The FBI recently put out a public service announcement regarding the threat of high-impact ransomware.
According to Mike Jordan, CISSP, CRISC, CTPRP, Senior Director at the Santa Fe Group, and VP of Research & Development for Shared Assessments, a recognized authority on IoT Risk Management:
Shoring up your own defenses to protect from ransomware is unfortunately only part of the job. Third parties are often critical parts of an organization’s operations, and they can be affected by ransomware as well as spread it.
Risk assessments should be performed on all third parties to some degree. The more critical a vendor, the more diligence an organization should take to ensure they are capable of protecting themselves and their partners against malware. Ongoing and continuous monitoring of those vendors is also crucial to ensuring their protections remain sound.
Regarding ransomware specifically, when assessing your third parties, you should consider the same cyber defense controls recommended by the FBI, looking for indicators that show they are prepared for ransomware, and paying particular attention to how they handle business resilience controls such as system and data backups, and whether they perform Disaster Recovery Testing with ransomware as a testing scenario.
Because fraudulent emails/phishing are the number one way ransomware gets into a network, how your third parties manage phishing through email protection technologies and security awareness training is also critical. A successful anti-phishing program requires both.
As with the recent “ShadowHammer” attacks, malware can also spread through hardware and software providers’ automatic patching systems. If you allow any providers to automatically patch the software, firmware, or BIOS on your systems, you should ensure that they have processes to protect the integrity of the updates that go through their automatic patching systems.
You also want to get an understanding of how their leadership would handle a ransomware attack. Do they have a crisis management team that includes key stakeholders from security, legal, PR, and executive leadership? Has that team gone through training and role-played how to handle a ransomware incident? Have they made contacts with law enforcement so they can get advice and help quickly? You may also consider contractually requiring third parties to notify you within a certain amount of time should they experience a ransomware attack. This can give you time to protect your own systems and to consider alternatives if their services become disrupted. As we’ve seen in some of the municipal ransomware attacks, the effects can last a long time.