Why Are Organizations Losing the Ransomware Battle?

Institutionalizing and sustaining fundamental cybersecurity practices requires a commitment to ongoing vigilance, active management, and a comprehensive understanding of evolving threats.

Richard Caralli, Senior Cybersecurity Advisor, Axio

August 16, 2024


COMMENTARY

Successful ransomware attacks are increasing, not necessarily because the attacks are more sophisticated in design but because cybercriminals have realized many of the world's largest enterprises lack sufficient resilience to basic cybersecurity practices. Despite massive investments in cybersecurity from the private and public sectors, many organizations continue to lack sufficient resistance to ransomware attacks.

Institutionalizing and Sustaining Foundational Cybersecurity Remains Challenging

More than 40 years of experience as a practitioner, researcher, and leader in the audit and cybersecurity professions leads me to conclude there are two key reasons for the lack of ransomware resilience that are overexposing organizations to otherwise controllable gaps in their ransomware defenses:

  • Recent newsworthy intrusions — such as the attacks on gaming organizations, consumer goods manufacturers, and healthcare providers — reinforce that some organizations may not have implemented foundational practices. 

  • Organizations that have implemented foundational practices may not sufficiently verify and validate the performance of those practices over time, allowing costly investments to depreciate in effectiveness more quickly.

In light of this, there are three simple actions organizations can take to improve basic resilience to ransomware:

1. Recommit to foundational practices.

According to Verizon's "2023 Data Breach Investigations Report," 61% of all breaches exploited user credentials. Two-factor authentication (2FA) is now considered an essential control for access management. Yet a failure to implement this additional layer of security is at the core of an unfolding ransomware disaster for UnitedHealth Group/Change Healthcare. Not only are patients affected by this hack, but service providers and clinicians are experiencing collateral damage, encountering significant obstacles in obtaining care authorizations and payments. An entire industry is under siege as a result of a major healthcare provider failing to implement this foundational control. 

2. Ensure foundational practices are "institutionalized."

There's a "set and forget" mentality that addresses cybersecurity at implementation but then fails to ensure practices, controls, and countermeasures are durable across the life of the infrastructure, especially as these infrastructures evolve and adapt to organizational change. For example, cybersecurity practices that are not actively implemented with features that ensure their institutionalization and durability run the risk of not holding up under evolving ransomware attack vectors. But what does institutionalization mean? Actions including documenting the practice; resourcing the practice with sufficiently skilled and accountable people, tools, and funding; supporting enforcement of the practice through policy; and measuring the effectiveness of the practice over time define higher maturity behaviors that fortify investments and extend their useful life. 

These "institutionalizing features" ensure that fundamental cybersecurity practices remain viable, and when they lose effectiveness, are improved. For example, basic encryption practices were not in place with the Change Healthcare ransomware hack, which rendered patient data vulnerable to hackers. This prompts questions about whether the requirement for data encryption at rest was institutionalized in policy, and if so, if responsibility for meeting such requirements was assigned to properly skilled practitioners. 

3. Measure and improve the effectiveness of foundational practices.

These questions must be asked: Are cybersecurity frameworks failing us? And are they making us less effective?

The use of a framework like the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) can guide program development and practice implementation, but use alone is not a good predictor or indicator of success. Why? Because the consistency of expected outcomes from framework practices is rarely measured. Maturity models — those that emphasize the institutionalizing features mentioned above — are an evolution toward this objective but continue to have limitations unless paired with an active performance management approach.

It's possible that an organization such as Change Healthcare may have implemented 2FA on critical servers in the past but, without regular observation or measurement, failed to recognize that this control was either intentionally or accidentally deprecated or in some way functioning inadequately. So, while the organization had the right intentions — to implement 2FA as a standard practice — without active performance management, it may have been misled into believing such a control was not only implemented but effective as well.

Additionally, gap assessments using cybersecurity frameworks can indicate areas for program improvement, but this alone will not result in an improvement of overall performance. Many organizations do these assessments to "prove" their programs are operating effectively when, in reality, an implemented and observable practice could be performing poorly, resulting in a dangerous overstatement of the organization's true capability. This is potentially why some organizations are "surprised" they have been the victim of a ransomware attack. Without performance measurement, effectiveness cannot be guaranteed, and until performance management becomes a front-and-center feature of cybersecurity frameworks, users run the risk of believing they are properly fortified against ransomware attacks without sufficiently testing that assumption. 

And senior management and boards of directors deserve reporting on performance management, not just the results of periodic framework assessments. Without metrics, these governors are left with the impression that the only deficiencies in the cybersecurity program are misalignments with frameworks, yet in reality, poorly performing practices and controls are more perilous.

More Security With Less by Focusing on the Basics

The challenge of institutionalizing and sustaining fundamental cybersecurity practices is multifaceted. It requires a commitment to ongoing vigilance, active management, and a comprehensive understanding of evolving threats. However, by addressing these challenges head-on and ensuring that cybersecurity practices are implemented, measured, and maintained with rigor, organizations can better protect themselves against the ever-present threat of ransomware attacks. Focusing on the basics first — such as implementing foundational controls like 2FA, fostering maintenance skills to integrate IT and security efforts, and adopting performance management practices — can lead to significant improvements in cybersecurity, providing robust protection with less investment.

About the Author

Richard Caralli

Senior Cybersecurity Advisor, Axio

Richard Caralli is a senior cybersecurity advisor at Axio with significant executive-level experience in developing and leading cybersecurity and information technology organizations in academia, government, and industry. Caralli has 17 years of leadership experience in internal audit, cybersecurity, and IT in the natural gas industry, retiring in 2020 as the Senior Director – Cybersecurity at EQT/Equitrans. Previously, Caralli was the Technical Director of the Risk and Resilience program at Carnegie Mellon's Software Engineering Institute CERT Program, where he was the lead researcher and author of the CERT Resilience Management Model (CERT-RMM), providing a foundation for the Department of Energy's Cybersecurity Capability Maturity Model (C2M2) and the emerging Cybersecurity Maturity Model Certification (CMMC). During his 15-year tenure at Carnegie Mellon, Caralli was also involved in creating educational and internship programs for Master's degree and continuing education students at the Heinz College.

