What Your Organization Can Do to Stop Ransomware

June 16, 2021

You might be panicking right now, and I understand why. There’s a quickening drumbeat of news about companies getting hit by ransomware, and your organization has probably done little to prepare for it—let alone figure out how to pay a steep ransom. 

Well, you don’t have to pay. That’s right. Take a deep breath and stop worrying. If your organization takes the proper steps to protect its data, you won’t have to shell out any Bitcoin. You won’t have to call the FBI. It’s time to flip the script on cybercriminals. You can protect your data so that it’s worthless in the hands of hackers and forces them to ignore your organization altogether.

Ransomware works because many cybercriminals behave like rational businesspeople. They follow a tried-and-true playbook to score easy money: Encrypt a business’ files through malware, demand a ransom, and then give the victims detailed instructions on how to pay. Some even have a help desk with dedicated “customer-service” representatives standing by, ready to take your money. And take they will: The average ransomware payment was $312,493 in 2020.

The playbook indeed works. Look no further than how one of the largest insurance companies in the U.S., CNA Financial Corp., reportedly paid $40 million in ransom, which some cybersecurity experts believe is the largest such payment. JBS, one of the largest meat suppliers in the U.S., paid the equivalent of $11 million in ransom. And after a cyberattack prompted fuel shortages across the East Coast, Colonial Pipeline sent about $4.3 million worth of Bitcoin to recover its data—although it was fortunate the U.S. government managed to retake $2.3 million of the ransom.

If you’re like those businesses—or even Volkswagen or McDonald’s, which also recently lost sensitive customer and employee data as targets of cybercrime but weren’t victimized by ransomware—you might feel unprepared for what seems like, and usually is, an inevitable cyberattack. (A Dell survey in 2020 showed that 63 percent of businesses had suffered a breach within the past year.)

Security Magazine recently outlined why companies haven’t taken ransomware seriously: a lack of resources, overworked security personnel who miss warning signs because they’re stretched thin, and a small pool of experts to hire from because of a dearth of trained and educated professionals. If your organization is in that boat, it doesn’t have to sink. Right now, you can stop ransomware before it stops your business.

By following five simple steps, you can simultaneously protect data and make it available to those who use it to gain valuable business insights. You don’t need to put data under lock and key to avoid a cyberattack. Data can, and should, be shared freely and safeguarded effectively. 

Know what kind of sensitive data you have and where it is. If you can’t determine either, don’t worry; many companies also don’t know. That’s because data is kinetic. It’s everywhere and never stops coming: IDC predicts that by 2025, 175 zettabytes (or 175 trillion gigabytes) of new data will have been created around the world. Add to that the many zettabytes that have been annually produced over the past decade, and that’s a lot of data—and much of it is sensitive.

Sensitive data flies under the radar. It’s often created through new business processes and applications that can go unnoticed in larger data discovery efforts. Enterprise data protection as a whole is particularly difficult to manage because data powers a wide variety of on-premises and cloud-based applications and exists in many databases. You can’t protect what you don’t know you have. That’s why it’s critical to rely on a data-protection platform that corrals all of your data so you can determine what’s sensitive. When data is properly categorized as sensitive or non-sensitive, then you can decide which data-protection method best aligns with the level of sensitivity, which is often shaped by regulations governing data privacy.
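The discovery step above is easier to picture with code. The following is an added example, not code from the original article or from any vendor's product: it scans a constructed set of "stores" (a CRM table, an HR application export and an application log, all hypothetical) for card numbers, U.S. Social Security numbers and e-mail addresses, and returns an inventory of which field in which store holds sensitive data. Card-number candidates are confirmed with a Luhn check so that arbitrary 13-to-19-digit numbers (order ids, timestamps) are not flagged; the field names, regexes and labels are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data (hypothetical stores, fields and values).
SAMPLE_STORES: Dict[str, List[Dict[str, str]]] = {
    "crm_db.customers": [
        {"name": "A. Example", "email": "a.example@example.com", "card": "4111 1111 1111 1111"},
        {"name": "B. Example", "email": "b.example@example.com", "card": "5500 0000 0000 0004"},
    ],
    "hr_app.employees": [
        {"employee_id": "E-1001", "ssn": "123-45-6789", "dept": "Finance"},
    ],
    "webapp.log": [
        {"msg": "checkout ok order=1234 pan=4012888888881881"},  # PAN leaked into a log line
        {"msg": "healthcheck ok"},
    ],
}

# 13-19 digits, optionally separated by spaces or hyphens; candidates only until Luhn-checked.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which real primary account numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value: str) -> List[str]:
    """Return the sorted set of sensitivity labels found in one field value."""
    labels = set()
    for match in PAN_RE.finditer(value):
        candidate = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(candidate):
            labels.add("PAN")
    if SSN_RE.search(value):
        labels.add("SSN")
    if EMAIL_RE.search(value):
        labels.add("EMAIL")
    return sorted(labels)


def build_inventory(stores: Dict[str, List[Dict[str, str]]]) -> Dict[Tuple[str, str], List[str]]:
    """Map (store, field) -> labels for every field that holds sensitive data."""
    found: Dict[Tuple[str, str], set] = {}
    for store, rows in stores.items():
        for row in rows:
            for field_name, value in row.items():
                for label in classify_value(value):
                    found.setdefault((store, field_name), set()).add(label)
    return {key: sorted(labels) for key, labels in found.items()}


if __name__ == "__main__":
    for (store, field_name), labels in sorted(build_inventory(SAMPLE_STORES).items()):
        print(f"{store:20s} {field_name:10s} {', '.join(labels)}")
```

The inventory is the input to the next decisions: a field labelled PAN gets tokenized, an e-mail field may only need masking, and the log line shows why discovery has to cover unstructured stores as well as databases.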

Decide who needs to see which data. There’s a proper balance to data access. It can get out of whack when an organization freely grants access because it is concerned business functions will otherwise slow. Imbalance also happens when an organization grants hardly any access—a measure that actually does slow business progress. Share data too freely, without regard to data-privacy laws, and a business will eventually find itself the focus of regulators and disappointed customers and partners. Hold data too tightly and a business will eventually find itself losing ground to data-driven competitors. 

A data-protection platform can help you achieve a healthy balance. But not just any platform. It has to be one that keeps your organization compliant with current regulations and prepares you to handle future regulations. When evergreen compliance weaves privacy into the fabric of your organization, secured sensitive data will fuel innovation and you’ll be future-proofed against new regulations as they surface.

Tokenize your data. There are other data-protection methods, including encryption, anonymization and dynamic data masking. But tokenization is often chosen by businesses that want to protect data while also preserving its format and length, so that it can be easily used in analytics.

Tokenization converts cleartext data into a random string of characters. Cybercriminals can do nothing with random characters, and, if anything, businesspeople that they are, they’ll realize they’ve just wasted time freezing data that’s worthless in their hands. Banks that want to protect the credit card numbers in their data, for example, will typically choose tokenization: randomly generated numbers (the tokens) replace the primary account numbers, and the format and length of the dataset stay intact. In other words, the data remains valuable to the bank, but not to an invasive hacker.

Empower your business with protected data analysis. This goes back to achieving a proper balance. When your organization can consistently and effectively classify, discover, and safeguard data, authorized employees can freely access and share it because the sensitive elements are protected.

Analyzed data arrives in time for financial teams, marketers, developers, and a host of business lines to benefit from in-the-moment valuable insights. A marketing manager, for instance, might need to access only pertinent data elements of the profiles of middle-aged customers so she can run a campaign through a third-party analytics program and determine who wants to buy exercise equipment. A CMO, on the other hand, might need access to the near-entirety of a customer’s data record for a more encompassing AI-supported initiative. When data-protection methods work in concert with policies that are centrally administered and enforced, data is compliant, secure, and can be shared without hesitation. 
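To show how the tokenization step and the role-based access step fit together, here is an added example that is not code from the original article or from any vendor's platform. It implements a vault-style tokenizer: each card number is replaced by random digits laid back into the original spacing, so length and format survive, and the only way back is a lookup in a separately held vault. A constructed role policy then decides what each consumer sees: the cleartext number, a masked form with the last four digits, or the token only, which is also what any role not in the policy gets. The roles, the vault class and the `keep_last` option are this example's assumptions.

```python
import secrets
from typing import Dict, Optional

DIGITS = "0123456789"

# Constructed role policy (hypothetical roles). Roles not listed get the token only.
ROLE_POLICY: Dict[str, str] = {
    "fraud_investigator": "clear",   # authorized to detokenize
    "support_agent": "masked",       # last four digits only
    "marketing_analyst": "token",    # can group and count by token, never sees the PAN
}


def _digits_only(value: str) -> str:
    return "".join(ch for ch in value if ch.isdigit())


def _with_separators(digits: str, template: str) -> str:
    """Lay `digits` back into the spacing/hyphenation of `template`, preserving its format."""
    it = iter(digits)
    return "".join(next(it) if ch.isdigit() else ch for ch in template)


class TokenVault:
    """Constructed in-memory vault. A real deployment keeps the token<->PAN map in a
    separately secured store, so a copy of the tokenized business database alone
    reveals nothing. `keep_last` optionally leaves the final digits unchanged."""

    def __init__(self, keep_last: int = 0) -> None:
        self.keep_last = keep_last
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Same PAN -> same token, so joins, counts and de-duplication still work downstream.
        existing = self._token_by_pan.get(pan)
        if existing is not None:
            return existing
        digits = _digits_only(pan)
        tail = digits[len(digits) - self.keep_last:] if self.keep_last else ""
        head_len = len(digits) - len(tail)
        while True:
            # Cryptographically random digits; retry on the (unlikely) collision.
            head = "".join(secrets.choice(DIGITS) for _ in range(head_len))
            token = _with_separators(head + tail, pan)
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._pan_by_token.get(token)


def view_card(vault: TokenVault, token: str, role: str) -> str:
    """Return the form of the card number this role may see (default: the token)."""
    mode = ROLE_POLICY.get(role, "token")
    if mode == "token":
        return token
    pan = vault.detokenize(token)
    if pan is None:
        raise KeyError("unknown token")
    if mode == "clear":
        return pan
    digits = _digits_only(pan)
    masked = "*" * (len(digits) - 4) + digits[-4:]
    return _with_separators(masked, pan)


if __name__ == "__main__":
    vault = TokenVault()
    record = {"customer": "A. Example", "card": "4111 1111 1111 1111"}  # constructed
    record["card"] = vault.tokenize(record["card"])   # what the analytics database stores
    print("stored:", record)
    for role in ("marketing_analyst", "support_agent", "fraud_investigator", "intern"):
        print(f"{role:20s} -> {view_card(vault, record['card'], role)}")
```

Two design points carry the article's argument: the stored record is useless without the vault, so encrypting or exfiltrating it yields nothing, and the policy is deny-by-default, so an unlisted role sees only the token that analytics already works on.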

Don’t worry about paying a ransom. You won't have to divert money into a rainy-day ransomware fund when your kinetic data is protected. Indeed, there’s no need to panic. Seize the moment and be an organization that won’t make the news as the latest ransomware victim.

When your organization always knows which kind of data it has, where it resides, and which kind of data-protection method will best protect sensitive data elements, you will benefit from data insights—and cybercriminals will gain nothing. Let them have the worthless characters, while you let your kinetic data run free through AI-driven analytics and other business applications.

I recently detailed how organizations can eliminate the threat of a data ransomware attack and empower their businesses with kinetic data protection, as part of an AWS Startup Showcase event by theCUBE. Check out the interview.