How ransomware threatens government agencies [Q&A]


Ransomware is an increasingly severe threat to all organizations, and government agencies are not exempt. The Federal Trade Commission recently labeled ransomware as "among the most troubling cyberthreats".

But why are government agencies such an attractive target, and what can they do to combat the threat? We spoke to Andrew Hay, chief information security officer of data security specialist DataGravity, to find out.

BN: Ransomware isn't a new danger, but it seems to be on the rise. Why is the FTC just now recognizing it as a cybersecurity threat?

AH: Although the threat isn't new, people are aware of ransomware threats more than ever. We can't say for sure why the FTC recently addressed the issue -- it may have been the focus of an internal policy, or perhaps the commission realized citizens are looking to the government to respond to such threats. In any case, ransomware can be one of the most damaging security attacks in the digital age, as it gives perpetrators the chance to extort money from unsuspecting, unprepared individuals. The more users in every industry can recognize and understand ransomware incidents, the more people can prepare to defend their sensitive data from attacks.

BN: This malware seems to be hitting certain industries harder than others. Why government agencies? What makes them particularly vulnerable? 

AH: Many government agencies have access to (and store) personal information about individual people. This data makes government agencies a major target -- personally identifiable information (PII) is worth a lot of money in the criminal underground, meaning its presence can easily motivate a ransomware attack. If an organization or department has PII about thousands of individuals, an attacker would immediately assume a high profit associated with that information.

Due to budget restraints, it's also common for government organizations' IT infrastructure to be sprawling in nature, often with out-of-date technology in certain areas and a lack of security staffing when compared to private industries. When you combine the incentive for ransomware attacks on government agencies with the resources many are using to guard against them, it’s a perfect storm of vulnerability.

BN: What can these agencies do to prevent ransomware attacks?

AH: The easiest and most valuable defense plan for ransomware is to ensure that all sensitive data is fully protected, and to prepare and frequently test a response strategy. Data is what attackers are looking for -- it's often more important than the operational state of a system. When data has been adequately secured before an attack occurs, recovery is an easy, programmatic process. To pull it off, agencies need to know exactly where every instance of sensitive data resides, who has access to it and what they're trying to accomplish.

Frequently backing up data (and testing those backups) is a critical part of responding to ransomware. If IT pros can restore a system's operations using a backup, and also recover the data used by the system, there's no reason for an attack to cause panic. On the other hand, if an agency is trying to proactively deflect every ransomware variant instead of focusing on response tactics, they’re likely embarking on a no-win strategy.

BN: Should the government pay or not pay the ransomware fee?

AH: There’s no good answer to this question. Paying a ransom is always risky, and there's no guarantee that the attacker will, or can, actually return the data in question. There's no way to search Yelp for your ransomware campaign operator's credibility. Shelling out a ransom fee also validates the attack strategy’s lucrative business model, which might encourage the continued use of a particular ransomware strain.

Yet, in situations where data value, business costs associated with data loss and customer remediation costs add up to a greater sum than the ransom demanded by an attacker, it can make sense to pay the ransom and move on.

BN: While ransomware is a high priority for many government IT compliance employees, what other data security threats should they be considering?

AH: Government agencies face a multitude of data security threats with limited resources, as do organizations in a host of private industries -- especially small and midsized businesses. In every case, one of the most dangerous security risks stems from the fact that many organizations don't know what their data contains. As a result, agencies underestimate their threat level and underprepare for a security attack of every kind. Unless the organization has been burned before or has a full understanding of the sensitive information it's housing, the team isn't equipped to recover from ransomware -- or any other attack.

Many security attacks are opportunistic. In the cases of ransomware, phishing emails and other frequently used tactics, individuals recognize a chance to get a foothold into an organization's infrastructure. Once they're inside, those individuals are in control of the situation. By learning as much as they can about what's in their data and how it's being used, government IT pros can defend against such attacks and make recovery a simple process.

Photo credit: Ton Snoei / Shutterstock

© 1998-2024 BetaNews, Inc. All Rights Reserved.