Learn the latest about NIST’s new preliminary draft for a ransomware risk management framework.

Cyberattacks against businesses of all sizes are at all-time highs. Data from 2021 and projections for the future of cybersecurity suggest that the frequency and intensity of these attacks will only continue to grow.

At the forefront of most cyberattacks in 2020 was ransomware, a type of malicious malware attack where attackers encrypt your organization’s data and demand payment in exchange for a decryption key to restore access.

In response to that steady increase of ransomware attacks, the National Institute of Standards and Technology (NIST) has published a preliminary draft of a ransomware risk management framework.

The document is intended to help organizations prevent, respond to, and recover from ransomware events. It also includes a “Ransomware Profile” to help organizations gauge their level of readiness to counter ransomware threats, and to deal with the potential consequences of a ransomware attack.

The preliminary draft was published in June 2021 and was open for public comment until mid-July. The document will have at least one more comment period before it is formally adopted.

This guidance is yet another indication that ransomware is the emerging leader in the rise of cyberattacks, and that your organization must take action to keep your data safe. Creating an effective security risk management program requires staying current with the latest threats, and then planning accordingly.

While ransomware may be the biggest cyber threat facing your organization today, that could well change in the future. Even the risk of ransomware itself has evolved since it took the spotlight as the preferred method of cyberattack for many cybercriminals.

What Is Ransomware?

Typically criminals conduct ransomware attacks via phishing emails: emails that appear to be from credible or reputable sources, but actually are from hackers pretending to be someone else so they can gain access to your organization’s network. Phishing emails often include a link that will send whoever opens it to a website that asks for login credentials or other administrative information.

Using that information, criminals can then infiltrate your organization’s system and encrypt your critical data. Lately, however, a new twist has arisen. Malicious actors are also likely to demand additional payment in exchange for not disclosing or exposing your data on the dark web, to authorities, to your competitors, or to the public.

Similarly, the rise in Ransomware-as-a-Service (RaaS) means that almost anyone can launch a ransomware attack using previously developed ransomware tools purchased from ransomware developers.

Customized RaaS campaigns allow criminals to shift away from mass ransomware attacks targeting a large number of firms; toward targeting fewer, larger organizations with more customized ransomware. It is a more precise strategy, which can yield more lucrative results.

These developments indicate that ransomware is becoming a more serious cyber risk for businesses of all industries — but particularly for the healthcare industry.

Research from a Verizon 2021 Data Breach Investigations Report shows that in 2020, ransomware attacks increased globally by 6 percent. The most popular target among hackers was the healthcare industry.

Healthcare organizations are particularly vulnerable to ransomware attacks because criminals know that healthcare facilities can’t spare precious time to crack ransomware codes when lives are at stake. This sense of urgency means that healthcare organizations are more likely just to pay the ransom so that they can resume operations as quickly as possible.

Other industries that operate with a similar sense of urgency (usually organizations providing critical services) are also especially vulnerable to ransomware attacks.

For instance, the recent ransomware attack on Colonial Pipeline illustrates how vulnerable to cyberattacks our critical infrastructure really is. The company, responsible for most of the gas distribution in the southeastern United States, had to shut down its distribution system for days when a ransomware attack brought operations to a standstill.

That attack led to shortages and long lines at gas stations throughout the region, and gained nationwide attention from the press. Colonial Pipeline eventually paid nearly $5 million to the attackers in exchange for the decryption key, which worked so slowly that the company had to rely on its own backups to restore service anyway.

The FBI explicitly recommends against paying ransom for that very reason: because a ransom payment never guarantees the decryption of data. According to a global study of 15,000 consumers, 17 percent of those who paid the ransom did not secure the return of their stolen data.

Most obviously, ransomware attacks pose a huge amount of financial risk to organizations. For some, the financial burden of a ransomware attack is enough to shut down operations entirely.

In addition to financial risk, ransomware attacks also threaten your organization’s reputation, which could result in losing your customer’s trust, falling stock prices, or withdrawals of critical capital investments.

So what is the best way to prevent ransomware from harming your business? You need to create and implement a risk management program that addresses ransomware risk.

This answer may seem obvious, but anticipating risk so you are prepared to mitigate the outcome isn’t as easy as it sounds.

Ransomware risk is particularly difficult to determine because cybercriminals are able to hide their efforts to steal and encrypt your data until well after the deed is done; most organizations aren’t made aware of an attack until many months after it occurs.

Fortunately, NIST’s recently published preliminary draft for a ransomware risk management framework can help your organization better prepare for and respond to ransomware attacks when they occur.

NIST’s Preliminary Ransomware Risk Management Draft

The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce that aims to “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”

In 2014 NIST created the Cybersecurity Framework (CSF) to provide a “common organizing structure for multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively today.”

The NIST CSF is based on existing standards, guidelines, and practices, and offers many specific, customizable actions that organizations can take to better manage and reduce their cybersecurity risk.

On June 9, 2021, NIST published a draft of ransomware guidance for organizations. The document reviews how to defend against malware, what to do when a ransomware attack occurs, and how organizations can recover from ransomware events.

The framework establishes the Ransomware Profile: a guide to help organizations assess the state of their own readiness for a ransomware attack. The profile maps security objectives from the NIST CSF to security capabilities.

Informed by NIST CSF, the Ransomware Profile is divided into five categories: identify, protect, detect, respond, and recover.

Each category also contains subcategories with more specialized references that organizations can consult, along with a ransomware application section that explains how each subcategory can help to prevent or respond to ransomware attacks.

  • Identify. This category is the foundation for the rest of the cybersecurity measures. It involves developing an organization-wide understanding of cybersecurity risks.
  • Protect. This category suggests implementing security systems and safeguards that prevent the disruption of critical services. The profile recommends proper credential management and network segmentation.
  • Detect. This category outlines what to look for using early detection of ransomware events, and recommends monitoring personnel activity and keeping detailed records as well as conducting audits to get ahead of suspicious activity.
  • Respond and recover. These categories provide guidelines for reporting a ransomware attack and recovering trust with stakeholders after an attack.

The publication also details basic preventative measures that an organization can take immediately to protect your data against ransomware threats:

  • Use antivirus software at all times. You should also set your software to automatically scan emails and flash drives.
  • Keep computers fully patched. You should run scheduled checks to keep everything up-to-date.
  • Block access to ransomware sites. You should use security products or services that black access to 96 known ransomware sites.
  • Allow only authorized apps. You should configure operating systems or use third-party software to allow only authorized applications on computers.
  • Restrict personally owned devices on work networks. Employees and others should not be able to access the corporate network from personal devices that might be unsecured.
  • Use standard user accounts rather than accounts with administrative privileges whenever possible.
  • Avoid using personal apps — email, chat, and social media — from work computers.
  • Beware of unknown sources. You should not open files or click links from unknown sources unless you first run an antivirus scan or look at links carefully.

To help organizations recover from future ransomware events, the NIST publication suggests the following steps:

  • Make an incident recovery plan. You should develop and implement an incident recovery plan with defined roles and strategies for decision making. This can be part of a business continuity of operations plan.
  • Backup and restore. Carefully plan, implement, and test a data backup and restoration strategy. Secure and isolate backups of important data, too.
  • Keep your contacts. Maintain an up-to-date list of internal and external contacts that can help with ransomware attacks, including law enforcement.

All of the recommendations outlined in the framework profile are meant to be used in conjunction with the NIST CSF; other NIST-specific resources that provide guidance on patching software, improving telework device security, and more; guidance issued by the Department of Homeland Security; and guidance issued by the FBI.

NIST says that the Ransomware Profile is intended for a general audience and is broadly applicable to organizations that:

  • Have already adopted the NIST CSF to help identify, assess, and manage cybersecurity risks;
  • Are familiar with the NIST CSF and want to improve their risk postures;
  • Are unfamiliar with the NIST CSF but need to implement risk management frameworks to meet ransomware threats.

Whether your organization is already familiar with the NIST CSF or is considering adopting the risk management framework to meet rising ransomware threats, NIST’s preliminary draft for ransomware risk management can help your organization to get ahead of ransomware attacks and to avoid the often disastrous repercussions.

Next Steps for NIST

As mentioned before, NIST accepted public comments on the preliminary draft for ransomware risk management until July 9, 2021. A revised copy along with a second commentary period will be released prior to the final document’s adoption.

As cybersecurity threats continue to evolve, NIST presumably will continue to update its frameworks regularly to reflect the current threats facing organizations.

This means keeping your own cybersecurity measures current using the NIST frameworks as a point of reference. As NIST points out in its CSF, there is no one-size-fits-all approach to cybersecurity.

Instead, using the NIST CSF and the preliminary draft for ransomware risk management, your organization should update your own risk management plan to reflect the best practices for your business.

When new changes are introduced by NIST, it’s important that your organization updates its own risk management program in response. Still, with threats to cybersecurity constantly evolving, staying aware of every threat can be difficult and time-consuming.

That’s where good governance, risk management, and compliance (GRC) software can help.

ZenGRC Helps You Track Changes in Risk Management

Creating and implementing a risk management program is complicated enough as it is.

Cybercriminals constantly change their tactics and technologies, so your organization must do the same — or risk losing control of your systems and data to ransomware. At the same time, you need to stay current on the latest frameworks available to your organization and which ones your compliance program should use.

For many organizations, this task of measuring and assessing risk while staying compliant is overwhelming. It requires time, money, and resources that some organizations just don’t have.

Fortunately, there is a GRC software solution that can help you handle the many facets of managing risk, including ransomware risk management.

ZenGRC from Reciprocity can help your organization address enterprise risk management (ERM) and cybersecurity risk across threats, vulnerabilities, and incidents. It can communicate current risk status and potential threats through risk heatmaps, dashboards, and reports.

Customizable risk calculations with multivariable scoring let you evaluate risk across connections, such as systems, business divisions and controls, including NIST frameworks.

With continuous risk monitoring from ZenGRC, you’ll be able to discover compliance-related risks before they manifest, with intuitive and automated alerts and workflows so you can catch and remediate risks with real-time updates.

Zen helps you pinpoint risk by probing your systems and finding cybersecurity compliance gaps. Generating metrics about your risk posture, ZenGRC can help you prioritize risks using a user-friendly dashboard to let you see at a glance the status of each risk, and what needs to be done to address it.

Zen also generates an audit trail of your risk management activities and stores all of your documentation in a “single source of truth” repository for easy retrieval come audit time. It allows unlimited self-audits so you always know where your organization’s risk management and compliance efforts stand.

With ZenGRC, ransomware risk management all but takes care of itself — leaving you to more pressing concerns such as boosting your business and your bottom line.

Worry-free GRC: that’s the Zen way. Sign up for a demo today to see how ZenGRC can help your organization get the most out of NIST’s preliminary draft on ransomware risk management.

How to Upgrade Your Cyber Risk
Management Program with NIST