Dive Brief:
- A new report created to help organizations navigate ransomware risks exemplifies the challenges small- to medium-sized businesses confront in the battle against just one of many cyberthreats.
- The recommendations, identified to help SMBs with limited cybersecurity expertise, include 40 safeguards. That’s a curated subset of the guidance in the Center for Internet Security’s critical security controls.
- The report’s authors acknowledge not every organization has the resources to implement every safeguard immediately, but they maintain any actions taken, full or partial, represent a step in the right direction.
Dive Insight:
Balancing prescriptive and prospective guidance in the battle against ransomware is difficult for large enterprises and often even more so for their smaller counterparts.
Two of the report’s authors — Megan Stifel, chief strategy officer at the Institute for Security and Technology, and Valecia Stocchetti, senior cybersecurity engineer at the Center for Internet Security — said every little bit helps.
“It’s easy for [SMBs] to become overwhelmed when implementing a security framework. Starting small is the key,” Stifel and Stocchetti said via email.
Organizations should, as a baseline, establish and maintain an inventory of all assets and accounts, then grow defenses at a pace that takes available resources and appropriate needs into account, according to the Blueprint for Ransomware Defense published by the Institute for Security and Technology.
The 40 safeguards, including 14 deemed foundational and 26 described as actionable, were selected for their effectiveness in defending against ransomware attacks.
The foundational guidance involves procedural steps to identify, protect against, respond to and recover from ransomware. This includes the establishment of programs for vulnerability management, security awareness, incident reporting, configurations and the granting or revoking of access.
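The baseline the report describes, an inventory of assets and accounts that is kept current and tied to how access is granted and revoked, is easiest to understand as a recurring reconciliation: compare what you believe you have against what you can actually observe, then act on the differences. The script below is an added illustration of that idea and is not code from the Blueprint, the Institute for Security and Technology or the Center for Internet Security. The inventory, discovery sweep, identity-provider export and HR staff list are small constructed samples, and the 90-day dormancy threshold is an assumed policy value.

```python
"""Reconcile a maintained asset and account inventory against observed data.

Added example. All inputs below are constructed samples, not data from any
real organization; a real deployment would load them from a CMDB, a discovery
scan, an identity provider export and an HR feed.
"""
from datetime import date, timedelta

# Authoritative asset inventory the organization maintains (constructed).
INVENTORY_ASSETS = {
    "srv-files-01": {"owner": "it", "ip": "10.0.1.10"},
    "srv-backup-01": {"owner": "it", "ip": "10.0.1.11"},
    "ws-accounting-03": {"owner": "finance", "ip": "10.0.2.33"},
}

# Addresses that answered a network discovery sweep (constructed).
# 10.0.2.77 responds but is not in the inventory.
DISCOVERED_HOSTS = {"10.0.1.10", "10.0.1.11", "10.0.2.33", "10.0.2.77"}

# Accounts exported from the identity provider (constructed).
IDP_ACCOUNTS = [
    {"user": "alice", "mfa": True, "last_login": date(2022, 8, 1)},
    {"user": "bob", "mfa": False, "last_login": date(2022, 8, 2)},
    {"user": "carol", "mfa": True, "last_login": date(2022, 2, 15)},
    {"user": "svc-backup", "mfa": False, "last_login": date(2022, 8, 2)},
]

# People currently employed plus approved service accounts (constructed).
ACTIVE_PRINCIPALS = {"alice", "bob", "svc-backup"}

# Fixed "today" so the example is reproducible (constructed).
TODAY = date(2022, 8, 15)

# Assumed policy: an account unused for this long is treated as dormant.
DORMANT_AFTER = timedelta(days=90)


def reconcile_assets(inventory, discovered):
    """Return hosts seen but not inventoried, and inventoried but not seen."""
    inventoried_ips = {asset["ip"] for asset in inventory.values()}
    return {
        # Unknown hosts are the ones an attacker can reach and you cannot patch.
        "unknown_hosts": sorted(discovered - inventoried_ips),
        # Missing hosts may be decommissioned, or simply offline during the sweep.
        "missing_hosts": sorted(
            name for name, asset in inventory.items() if asset["ip"] not in discovered
        ),
    }


def reconcile_accounts(accounts, active_principals, today=TODAY, dormant_after=DORMANT_AFTER):
    """Flag accounts that should be reviewed for revocation or hardening."""
    findings = {"orphaned": [], "dormant": [], "no_mfa": []}
    for account in accounts:
        user = account["user"]
        # Orphaned: still enabled in the IdP but no longer backed by a person or approval.
        if user not in active_principals:
            findings["orphaned"].append(user)
        # Dormant: no sign-in within the policy window; a candidate for disabling.
        if today - account["last_login"] > dormant_after:
            findings["dormant"].append(user)
        # No MFA: a single stolen password is enough to take over the account.
        if not account["mfa"]:
            findings["no_mfa"].append(user)
    return {key: sorted(values) for key, values in findings.items()}


def run_reconciliation(today=TODAY):
    """Combine both checks into one report a small IT team can act on."""
    report = {
        "assets": reconcile_assets(INVENTORY_ASSETS, DISCOVERED_HOSTS),
        "accounts": reconcile_accounts(IDP_ACCOUNTS, ACTIVE_PRINCIPALS, today),
    }
    report["open_items"] = sum(len(v) for section in report.values() for v in section.values())
    return report


if __name__ == "__main__":
    for section, findings in run_reconciliation().items():
        print(section, findings)
```

Running the checks on a schedule and tracking the `open_items` count over time gives an SMB a concrete, measurable way to "start small": the first run establishes the inventory, and every later run shows whether unknown hosts and unreviewed accounts are shrinking or growing.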
Communicating best practices, even the less complicated actions that can bolster cybersecurity, remains troublesome across every level of responsibility: governments, enterprises, SMBs and individuals.
Software updates, improved password management and multifactor authentication are relatively straightforward tasks that need to be explained in ways that people and organizations don’t find too complicated, too confusing or too technical, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said in June at the RSA Conference.
These responsibilities fall on all of us, akin to how individuals participate in their own physical defense by default, such as looking both ways before crossing a busy street, National Cyber Director Chris Inglis said on a panel with Easterly at the conference.
“We’ve made it seem like it’s harder to do than it is,” he said.