Top Ransomware Lessons for IT Leaders

Backups alone won't save you. Veteran technologist Howard M. Cohen breaks down the evolving ransomware threat and the layered strategies IT leaders need to stay ahead of the next attack.

Transcript

Hi, everyone. Welcome to the latest installment of our ongoing editorial webinar series, Coffee Talk. Each hour-long, information-packed episode, organized by the hardworking folks at Redmond magazine, features the observations and insights of an independent expert on a wide range of tech industry topics. Many thanks to the underwriting sponsor of this episode, Quest Software, protecting and empowering users and data, streamlining IT operations and hardening cybersecurity from the inside out since 1987. Without their support, this series would not be possible.

And thanks to you for joining us. I'm John K. Waters, Editor in Chief of the Converge360 group of 1105 Media, and I'll be your moderator. Today's topic is top ransomware lessons for IT leaders, and our lead presenter is technologist, creator of compelling content, and senior consultant Howard M. Cohen.

Before we get started, just a bit of housekeeping. This episode is being recorded for later access, so keep an eye out for an email with a link to that recording in the next few days. We will make time for questions, so please feel free to type your questions into the Q&A box at any time. Our sponsor has provided some extra resources you will not want to miss, available now on your console. As a small thank you to the first 200 attendees who stick with us to the end, we will send you a $5 Starbucks certificate. It's a cup of joe to go with the info.

Now, the presenter. Howard M. Cohen has spent more than 40 years in the IT industry. During that time, he's held senior executive positions in many of the top channel partner organizations, and he currently writes for and about IT and the IT channel. He's a sought-after speaker and insightful observer of the technology landscape, and one of our very favorite presenters. You're in for a great session. Take it away, Howard.

Howard M. Cohen's Presentation

Thank you, John K. Waters. This is Howard M. Cohen welcoming you to today's presentation on ransomware lessons for IT leaders. Those of you who have been with me in prior presentations know I always begin with a word of the day. Today's word is based on an error message: "Problem exists between keyboard and chair. Please replace user as soon as possible."

Yes, "problem exists between keyboard and chair" is the inspiration for today's word of the day, which is PEBCAK: problem exists between keyboard and chair. Some of you may have heard other versions of PEBCAK. There is the popular PICNIC: problem in chair, not in computer. There is EBCAK, error between keyboard and chair. There is PEBMAC, problem exists between monitor and chair. Then there's the ID10T error, one of my favorites, indicating that "ID10T" is you, get it? There's also the layer eight issue. You're familiar with the OSI seven-layer model; there is an eighth layer, the user layer. And of course, the classic IBM: idiot behind machine error.

Obviously, we're saying the problem is focused on users. The problem users have is that all too often, because they are fallible and human, they fall for phishing emails.

Phishing is a form of social engineering. Social engineering is so prevalent that of 2,200 incidents per day, over 90 percent use social engineering.

It is a predominant technique people use to break into other people's networks. Why? Because people are fallible, unpredictable, and will not do the same thing the same way every time because they have feelings, may be in a bad mood, or distracted. You can't do that with digital devices, but you can with people.

When I say they're falling for phishing, what am I talking about? The user receives an email that looks very genuine. It has the right typography, coloring, and reads like it comes from who it says it comes from. It may come from a vendor like Microsoft, your bank, your attorney, or even your boss, appearing to come from within your organization. These are particularly insidious.

In many cases, the email makes an offer, like a free vacation or free gas for life, if you click here. Another form it takes is the Microsoft 365 login page popping up, asking you to log in with your ID, password, and MFA, but it's not from Microsoft—it's from a cybercriminal. It invites you to click a link or open an attachment, and when you do, you open the gates of hell.

You give the attacker free rein to corrupt, encrypt, or steal your data. Once they're done with your data, they move laterally around your network, attacking and wreaking havoc on everyone in your organization. Phishing emails often lead to ransomware.

When I say ransomware, I mean a subset of malware where the thief locks or encrypts your data, then lets you know they have done so and will not return it until you pay. It's nasty. There are multiple types of ransomware. Locker ransomware blocks your access to computers. Crypto ransomware encrypts files and demands payment for the encryption key. More recently, we've seen double extortion, where you pay to decrypt your files, and then they threaten to release your data publicly, forcing you to pay again.

There are also ransomware-as-a-service models, where attackers can use someone else's ransomware engine for a fee.

Ransomware has become more prevalent. If you've never encountered a ransomware notice, consider yourself fortunate. Let me tell you, ransomware messages are among the most frightening things you will ever see. They'll tell you your documents have been copied to their servers, encrypted on your server, and you can't recover them unless you pay. They might even tell you how much time you have left to pay, asking for as little as $300.

It used to be that ransomware demands were in the hundreds of thousands or millions, but attackers realized they weren't getting paid, so they lowered their demands to more affordable amounts to increase the likelihood of payment.

Despite lower individual demands, the overall cost of ransomware is massive. In 2023, the global cost was $30 billion. An IBM report states an individual data breach now costs almost $4.5 million, and the average ransom payment has increased to almost $1 million.

Ransomware incidents are increasing in frequency and cost. The attackers don't care about your data; they want your money. More than 95 percent of breaches are financially motivated. The average ransom payment continues to rise, and it takes almost a year for victims to identify they've been attacked. Over a third of ransomware attacks are never reported, so our statistics could be off by as much as a third.

In 2023, cybercrime hit $8 trillion, and it's expected to grow to $10.5 trillion by next year. It's predicted that we will see a ransomware attack every two seconds within the next decade.

When confronted with ransomware, you have three choices: pay the ransom, not pay and risk going out of business, or restore from backup.

Two-thirds of those who pay the ransom get their data back, but about a third do not. If you choose not to pay, you risk going out of business, as many companies that lose their data go out of business within 60 days. The third option, restoring from backup, is where we pivot to discuss solutions.

The popular assumption is to provide protection and prevention, but preventative measures only go so far due to PEBCAK. So, we need to go beyond prevention and protection.

Solution step one: make the attack pointless by encrypting your data in all three states—at rest, in transit, and in use—so that even if attackers steal your data, it is useless without your decryption key.

Solution step two: maintain fresh, current backups so you can quickly recover your data and replace the encrypted versions. Follow the 3-2-1 rule: keep three backups on at least two different media, with at least one copy offsite. One copy should be recorded to immutable storage so it cannot be changed.

Solution step three: prepare for the next attack. Continue user training, regularly test backups, conduct phishing tests on your users, and publicly highlight failures to reinforce vigilance. Provide multiple layers of network defense, strong endpoint protection, consider implementing zero trust, and employ extended detection and response to catch threats early.

Practice prompt patching to reduce vulnerabilities, and remember that backup is a constant occurrence, not a daily task. Maintain air-gapped and immutable backups, and establish a cycle to manage old backups appropriately.

Finally, as Master Yoda would remind you, use the Force: exercise constant vigilance. This threat is not going away and requires your ongoing attention to detect and stop ransomware attacks before they hit.

That prepares us for the next presentation, where we will discuss in more detail how to put these measures into practice. Before that, I will ask my friend John to come back on to let me know if there are any questions.

[Audience Q&A follows; listen to it here.]