Ransomware attacks are a huge problem: in the past five years alone, they have brought about a state of emergency across vast swathes of the United States, threatened to topple the Costa Rican government, and brought Portugal's largest media conglomerate to its knees. And ransomware attackers show no signs of slowing down: last year, roughly one-third of all data breaches involved ransomware or some other extortion technique.
Preventing and protecting against ransomware attacks has become a global priority, with cybersecurity regulations and frameworks playing an essential role. By outlining, standardizing, and mandating preventative measures, cybersecurity regulations and frameworks ensure that organizations worldwide are prepared to deal with the ransomware threat. Let's examine them more closely.
Understanding Cybersecurity Regulations
First, we need to understand cybersecurity regulations and what they do. There are far too many cybersecurity regulations for us to cover in this article, so we'll focus on three of the most important: NIS2, DORA, and HIPAA.
Broadly speaking, cybersecurity regulations are sets of laws, rules, or guidelines enacted by governments or regulatory bodies to protect information systems, networks, and data from cyber threats and attacks. These regulations ensure data and information systems' confidentiality, integrity, and availability by enforcing specific security practices, controls, and procedures. But let's look at each of our examples a little more closely:
NIS2 (Network and Information Security Directive 2)
The Network and Information Security Directive 2 (NIS2) is a legislative framework established by the European Union (EU) to enhance member states' cybersecurity resilience and response capabilities. It builds upon the original NIS Directive to strengthen cybersecurity measures in critical infrastructure sectors, promote cooperation among member states, and hold organizations accountable.
DORA (Digital Operational Resilience Act)
The Digital Operational Resilience Act (DORA) is a regulatory framework that came into force in January 2023. It aims to enhance the financial sector's digital operational resilience within the EU. DORA's primary goal is to ensure that financial institutions can withstand, respond to, and recover from all types of ICT (Information and Communication Technology) related disruptions and threats, including ransomware and cyberattacks. The Act complements the NIS2 regulation in the financial services domain.
HIPAA (Health Insurance Portability and Accountability Act)
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted in 1996 to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. HIPAA sets the standard for protecting sensitive patient data, and organizations dealing with protected health information (PHI) must ensure that they put in place and follow all necessary physical, network, and process security measures to comply.
How do Regulations Improve Ransomware Readiness?
Now that we better understand each regulation, we can explore how they improve ransomware readiness. Again, we won't have time to explore each regulation's provisions in their entirety, so we'll pick out some of the most important.
NIS2
NIS2 has several provisions that improve relevant organizations' resilience to ransomware attacks. For example:
● Risk Management: NIS2 mandates that organizations implement robust risk management practices, including conducting regular risk assessments and deploying advanced security controls.
● Supply Chain Management: NIS2 compliance reduces the risk of ransomware attacks spreading through supply chains. Under NIS2, organizations must ensure that their suppliers and service providers adhere to stringent cybersecurity practices to prevent ransomware from spreading.
● Information Sharing: NIS2 requires member states to contribute to and cooperate with the Cyber Crisis Liaison Organizations Network (EU-CyCLONe), which shares threat intelligence and best practices with other member states.
Dora
DORA Here are some examples of the DORA provisions that ensure organizations improve their ransomware preparedness:
Comprehensive ICT Risk Management:
● DORA requires financial entities to conduct thorough risk assessments to identify vulnerabilities that ransomware attackers could exploit. They must implement robust risk management frameworks to mitigate these risks effectively.
● Financial institutions must deploy advanced security controls and technologies, such as firewalls, intrusion detection systems, and endpoint protection, to prevent ransomware attacks.
Incident Detection and Response:
● DORA mandates the implementation of monitoring and detection mechanisms to identify ransomware and other cyber threats promptly.
● Relevant organizations must have detailed incident response plans in place. These plans should outline procedures for containing, mitigating, and recovering from ransomware attacks, ensuring minimal disruption to operations.
Regular Testing:
● DORA requires regular testing of digital operational resilience, including penetration testing and scenario-based testing. These tests help financial institutions prepare for and effectively respond to ransomware attacks.
HIPAA
HIPAA, however, has a focus on security standards and safeguards to improve ransomware readiness, including:
Administrative Safeguards - Policies and procedures for managing the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (ePHI). Examples include:
● Security Awareness and Training - Regular training for employees on recognizing and responding to ransomware threats.
● Incident Response Plans - Procedures for responding to security incidents, including ransomware attacks.
Technical Safeguards - Technology and policies to protect ePHI and control access to it. Examples include:
● Access Controls - Ensuring only authorized personnel can access ePHI; this includes unique user IDs, emergency access procedures, and automatic logoff.
● Encryption - Encrypting ePHI to protect data at rest and in transit from unauthorized access is crucial for preventing ransomware attackers from accessing and exfiltrating sensitive information.
How to Ensure Compliance and Enhance Ransomware Preparedness
While we have covered some specific examples from each regulation, it's important to keep in mind that they share many of the same provisions: By implementing a few basic cybersecurity measures, you can set your organization on the path to compliance with a wide range of regulations and dramatically improve your ransomware preparedness.
For example, it's essential to conduct regular risk assessments and implement risk management strategies to identify and remediate vulnerabilities. Similarly, most regulations require incident response plans, security awareness training, continuous monitoring, and technical measures such as advanced anti-ransomware solutions, encryption, and multi-factor authentication.
But most importantly, you must recognize that threats and regulations are constantly evolving. As such, it's essential to regularly review and update security policies and procedures to ensure you're protected from emerging ransomware threats and comply with changing regulations.
In conclusion, achieving regulatory compliance is a great first step to protecting against ransomware. While it's always advisable to go above and beyond regulatory requirements, regulations such as NIS2, DORA, and HIPAA are valuable guidelines for implementing an effective cybersecurity program. Try not to think of cybersecurity regulations as cumbersome rules you must follow; think of them instead as a free resource to help you protect your organization.