What’s missing from current approaches to ransomware prevention?

CIO in Telecommunication, 4 years ago

In terms of the tools and technology, every company that I've been with has a slew of them, including things for endpoint, intrusion detection, prevention, etc. But once they’re implemented, the question becomes: How do we check if it’s really working? Most companies also do an external assessment of their security posture based on certain benchmarks and ranking, but what we’ve done is engage the company in a red teaming exercise, which is something that’s becoming more prevalent in the industry.

It's like kicking the tires. The red team has a target and as they attempt to breach the network, we can see whether they can get to our crown jewels. While they are doing malicious activities within your network, are you able to detect it? Are you able to prevent it? Are they going from one network to another network? There is another set of players involved in the exercise who run their campaign and don't tell us when they're running it. They look at the breach, look at people who have clicked on it, go through the environment and try to go as deep as they can. It's a double-edged sword because if it is working, that's good; if it is not working, then we are all exposed.

When you’re presenting to the board, having all these initiatives looks good on paper but you also need a reality check. Doing these red teaming exercises shows that although we put these initiatives in place, we still have loopholes to work on. We do it periodically so it validates what our cybersecurity environment is. Otherwise, when you talk about most of these tools, it's just a point solution and bad actors are always one step ahead. It's an offensive way of looking at your cybersecurity posture.

CIO Strategic Advisor in Services (non-Government), 4 years ago

I don't think there's a silver bullet for ransomware. But we're still dancing around the core issue: we have to think very differently about how we start to solve these problems. IT is notoriously bad at disaster recovery and business continuity. It's always been and it continues to be that way. Even with security or risk, there's always a decision to be made about what you can afford, and how much money you have to work with. And then you have to make judgments. Because if you were to protect everything, you'll either lock it up in a vault and disconnect it, or you'll go bankrupt. It’s one of those two outcomes. There is nothing in between.

You have to make risk value decisions on what to protect and how to protect it in a way that aligns with what the organization is prepared to do, just like any insurance or risk equation would. And this is not something that your CISO organization or IT organization should take lightly, nor should they be doing it solo. This is something that your risk or audit organization should be involved in. It can also help your relationship with the board. It has to be a team sport because there's just too much at stake now. You need to have a team discussion.

CEO in Software, 4 years ago

One of the great things about having 20 businesses use one company for their infrastructure management—versus 20 companies all trying to do their infrastructure management independently—is that one company can spend a lot more money on an aggregate and hire better people to support all that infrastructure than the 20 individual companies can. That being said, we still end up with employees who leave databases exposed to the internet. So as good as AWS or Google security might be, it still ends up being a training issue. Beyond tool creation and application or environment design—which may be a real opportunity for improvement—one of the biggest issues is the fact that if humans are involved, that's your biggest risk factor every single time, whether it's building servers inside of a data center, writing code to fix a problem or doing security.
