Ransomware protection – what does good IT security look like?

Expert risk article | October 2022

From ransomware identification, user awareness and business continuity planning to backups: What does good IT security look like?

We have put together a checklist with recommendations.

  • Are anti‑ransomware toolsets deployed throughout the organization?
  • What proactive measures are in place for identification of ransomware threats?
  • Are policies, procedures, access controls methods and communication channels updated frequently to address ransomware threats?
  • Are in‑house capabilities or external arrangements in place to identify ransomware strains?
  • Are ransomware‑specific incident response processes in place?
  • Have there been any previous ransomware incidents? If so, what lessons have been learned?
  • Are pre‑agreed IT forensic firm or anti‑ransomware service provider arrangements in place?
  • Is regular user training and awareness conducted on information security, phishing, phone scams and impersonation calls and social engineering attacks?
  • Are social engineering or phishing simulation exercises conducted on an ongoing basis?
  • Are regular backups performed, including frequent backups for critical systems to minimize the impact of the disruption? Are offline back‑ups maintained as well?
  • Are backups encrypted? Are backups replicated and stored at multiple offsite locations?
  • Are processes in place for successful restoration and recovery of key assets within the Recovery Time Objective (RTO)?
  • Are backups periodically retrieved compared to the original data to ensure backup integrity?
  • Are endpoint protection (EPP) products and endpoint detection and response (EDR) solutions utilized across the organization on mobile devices, tablets, laptops, desktops etc.?
  • Are Local Administrator Password Solutions (LAPS) implemented on endpoints?
  • Is Sender Policy Framework strictly enforced?
  • Are email gateways configured to look for potentially malicious links and programs?
  • Is web content filtering enforced with restricting access to social media platforms?
  • Are physical, logical segregations maintained within the network, including the cloud environment?
  • Are micro segmentation and zero trust frameworks in place to reduce the overall attack surface?
  • Are automated scans run to detect vulnerabilities? Are third party penetration tests performed on a regular basis?
  • Does the organization ensure appropriate access policies, enforcement of multi‑factor authentication for critical data access, remote network connections and for privileged user access?
  • Is continuous monitoring in place for detecting unusual account behavior, new domain accounts and any account privilege escalations (administrator level), new service additions, and unusual chain of commands being run during a short time period?
  • What due diligence and risk management activities are performed prior to M&A?
  • Are regular security audits conducted on newly‑integrated entities to ensure evaluation of security controls?
All of the recommendations are technical advisory in nature from a risk management perspective and may not apply to your specific operations. Please review recommendations carefully and determine how they can best apply to your specific needs prior to implementation. Any queries relating to insurance cover should be made with your local contact in underwriting, agent and/or broker.
Keep up to date on all news and insights from Allianz Commercial