Avoiding ransomware: what security & risk leaders need to know

Ransomware attackers hold computer systems hostage on a daily basis, demanding substantial sums from victims to restore normal operations. The latest victim of this costly trap was Colonial Pipeline, the American operator of a pipeline system that transports fuel along the East Coast, leading to fears that fuel prices would soar in the immediate aftermath.

Yet, as in every other major ransomware incident, organisations get stuck in a never-ending cycle: an attack, followed by an exorbitant pay-out, while they scramble to find the ‘bad guy’ – without realising that the root cause may not be a person at all, but the system itself.

The problem with this approach is that companies are unknowingly ignoring the real issue: the Original Equipment Manufacturers (OEMs) whose devices make up the Industrial Internet of Things (IIoT) and Operational Technology (OT) systems they run, and who oversee how those systems are set up.

As businesses adopt new technologies and digital offerings to improve service and efficiency, many OEM providers have had to pivot quickly to become digital product providers, often failing to do one thing: productise security, that is, treat security as a designed, roadmapped and supported feature of the product rather than an afterthought.

Stopping the vicious cycle

If companies want to avoid another vicious cycle of ransomware attacks, it is worth reconsidering their strategy: from how they engage with their OEMs, to how they prioritise the security of the products and devices they buy.

This means hardening systems, equipment, devices and supply chains, and ensuring they are continuously improved rather than secured once and forgotten. This change in approach – from reactive to proactive – is required to reduce future security breaches and ransomware attacks. There are five key takeaways companies need to keep in mind to achieve this.

First, organisations need to determine the OEM provider’s approach to secure product management, from ideation through patching and support to end of life. Establishing this from the outset will help CIOs understand the core competencies of a product security officer, enabling them to cultivate the skills needed to productise security features, including product roadmap, planning and lifecycle management.

Second, an integrated digital security approach is needed, one that looks holistically across IT and data, product, and operations-related technology. Too many companies still fail to see that these domains have converged, leaving the seams between them – and the key features that span them – at risk of being compromised, easily.

Third, companies must look at their supplier risk. Supplier risk has traditionally focused on the data and IT infrastructure security of the supply chain, usually missing crucial elements such as product security, which needs to be factored in if the supply chain is to be secured properly.

More importantly, some supply chain leaders are still applying old vendor risk policies to OEMs that have become increasingly digital, compromising the security of new products and devices and, once again, leaving the window ajar for attackers.

Fourth, financial incentives are key. Bad actors are financially incentivised to attack OT and IIoT environments, yet OEM providers have not been financially incentivised to protect them. Sharpening terms and agreements with providers, by adding clauses that spell out their financial obligations in the event of a breach, will push OEM providers to secure their products better.

Finally, there needs to be a shift from the current static, reactive approach to security to a proactive one. Ransomware attacks are now too common, and bad actors are too quick to seize new opportunities and find new ways to attack. This is especially true where devices are too outdated to keep pace with emerging technologies and security practices, and cannot be patched or upgraded in step with them.

Proactively discussing emerging technology trends with the OEM provider and determining security mitigation measures at the device and authentication level before adoption will help OEMs embrace and prioritise emerging security solutions.

Ultimately, companies looking to end this ransomware back-and-forth need to rethink their approach to OEM providers and prioritise product security.

Written by Barika L Pace, senior director research analyst at Gartner
