This is the archive of CPA Now blogs posted on the PICPA website through April 30, 2025.
Ransomware incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services. Here are some best practices to help organizations manage the risk posed by ransomware.
By Troy Fine, CPA
Ransomware is a form of malware designed to encrypt files and render the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services. According to Sophos’s whitepaper The State of Ransomware 2020, the average cost for an organization to remediate a ransomware attack is $732,520 for organizations that do not pay the ransom and $1,448,458 for organizations that do pay the ransom. The following best practices will help organizations manage the risk posed by ransomware.
Maintain Offline Backups – It is important that backups be maintained offline because many ransomware variants attempt to find and delete any accessible backups. Additionally, backups should be encrypted and current. If current offline backups exist, there is a better chance that you can easily restore data if you’re hit with a ransomware attack. Backup restoration testing should be performed at least annually to ensure that data can be restored from backups.
Create an Incident Response Plan – Create, maintain, and exercise a basic cyberincident response plan and an associated communications plan that includes response and notification procedures for a ransomware incident. The response plan should be tested on an annual basis by running through a mock ransomware incident. Gaps in the incident response plan will be identified and remediated before an actual incident occurs.
Conduct Vulnerability Scanning – Regular vulnerability scanning will help identify and address vulnerabilities, especially those on internet-facing devices, and limit the attack surface. Processes should be implemented to ensure that vulnerabilities are remediated in a timely manner based on risk.
Patch Regularly – Regularly patch and update software and operating systems to the latest available versions. In addition, fixes for vulnerabilities that are already being exploited in the wild (zero-days) should be applied immediately once they are identified and a patch is available.
Ensure Antivirus and Anti-malware Software Is Regularly Updated – Ensure antivirus and anti-malware software and signatures are up to date. Additionally, turn on automatic updates for both solutions and use a centrally managed antivirus solution. This enables detection of both “precursor” malware and ransomware.
Conduct Cybersecurity Awareness Training – Implement a cybersecurity user-awareness and training program that includes guidance on how to identify and report suspicious activity (such as phishing) or incidents. Conduct organizationwide phishing tests to gauge user awareness and reinforce the importance of identifying potentially malicious emails. For those who repeatedly fail phishing tests, additional training should be provided.
Employ Multifactor Authentication (MFA) – Employ MFA for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems. MFA is an authentication method that requires the user to provide two or more verification factors to gain access to a resource. The verification factors must consist of at least two factors from the following three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint).
Apply the Principle of Least Privilege – Apply the principle of least privilege to all systems and services so users only have the access they need to perform their jobs. Threat actors often seek out privileged accounts and use them to spread ransomware throughout a network.
Employ Network Segmentation – Employ logical or physical means of network segmentation to separate various business-unit or departmental IT resources within your organization as well as to maintain separation between IT and operational technology. This will help contain the impact of any intrusion affecting your organization and prevent or limit lateral movement on the part of malicious actors.
Baseline Network Activity – Baseline and analyze your network activity over a period of months to determine behavioral patterns so that normal, legitimate activity can be more easily distinguished from anomalous network activity.
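As an added illustration of the baselining step (example code, not from the article or its author), the script below learns a per-host mean and standard deviation of daily outbound connection counts from a constructed baseline period, then flags hosts whose current count deviates sharply or that have no baseline at all. Host names, counts and the z-score threshold are assumptions chosen for the example.

```python
"""Baseline per-host network activity and flag anomalies.

Added example, not from the original article. The flow summaries below are
constructed; a real deployment would feed in NetFlow or firewall logs
collected over the multi-month window the article recommends.
"""
import statistics
from collections import defaultdict

# Constructed daily summaries: (day, source host, outbound connections)
BASELINE = [
    ("d01", "ws-17", 120), ("d02", "ws-17", 110), ("d03", "ws-17", 130),
    ("d04", "ws-17", 125), ("d05", "ws-17", 115),
    ("d01", "fs-01", 40), ("d02", "fs-01", 45), ("d03", "fs-01", 38),
    ("d04", "fs-01", 42), ("d05", "fs-01", 41),
]
# Constructed current day: ws-17 suddenly opens far more connections than
# usual (the kind of burst seen when a host enumerates shares before
# encryption), fs-01 behaves normally, and ws-99 was never seen before.
TODAY = {"ws-17": 900, "fs-01": 43, "ws-99": 60}


def build_baseline(records):
    """Return {host: (mean, population stdev)} of daily connection counts."""
    per_host = defaultdict(list)
    for _day, host, count in records:
        per_host[host].append(count)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}


def flag_anomalies(baseline, today, z_threshold=3.0, min_stdev=1.0):
    """Return {host: reason} for hosts outside their learned behaviour.

    Hosts absent from the baseline are reported as unknown. The stdev floor
    avoids division by zero and over-sensitivity for very stable hosts.
    """
    findings = {}
    for host, count in today.items():
        if host not in baseline:
            findings[host] = "no baseline for host"
            continue
        mean, stdev = baseline[host]
        z = (count - mean) / max(stdev, min_stdev)
        if abs(z) >= z_threshold:
            findings[host] = f"z={z:.1f} (today {count}, baseline mean {mean:.0f})"
    return findings


if __name__ == "__main__":
    for host, reason in flag_anomalies(build_baseline(BASELINE), TODAY).items():
        print(host, reason)
```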
Troy Fine, CPA, CITP, CISSP, is senior manager, risk advisory services, for Schneider Downs & Co. Inc. in Pittsburgh and a member of the Pennsylvania CPA Journal Editorial Board. He can be reached at tfine@schneiderdowns.com.