The Ransomware Challenge: Don’t Pay – Prevent and Protect

Recently, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an updated advisory that warns against paying out ransomware demands and encourages a risk-mitigation approach, in light of dramatic increases in ransomware attacks to US-based organizations. 

girl with code projecting on her face representing the risk of ransomware attacks

The advisory is a timely response to a higher incidence of this national security threat, with 51% of respondents to a 2020 survey of 5000 IT managers revealing they had suffered a ransomware attack in the last year, and a 171% increase on the average ransomware payment compared to 2019. 

What the legislation means for US organizations 

In the updated policy, OFAC stresses that no direct or indirect payments should be made to malicious cyber actors who have been listed under their cyber-related sanctions program. Rather, they recommend taking preventive measures and a resilience approach to cyber security to protect themselves against ransomware attacks. 

It states: “The U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.” 

However, what are the best preventive measures and how should you ensure you won’t be affected by ransomware in the first place? And how will OFAC determine that your mitigating factors were up to par, so their enforcement response is appropriate in case of violation? 

OFAC advisory mitigating factors 

First and foremost, a Sanctions Compliance Program (SCP) and “meaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices, such as those highlighted in the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide” will be considered by OFAC when determining an appropriate enforcement response to a ransomware payment. 

The CISA-recommended mitigation measures mentioned in the advisory include but are not limited to: maintaining offline backups of data, an Incident Response Plan (IRP), a Written Information Security Program (WISP), instituting cybersecurity training, regularly updating antivirus and anti-malware software, employing authentication protocols, making a voluntary and complete self-disclosure report of the ransomware attack to OFAC, law enforcement, or other appropriate U.S. agencies, and the organization’s cooperation with OFAC or law enforcement. 

Don’t pay – prevent and protect: A risk-based approach to cybersecurity 

“As a general matter, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations”, states the advisory. Indeed, this advice is consistent with global standards, regulations and guidance, such as ISO 27001, the California Consumer Privacy Act (CCPA), Payment Card Industry Data Security Standard (PCI DSS) and the National Institute of Standards and Technology (NIST). NIST clearly echoes the importance of improving understanding and awareness around ransomware as they are developing the NIST 8374 framework to provide additional guidance. 

A risk-based approach to cybersecurity provides an understanding of risk tolerance, enabling organizations to prioritize cybersecurity activities in order to make informed decisions about cybersecurity expenditures. Knowing where and how to spend your budget to better protect yourself against cyberattacks, including ransomware, as well as understanding what levels of risk your organization can withstand with minimal to no disturbance to your business activities is the foundation of building cyber resiliency.  

Acuity has vast experience supporting organizations become more resilient and better understand their risk tolerance. Based on this experience, we have arrived at seven requirements for a practical risk–based approach to cybersecurity, to help get you started: 

  1. Set the right scope 
  1. Capture and correlate relevant risk information 
  1. Make risk-informed decisions 
  1. Report in the language of business leaders 
  1. Maintain evidence and history 
  1. Accept accountability 
  1. Monitor and continually improve 

For more detail on the above, you can download our whitepaper 7 Requirements for a Risk Based Approach to Cyber Security or contact us to speak to our risk management experts.