- A new report created to help organizations navigate ransomware risks exemplifies the challenges small- to medium-sized businesses confront in the battle against just one of many cyberthreats.
- The recommendations, identified to help SMBs with limited cybersecurity expertise, include 40 safeguards. That’s a curated subset of the guidance in the Center for Internet Security’s critical security controls.
- The report’s authors acknowledge not every organization has the resources to implement every safeguard immediately, but they maintain any actions taken, full or partial, represent a step in the right direction.
Balancing prescriptive and prospective guidance in the battle against ransomware is difficult for large enterprises and often even more so for their smaller counterparts.
Two of the report’s authors — Megan Stifel, chief strategy officer at the Institute for Security and Technology, and Valecia Stocchetti, senior cybersecurity engineer at the Center for Internet Security — said every little bit helps.
“It’s easy for [SMBs] to become overwhelmed when implementing a security framework. Starting small is the key,” Stifel and Stocchetti said via email.
Organizations should, as a baseline, establish and maintain an inventory of all assets and accounts, then grow defenses at a pace that takes available resources and appropriate needs into account, according to the Blueprint for Ransomware Defense published by the Institute for Security and Technology.
The 40 safeguards, including 14 deemed foundational and 26 described as actionable, were selected for their effectiveness in defending against ransomware attacks.
The foundational guidance involves procedural steps to identify, protect, respond and recover from ransomware. This includes the establishment of programs for vulnerability management, security awareness, incident reporting, configurations and the granting or revoking of access.
Communicating best practices, even less complicated actions that can bolster cybersecurity remains troublesome across every level of responsibility in governments, enterprises, SMBs and individuals.
Software updates, improved password management and multifactor authentication are relatively straightforward tasks that need to be explained in ways that people and organizations don’t find too complicated, too confusing or too technical, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said in June at the RSA Conference.
These responsibilities fall on all of us, akin to how individuals participate in their own physical defense by default, such as looking both ways before crossing a busy street, National Cyber Director Chris Inglis said on a panel with Easterly at the conference.
“We’ve made it seem like it’s harder to do than it is,” he said.