On August 18, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance advising government and private sector organizations on how best to prevent and respond to data breaches caused by ransomware.
In encouraging organizations to increase their awareness of the threat of ransomware incidents, CISA outlines several recommendations. To prevent ransomware attacks, CISA highlights the importance of offline, encrypted backups, which limit a ransomware actor’s ability to find and delete or encrypt the backup data. The guidance also recommends identifying and mitigating internet-facing vulnerabilities, such as through vulnerability scanning, in order to reduce exposure to ransomware attacks. As many attacks are delivered through phishing emails, CISA encourages organizations to take steps to limit or eliminate phishing emails, including enabling strong spam filters and training workforce members on how to identify and report suspicious incidents. Finally, the CIST guidance emphasizes the importance of an incident response plan and a resilience plan, which helps to evaluate an entity’s operational resilience and cybersecurity protocols.
To protect personal information or other sensitive data, CISA recommends inventorying the information the organization maintains, where it is stored, and who has access. The guidance recommends adopting physical security best practices, as well as cybersecurity best practices, including encryption, firewalls, and network segmentation. CISA also advises organizations to ensure that incident response and notification procedures comply with applicable state laws; organizations regulated under federal laws, including HIPAA and GLBA, should ensure compliance with those requirements as well.
The guidance also addresses how organizations should respond to data breaches caused by ransomware. CISA recommends first securing the organization’s network operations by determining the impacted systems and isolating them (or powering them off if they cannot be removed from the network). Impacted organizations should triage their impacted systems to address restoration and recovery, beginning with the most critical systems. The organization should analyze the incident and work with its internal and external stakeholders, who should be outlined in the organization’s incident response plan, to mitigate, respond to, and recover from the ransomware attack. The guidance also addresses a scenario where it may not be possible to engage in mitigation, encouraging organizations to take a system image and memory capture of the devices impacted by the attack to preserve evidence of the event. Finally, CISA recommends that organizations conduct all required notifications: to individuals, other businesses, and governmental agencies, as well as notifications to CISA and the FBI or US Secret Service.