Executive Summary
According to the U.S. Small Business Administration, there are 32,540,953 small businesses in the United States, representing 99.9% of all firms. However, many of these businesses remain inadequately prepared against the risk of a cyberattack. Accenture’s 2019 Cost of Cybercrime Study, for example, revealed that “43% of cyberattacks target small businesses, but only 14% are prepared to defend themselves.” To address this risk, it is increasingly common for small- and medium-sized enterprises (SMEs) to obtain cybersecurity insurance. Increasingly, however, insurers require enterprises to understand, implement, and demonstrate cyber risk management practices before they qualify for coverage.
It is in this context that we recommend that SMEs adopt a cybersecurity framework of specific best practices to help defend against these attacks. Adopting and following a security framework can help enterprises build stronger defenses. Unfortunately, it is often difficult to know where to start, leaving many SMEs unable to prioritize their cybersecurity efforts. Such a framework therefore needs to be written in plain terms, with easily digestible and practical guidance. Regrettably, some SMEs believe they are unable to implement certain cybersecurity frameworks and therefore have not pursued business opportunities that require demonstrating compliance with them. This perpetuates a cycle of inadequate cybersecurity preparedness.
In response to Action 3.1.1 of the Ransomware Task Force (RTF) report, which calls for the cybersecurity community to “develop a clear, actionable framework for ransomware mitigation, response, and recovery,” the Blueprint for Ransomware Defense Working Group developed a Blueprint composed of a curated subset of essential cyber hygiene Safeguards from the Center for Internet Security Critical Security Controls® (CIS Controls®) v8. These Safeguards represent a minimum standard of information security for all enterprises and are the actions that should be applied first to defend against the most common attacks. The Blueprint for Ransomware Defense is a set of Foundational and Actionable Safeguards aimed at SMEs.
The Blueprint for Ransomware Defense builds on the CIS Controls, a prioritized and prescriptive set of actions developed by a global community of cybersecurity experts. The forty (40) Safeguards included in the Blueprint were selected not only for their ease of implementation but also for their effectiveness in defending against ransomware attacks. This selection is backed by analysis from the CIS Community Defense Model v2.0 (CIS CDM v2.0), which found that implementing the Safeguards in this Blueprint defends against over 70% of the attack techniques associated with ransomware. It is important to note that this Blueprint is not intended to serve as an implementation guide, but rather as a recommendation of defensive actions that can be taken to protect against and respond to ransomware and other common cyberattacks.