Strategies for combating ransomware encounter potential bottlenecks due to numerous procedural steps
The Institute for Security and Technology has published a new report, titled "The Blueprint for Ransomware Defense," which aims to assist organizations, particularly small- to medium-sized businesses, in fortifying their defenses against ransomware attacks. The authors of the report, Megan Stifel (Chief Strategy Officer at the Institute for Security and Technology) and Valecia Stocchetti (Senior Cybersecurity Engineer at the Center for Internet Security), have curated a list of 40 safeguards to help organizations protect themselves.
The report emphasizes the importance of starting small when implementing a security framework. Every little bit helps, as Stifel and Stocchetti suggest, and any actions taken, full or partial, represent a step in the right direction. The authors acknowledge that not every organization may have the resources to implement every safeguard immediately, but they encourage organizations to grow their defenses at a pace that takes available resources and appropriate needs into account.
The 40 safeguards, 14 foundational and 26 actionable, have been selected for their effectiveness in defending against ransomware attacks. The foundational guidance involves procedural steps for vulnerability management, security awareness, incident reporting, configurations, and access management. The actionable safeguards offer more specific recommendations, such as establishing and maintaining an inventory of all assets and accounts, and implementing software updates, improved password management, and multifactor authentication.
Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency, and Chris Inglis, National Cyber Director, made the following points at the RSA Conference in June. Easterly emphasized the need to explain these cybersecurity measures in a way that is not too complicated, confusing, or technical. Inglis compared the responsibility of cybersecurity to personal physical defense, such as looking both ways before crossing a busy street, and stated that the process of cybersecurity has been made to seem harder than it actually is.
Balancing prescriptive and prospective guidance in the battle against ransomware is challenging, especially for smaller organizations. The report's authors stress that communicating best practices, even simple cybersecurity actions, remains a challenge across all levels of responsibility in governments, enterprises, SMBs, and individuals. The report serves as a valuable resource for organizations seeking to strengthen their defenses against ransomware attacks and is a testament to the Institute for Security and Technology's commitment to promoting cybersecurity awareness and education.
The authors' expertise and the institute's reputation in the field of cybersecurity lend credibility to the report's recommendations. The report is designed to assist organizations, particularly small- to medium-sized businesses, in implementing effective security frameworks and defending against ransomware attacks.