Com TW NOw News 2024

Why are organizations losing the battle against ransomware?

COMMENTARY

Successful ransomware attacks are increasing, not necessarily because the attacks are more sophisticated, but because cybercriminals are realizing that many of the world’s largest enterprises lack the resilience to employ basic cybersecurity practices. Despite massive investments in cybersecurity by the private and public sectors, many organizations still lack resilience to ransomware attacks.

Institutionalizing and maintaining fundamental cybersecurity remains a challenge

Based on over 40 years of experience as a professional, researcher, and leader in the audit and cybersecurity industry, I conclude that there are two main reasons for the lack of resilience against ransomware, leaving organizations overexposed to otherwise manageable gaps in their ransomware defenses:

  • Recent newsworthy break-ins, such as the attacks on gaming organizations, manufacturers of consumer goods, and health care providers, highlight that some organizations may not have implemented the fundamental practices.

  • Organizations that have implemented foundational practices may not be able to adequately verify and validate the performance of those practices over time, causing valuable investments to lose their effectiveness more quickly.

In light of this, there are three simple actions organizations can take to improve baseline resilience against ransomware:

1. Reaffirm basic practices.

According to Verizon’s “2023 Data Breach Investigations Report,” 61% of all breaches involved user credentials being compromised. Two-factor authentication (2FA) is now considered an essential control for access management. Yet, failing to implement this additional layer of security is at the heart of an unfolding ransomware disaster for UnitedHealth Group/Change Healthcare. Not only are patients affected by this hack, but providers and clinicians are also suffering collateral damage and facing significant obstacles in obtaining care authorizations and payment. An entire industry is under fire as a result of a major healthcare provider’s failure to implement this fundamental control.

2. Ensure that fundamental practices are ‘institutionalized’.

There is a “set and forget” mentality that addresses cybersecurity at implementation but then fails to ensure that practices, controls, and countermeasures are sustainable over the life of the infrastructure, especially as those infrastructures evolve and adapt to organizational change. For example, cybersecurity practices that are implemented without features ensuring their institutionalization and sustainability risk not being resilient to evolving ransomware attack vectors. But what does institutionalization mean? Actions such as documenting the practice; providing the practice with sufficient skilled and accountable people, tools, and funding; supporting the practice’s enforcement through policy; and measuring the practice’s effectiveness over time define higher-maturity behaviors that strengthen investments and extend their useful life.

These “institutionalizing functions” ensure that core cybersecurity practices remain viable and are improved when they lose their effectiveness. For example, core encryption practices were not in place during the Change Healthcare ransomware hack, leaving patient data vulnerable to hackers. This raises questions about whether the requirement for encryption of data at rest was institutionalized in policy and, if so, whether the responsibility for meeting such requirements was assigned to properly trained professionals.

3. Measure and improve the effectiveness of fundamental practices.

These questions need to be asked: Are cybersecurity frameworks failing us? And are they making us less effective?

Using a framework such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) can guide program development and practice implementation, but use alone is not a good predictor or indicator of success. Why? Because the consistency of expected outcomes of framework practices is rarely measured. Maturity models—which emphasize the institutionalizing characteristics noted above—are an evolution toward this goal, but continue to have limitations unless combined with an active performance management approach.

It is possible that an organization like Change Healthcare may have implemented 2FA on critical servers in the past, but without regular observation or measurement, failed to recognize that this control had been intentionally or accidentally overridden or was somehow not functioning properly. So while the organization may have had the right intentions — to implement 2FA as standard practice — without active performance management, it may have been misled into believing that such a control was not only implemented, but was also effective.

Additionally, gap assessments using cybersecurity frameworks can identify areas where program improvements are possible, but this alone will not result in an improvement in overall performance. Many organizations conduct these assessments to “prove” that their programs are working effectively, when in reality, an implemented and observable practice may be performing poorly, resulting in a dangerous exaggeration of the organization’s true capability. This may be why some organizations are “surprised” to find themselves the victim of a ransomware attack. Without performance measurement, effectiveness cannot be guaranteed, and until performance management becomes a central part of cybersecurity frameworks, users risk believing they are well-fortified against ransomware attacks without adequately testing that assumption.

And senior management and boards deserve reporting on performance management, not just the results of periodic framework reviews. Without metrics, these executives are left with the impression that the only deficiencies in the cybersecurity program are framework misalignments, when in reality, poorly performing practices and controls are more dangerous.

More safety with less by focusing on the basics

The challenge of institutionalizing and maintaining fundamental cybersecurity practices is multifaceted. It requires a commitment to constant vigilance, active management, and a comprehensive understanding of evolving threats. However, by addressing these challenges head-on and ensuring that cybersecurity practices are rigorously implemented, measured, and maintained, organizations can better protect themselves against the pervasive threat of ransomware attacks. Focusing on the fundamentals first, such as implementing foundational controls like 2FA, fostering maintenance skills to integrate IT and security efforts, and adopting performance management practices, can lead to significant improvements in cybersecurity, providing robust protection with less investment.