Why Are Organizations Losing the Ransomware Battle?

COMMENTARY

Successful ransomware attacks are increasing, not necessarily because the attacks are more sophisticated in design but because cybercriminals have realized many of the world's largest enterprises lack sufficient resilience to basic cybersecurity practices. Despite massive investments in cybersecurity from the private and public sectors, many organizations continue to lack sufficient resistance to ransomware attacks.

Institutionalizing and Sustaining Foundational Cybersecurity Remains Challenging

More than 40 years of experience as a practitioner, researcher, and leader in the audit and cybersecurity professions leads me to conclude there are two key reasons for the lack of ransomware resilience that is overexposing organizations to otherwise controllable gaps in their ransomware defenses: 

In light of this, there are three simple actions organizations can take to improve basic resilience to ransomware:

1. Recommit to foundational practices.

According to Verizon's "2023 Data Breach Investigations Report," 61% of all breaches exploited user credentials. Two-factor authentication (2FA) is now considered an essential control for access management. Yet a failure to implement this additional layer of security is at the core of an unfolding ransomware disaster for UnitedHealth Group/Change Healthcare. Not only are patients affected by this hack, but service providers and clinicians are experiencing collateral damage, encountering significant obstacles in obtaining care authorizations and payments. An entire industry is under siege as a result of a major healthcare provider failing to implement this foundational control. 

2. Ensure foundational practices are "institutionalized."

There's a "set and forget" mentality that addresses cybersecurity at implementation but then fails to ensure practices, controls, and countermeasures are durable across the life of the infrastructure, especially as these infrastructures evolve and adapt to organizational change. For example, cybersecurity practices that are not actively implemented with features that ensure their institutionalization and durability run the risk of not holding up under evolving ransomware attack vectors. But what does institutionalization mean? Actions including documenting the practice; resourcing the practice with sufficiently skilled and accountable people, tools, and funding; supporting enforcement of the practice through policy; and measuring the effectiveness of the practice over time define higher maturity behaviors that fortify investments and extend their useful life. 

These "institutionalizing features" ensure that fundamental cybersecurity practices remain viable, and when they lose effectiveness, are improved. For example, basic encryption practices were not in place with the Change Healthcare ransomware hack, which rendered patient data vulnerable to hackers. This prompts questions about whether the requirement for data encryption at rest was institutionalized in policy, and if so, if responsibility for meeting such requirements was assigned to properly skilled practitioners. 

3. Measure and improve the effectiveness of foundational practices.

These questions must be asked: Are cybersecurity frameworks failing us? And are they making us less effective?

The use of a framework like the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) can guide program development and practice implementation, but use alone is not a good predictor or indicator of success. Why? Because the consistency of expected outcomes from framework practices are rarely measured. Maturity models — those that emphasize the institutionalizing features mentioned above — are an evolution toward this objective but continue to have limitations unless paired with an active performance management approach.

It's possible that an organization such as Change Healthcare may have implemented 2FA on critical servers in the past but, without regular observation or measurement, failed to recognize that this control was either intentionally or accidentally deprecated or in some way functioning inadequately. So, while the organization had the right intentions — to implement 2FA as a standard practice — without active performance management, it may have been misled into believing such a control was not only implemented but effective as well.

Additionally, gap assessments using cybersecurity frameworks can indicate areas for program improvement, but this alone will not result in an improvement of overall performance. Many organizations do these assessments to "prove" their programs are operating effectively when, in reality, an implemented and observable practice could be performing poorly, resulting in a dangerous overstatement of the organization's true capability. This is potentially why some organizations are "surprised" they have been the victim of a ransomware attack. Without performance measurement, effectiveness cannot be guaranteed, and until performance management becomes a front-and-center feature of cybersecurity frameworks, users run the risk of believing they are properly fortified against ransomware attacks without sufficiently testing that assumption. 

And senior management and boards of directors deserve reporting on performance management, not just the results of periodic framework assessments. Without metrics, these governors are left with the impression that the only deficiencies in the cybersecurity program are misalignments with frameworks, yet in reality, poorly performing practices and controls are more perilous.

More Security With Less by Focusing on the Basics

The challenge of institutionalizing and sustaining fundamental cybersecurity practices is multifaceted. It requires a commitment to ongoing vigilance, active management, and a comprehensive understanding of evolving threats. However, by addressing these challenges head-on and ensuring that cybersecurity practices are implemented, measured, and maintained with rigor, organizations can better protect themselves against the ever-present threat of ransomware attacks. Focusing on the basics first — such as implementing foundational controls like 2FA, fostering maintenance skills to integrate IT and security efforts, and adopting performance management practices — can lead to significant improvements in cybersecurity, providing robust protection with less investment.