As Georgia’s Chief Information Security Officer (CISO), David Allen has seen many ransomware attacks. In some cases, agencies have bounced back in days. In others, they’ve been reduced to using pen and paper.
In any case, Allen says that preparing for ransomware can teach agencies important lessons that they can apply in many ways, including to other cyberattacks, pandemics or something else.
During an interview with GovLoop, Allen describes how bracing for ransomware can equip agencies for many setbacks.
This interview has been lightly edited for clarity and length.
GOVLOOP: How do situations like the COVID-19 pandemic affect ransomware preparedness, especially with so many agencies working remotely?
ALLEN: If our attention is on other things, it provides an opportunity for adversaries to step up attacks. Everybody’s awareness of ransomware was heightened over the past year and we saw a decrease in a lot of issues or incidents. Or, at least we saw a decrease in the severity of them when they occurred because there were people taking definitive action to make sure that ransomware attacks didn’t happen to them.
I think cybercriminals are relying on us to take our eye off the ball in that regard. They’re seeing it as a potential opportunity to cause some damage and extort additional payments. And we have seen an increased spike in activity out there.
The No. 1 thing with working remotely is to maintain vigilance. Typically, our home networks are not as secure as the ones we use in the office. So, the second piece is stressing to our employees that they should practice good cyber hygiene at home. It’s using complex passwords, being mindful of specific policies about bringing your own devices, etc. As far as the IT staff, if they’re monitoring NetFlow, they need to pay extra attention. We’re just going to have to stay diligent from a security perspective. We must be mindful not to roll back any security protocols out of convenience. We should be able to adjust to this new normal.
What can agencies do to prevent ransomware attacks?
For prevention, I would say pay attention to our first line of defense: our users. In Georgia, our governor, Brian Kemp, leaned forward very hard on mandating training for all executive branch employees. We were able to give about 95% of our executive branch employees training within a 90-day period, which was significant for us. And that’s gone a long way to mitigate things.
When we talk to administrators, a big problem around ransomware has been that once cybercriminals get in, they’ve been able to compromise someone’s account that had elevated privileges. So, we focus a lot on making sure these administrative credentials and passwords are of the appropriate complexity by transitioning to multifactor authentication. It’s at a minimum at the admin level, but we’re pushing to get it implemented across the board for all users.
The third component is putting a lot of focus on our data backups and making sure we’re verifying the integrity of those backups continually. I’ve seen backups that have been compromised because the firewalls or some of the applications they were using weren’t configured properly. They didn’t provide the defense that they were supposed to.
How can recovery tools such as data backups help protect agencies from ransomware?
If you can completely restore your critical systems and the files that personnel work with, you’re going to be up in hours or days as opposed to weeks and months where you don’t have backups to restore to.
Without those backups, you’re basically building your entire IT environment from scratch. And that can cost you hundreds of thousands of dollars in equipment and new licensing, not to mention the personnel you need to help you architect the environment and set it up. If you’re a small shop with only two or three IT personnel supporting a lot of locations, you’re not going to be able to do that without a lot of contracting help.
If you can restore those critical systems that keep your doors open and allow operations to flow, you can manage some of the lower-level stuff. But knowing what those critical systems are and having them on a secure backup that’s verified will go a long way to ensure that you can quickly recover from an operational perspective.
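Allen twice returns to the same control: back up the critical systems, and continually verify the integrity of those backups rather than assuming they will be there when needed. The following is an added example, not code from the interview or from the State of Georgia, showing one way a small IT shop could automate that verification. It assumes (my assumption, not the interview's) that a backup set is a directory of files, that a SHA-256 manifest is written at backup time and sealed with an HMAC key held separately from the backup storage, and that a later check re-hashes every file and reports anything missing, modified or unexpected. The sample backup files and the demo key are constructed for the demonstration.

```python
"""Build, seal and verify an integrity manifest for a backup set.

Added example (not from the interview). Assumptions: backups are plain
files under one directory; a manifest of SHA-256 digests is produced at
backup time; the manifest is sealed with an HMAC key stored away from the
backup media so that an attacker who can rewrite the backups cannot also
rewrite the manifest to match.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map every file (relative POSIX path) in the backup set to its digest."""
    manifest = {}
    for path in sorted(backup_dir.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(backup_dir).as_posix()] = sha256_file(path)
    return manifest


def seal_manifest(manifest: dict, key: bytes) -> dict:
    """Serialize the manifest and attach an HMAC tag computed with the off-site key."""
    body = json.dumps(manifest, sort_keys=True)
    tag = hmac.new(key, body.encode(), "sha256").hexdigest()
    return {"body": body, "tag": tag}


def open_manifest(sealed: dict, key: bytes):
    """Return the manifest if the tag verifies, else None (manifest not trusted)."""
    expected = hmac.new(key, sealed["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None
    return json.loads(sealed["body"])


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Re-hash the backup set and diff it against the trusted manifest."""
    current = build_manifest(backup_dir)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(
        name for name in manifest if name in current and current[name] != manifest[name]
    )
    return {
        "ok": not (missing or unexpected or modified),
        "missing": missing,
        "unexpected": unexpected,
        "modified": modified,
    }


def demo() -> dict:
    """Run the workflow on a constructed backup set: clean check, then a tampered one."""
    key = b"constructed-demo-key-keep-real-keys-off-the-backup-host"
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "records.sql").write_bytes(b"CREATE TABLE permits (id INT);\n")
        (backup / "config.ini").write_bytes(b"[service]\nport=8080\n")

        sealed = seal_manifest(build_manifest(backup), key)
        trusted = open_manifest(sealed, key)
        wrong_key = open_manifest(sealed, b"not-the-real-key")
        clean = verify_backup(backup, trusted)

        # Simulate what a compromised backup looks like: one file overwritten,
        # one deleted, one dropped in that the manifest never recorded.
        (backup / "config.ini").write_bytes(b"\x00\x00overwritten")
        (backup / "db" / "records.sql").unlink()
        (backup / "README.txt").write_bytes(b"unexpected file")
        tampered = verify_backup(backup, trusted)

    return {"clean": clean, "tampered": tampered, "wrong_key_rejected": wrong_key is None}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of sealing the manifest is the same one Allen makes about backups that failed because the surrounding controls were misconfigured: a digest list kept on the same share as the backups gives no assurance, because whatever encrypts the backups can rewrite the list too. Scheduling `verify_backup` against a restore-test copy turns "we have backups" into "we have verified, restorable backups."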