of medical records. So, when there’s a breach of that information, everyone may feel an impact. There is a mental toll that many individuals go through when they learn that personal information they expected to remain private, such as health or financial information, has been exposed.
They have no idea how bad the impact will be on them. Can we build any measures to mitigate that risk? Can we incorporate a part of our security program that allows for resilience when a large breach may affect a large swath of our organization’s personnel, causing their focus and performance to be impacted by this new stress?
Think Like a Business Leader: Customer Industry Risk = Your Risk
Now, let’s look at it through more of a business lens. Your organization isn’t in healthcare. However, a significant portion of your customer and client base may be healthcare organizations. We’re using healthcare, but it can be any other industry that you serve or rely on to generate revenue as part of your operations.
Let’s say your organization provides a non-healthcare service to the healthcare industry. It’s one of your largest customer verticals and a focus of your go-to-market strategy. If that industry is experiencing an increase in attacks, they will need to address it with their resources. That means a shift in budget priorities. That may cause you to lose out on deals, have current customers cancel at renewal, and deter prospective clients because the budget dollars are no longer available.
Take a Holistic View of Threats Across Industries
We need to take a holistic approach when evaluating potential threats across the broader ecosystem. That means understanding where our organization overlaps with different business verticals and how attack trends in those sectors could affect us.
There is one other focus from this quarter’s report. We mentioned resilience earlier, and it is also mentioned in the report itself. No longer is security just about prevention and recovery; it’s also about how we set ourselves up to maintain resilience in the face of an attack.
It’s not only about disaster recovery (DR), but also about business continuity (BC), and increasing our focus on maintaining operations in the face of adversity, regardless of the threat. And it’s really about ensuring we’re true to the basics. The old, tried-and-true solutions that we’ve been hearing about for ages.
Security Basics Still Work If You Use Them
Vectors change, industries of focus change, and even what’s being ransomed or threatened changes, but what we can do to help protect ourselves has remained relatively consistent.
Key foundational practices include:
- Implementing multifactor authentication (MFA/2FA) for all accounts, especially those accessible from the internet
- Establishing a strong backup-and-recovery program that includes regular testing and a version of backups isolated from the corporate network
- Developing and regularly testing incident response plans and protocols to ensure staff are prepared for evolving attacker tactics
- Maintaining a disciplined patching and vulnerability management program to reduce exposure from both new and older vulnerabilities
These are just a few of the security basics that have been recommended for years and remain highly effective to this day.
The Quiet Risk: Unpatched Vulnerabilities
Patching and vulnerability management often receive little attention. It isn’t necessarily exciting. It’s usually not the program that gets folks to jump out of bed looking to conquer. The latest and greatest vulnerability, the one that’s large enough to make the news cycle, is the one that gets noticed and prioritized.
It’s the one that everyone’s asking about: How are we with this? Are we protected? What do we need to do to be protected right now? But exploit development takes time, and threat groups operate on the same logic as regular businesses: if this still works for us, why should we incur the expense of changing just to chase the latest trend?
If you look at some of the highlighted vulnerabilities in the report, you’ll notice that they are typically one to two years old. They may not be related to recent headlines, or even have garnered headline attention when they were first discovered, but they’re still being exploited today. And the reason they’re still being exploited is that there are still environments where these vulnerabilities remain unpatched. Therefore, threat actors have a sufficient market where what they developed years ago continues to generate a profit.
Why change?
Yes, patching and vulnerability management do have their complications. Organizations face the timing of a patch, the potential downtime of a system while the patch is applied, and any number of other concerns when a vulnerability is discovered. However, it remains one of our most effective tools for securing environments and strengthening organizational resilience.
Understand the Story Behind the Numbers
The difference in the numbers between Q2 and Q1 appears to be favorable. You notice a significant decline in attacks at first glance. But that’s why we have to dive deeper than just the initial numbers. We have to see where they’re focused and what that can really tell us. We must seek to understand what all these numbers are telling us and what those implications are for our business.