How to implement an EFSS ransomware recovery plan
Original article featured here: https://www.helpnetsecurity.com/2016/10/14/efss-ransomware-recovery-plan/
Ransomware attacks are at an all-time high, and security experts warn it has become a matter of “when” not “if” your company will be breached. The number of victims has grown exponentially in 2016, spanning large enterprises to small businesses, across industries.
Enterprises are particularly at risk because the potential payoffs attackers receive are higher. Those hit with system-wide breaches impacting multiple users and thousands of files face hefty ransoms, anywhere from $200-800 per file. Furthermore, the restoration process after an attack can be time-consuming and costly, resulting in major disruptions to business operations and productivity.
The FBI and other security experts advise victims not to pay the ransom and instead focus on business continuity with prevention and recovery plans, user education and good security practices.
Although there is no single solution to prevent an attack, there are measures corporations can take to protect themselves and help to address data loss as a result of ransomware. It only takes one employee to open a malicious email attachment for malware to begin encrypting files on local drives and potentially other computers on the same network, locking users out of files.
By deploying a proper ransomware recovery plan before an attack, organizations can mitigate the effects and recover normal operations in minutes or hours, rather than weeks or months.
Behavioral security training and traditional detective controls like anti-virus software should be employed. In addition, enterprises should use an enterprise file sync and share (EFSS) solution as a core component of their ransomware mitigation plan to recover files quickly on their own, without paying a ransom.
Keys to seamless recovery with EFSS
While most companies know they should be using preventive security measures such as firewalls, they may not realize the significance of implementing procedures and safeguards to enable business to carry on as usual after a ransomware attack.
An EFSS solution can be used as part of a comprehensive recovery plan. These solutions provide a real-time backup of critical files and folders, which means copies of all files and data are stored securely in the cloud, while providing additional benefits including:
Enabling IT to implement group-based security policies that can restrict individuals from sharing designated content outside the company
Allowing users to access, view and edit content from any device, whether they are in the office, on the road or across seas
Letting knowledge workers continue work as normal but with the peace of mind that their documents are automatically backed-up in real-time
Permitting users to easily share folders and files with collaborators while maintaining visibility and control.
A comprehensive backup strategy is essential to recovery. Traditional backup services often require complex processes to recover files and can also require you to recover more than you want. EFSS solutions provide continuous availability and real-time data protection, which means backup copies of all files and data are stored securely in the cloud rather than backed-up on local desktops – making recovery easy and seamless. For example, an organization can “roll back” files to a healthy state before an attack using these cloud-based backups and ensure they don’t restore the same malicious files. It’s also important that the solution organizations are using is capable of excluding file types and extensions known to be associated with ransomware.
EFSS solutions are prime to protect against these threats because data is protected in the cloud against unauthorized encryption. They also can help an organization contain and stop the spread of an attack by allowing administrators to block known crypto file types – such as those with the .locky and .crypt filename extension, as well as potentially malicious executables such as .vbs, .scr, and .exe – from syncing.
Email attachments should be closely monitored, as an employee can unknowingly set ransomware loose with one click. A simple way to reduce your organization’s risk is properly training employees to use secure sharing links to access files rather than opening documents directly from their email clients.
Awareness programs with high engagement can also add to an organization’s true security posture. These programs teach employees how to spot malicious phishing emails with real-time training such as simulated attack emails. The key to changing human behavior is to have an instant feedback loop to interrupt the bad behavior. If an employee accidently opens an email attachment during training, they’ll be notified immediately to stop the bad behavior in real-time.
Finally, businesses must establish a retention policy. Many organizations have a retention policy set in place; however, it’s essential to review your policy to ensure that employees and admins can directly restore previous file versions on-demand and save files for an appropriate amount of time.
A retention policy is critical to recovery as it allows your original files to be restored quickly after they are deleted or encrypted by ransomware. Therefore, in the event that an attack does slip through your defenses, having a solid policy and remediation plan in place will make for a quick recovery.
The road to rapid recovery
In a fast-paced business environment, losing documents that knowledge workers invested time and energy into has a significant impact on your organization — missed internal and external deadlines, lost sales analysis numbers, presentations, and more. The resulting productivity loss can turn into weeks or months of downtime and millions of dollars lost.
Attackers are betting that enterprises will pay the ransom to get business moving again. Conversely, with proper EFSS security and preventive controls in place, the most critical component of your remediation strategy – recovery of the locked files – is covered.
As the ROI continues to be attractive for criminals, it will likely be some time before the current wave of ransomware attacks subsides. By following industry guidance and the strategies outlined above you can avoid being the next victim in the headlines. As the saying goes, ‘an ounce of prevention is worth a pound of cure.