Video: 10 Minute IT Jams - Cohesity CISO discusses ransomware and data management
Ransomware is spreading rapidly.
That was the message from Brian Spanswick, Chief Security Officer (CSO) at Cohesity, as he discussed the accelerating and evolving threat of ransomware in an interview on 10 Minute IT Jams. In his view, businesses must urgently reassess their approach to cybersecurity as attacks become increasingly sophisticated and damaging.
Spanswick noted that the explosion in remote working during the pandemic opened up vulnerabilities that cybercriminals have been quick to exploit. "The increase in the number of people working from home and the vulnerabilities created with the remote workforce have really really contributed to the increase that we're seeing in those ransomware attacks," he said.
What is most concerning, according to Spanswick, is the increased sophistication in attackers' approaches. "Initially the attackers really focused pretty much on the production environments, but they quickly realised that if companies have the ability to recover from those backups that reduces the need for the companies to pay the ransom in order to get their systems restored," he explained.
That realisation has driven a shift in tactics: instead of targeting only production environments, attackers are now also going after backup systems, trying to sabotage companies' recovery efforts and strengthen their own bargaining position. "Quickly their approach is shifting from attacking the production environments first to going after the backups, getting control of the backups, and then attacking the production environments. That puts them in a position to extort the company to restore those systems," Spanswick explained.
There is another worrying trend. "Attackers are seeing the value of data exfiltration in addition to the ransom payments," he said, adding that stolen data can be sold on underground markets, multiplying the potential impact of a breach. Beyond financial loss, the fallout can include damage to brand equity, loss of customer confidence, regulatory fines and more. "Oftentimes, those impacts are even greater than the cost of the ransom," Spanswick noted.
Can companies ever really be ready for such an attack? Spanswick believes preparation is not only possible, but vital. "There's a lot that an organisation can do," he said, advocating for both preventative and mitigation measures.
First and foremost, it is essential to master the basics: "Really focus on the fundamentals of cybersecurity, make sure that you have a solid security foundation." That means timely patching of known vulnerabilities, encrypting data both at rest and in transit, adopting a 'least privilege' approach to access management, and securely backing up production systems so they can be swiftly restored.
"This foundation really starts to address a lot of the ways that the attackers come into the environments, so having those foundations solid is critical," Spanswick said.
If an attack does occur, the ability to recover quickly is paramount, reducing the incentive to pay the ransom. "If you can bring systems back online and recover from 10 or 15 minutes ago, an hour ago, there really isn't a lot of leverage from those ransomware attackers trying to hold the recovery of your systems hostage," he added.
Spanswick also emphasised the importance of controlling data proliferation. Too often, organisations have allowed data to multiply unchecked throughout their systems, increasing the 'attack surface'. "One of the things that we're doing here at Cohesity is figuring out how do we reduce the number of places that data is stored, reducing the attack surface that the security organisation would have to protect," he explained.
Boardrooms are paying attention, Spanswick said, but sometimes the questions board members ask are rooted in outdated thinking. Historically, backup solutions were designed to recover from accidental deletions or natural disasters. These days, Spanswick argued, the more pertinent question is: how quickly can systems be restored from backup after a cyber attack? "They're asking a question that is really based on an old idea of how we're securing the data and really isn't relevant in this ransomware world that we're living in," he said.
On the controversial issue of paying ransoms, Cohesity's stance is in line with law enforcement agencies. "If you pay the ransom, you're really adding to the problem," Spanswick said, explaining that criminal groups use the proceeds to invest in more effective attack strategies. "Paying the ransom absolutely adds to the problem for sure."
He did, however, acknowledge that the decision is ultimately for each organisation to make. Cohesity focuses on ensuring customers are never forced into that dilemma by enabling rapid and reliable recovery from backups. "If we focus on the controls that deliver this ability to recover quickly from a recent recovery point just prior to the disruption, the organisations are going to have the advantage over the attacker," Spanswick said.
Spanswick described the shift from a compliance-based approach to a focus on cyber resiliency. Rather than simply meeting regulatory requirements, he advocated for adopting a mindset of continuous business operation, even during adversarial cyber events. "This concept of results over resiliency is relatively new, and it's simply the ability to continuously deliver your business outcomes despite adverse cyber events," he said.
Data management is also undergoing a transformation, moving beyond compliance towards a focus on security and visibility. "Dark data is a critical concern from a data management perspective. If you don't know where your data is, you can't protect it," he said.
Asked for his predictions of what the next few years hold, Spanswick was blunt: the speed and scale of digital transformation show no sign of slowing down, nor do the opportunities for cyber criminals. "The truth is that we're living in a digital world...especially after these last two years, the digital transformation that has occurred in banking, entertainment, healthcare, education, transportation got supercharged during this COVID time, and the quantum change that we're seeing isn't slowing down when COVID is under control," he said.
He warned that as this transformation accelerates, so do cyber risks. "We're going to see the number of attacks increasing, where they target the attacks is going to grow, and the techniques that they use are going to evolve," Spanswick said.
His advice for businesses: maintain vigilance and a strong security posture, and keep up with the pace of change. "Actively managing that security posture in order to maintain a target of protection that addresses the evolution of the breaches and continues to look at the potential impacts of the organisation - that's going to be critical," he said.