The Cybersecurity and Infrastructure Security Agency (CISA) has released a fact sheet that offers recommendations on how to protect sensitive and personal information from ransomware-related data breaches.
The latest CISA communication draws significantly from guidance that the agency issued last year, with specific recommendations on protecting personal data.
According to the release, “all organizations are at risk of falling victim to a ransomware incident and are responsible for protecting sensitive and personal data stored on their systems.”
In response, CISA released the fact sheet to address the increase in malicious cyber actors’ exfiltration of personal information. The fact sheet provides information for organizations to use in preventing and responding to ransomware-caused data breaches. CISA encourages organizations to adopt a heightened awareness and implement the recommendations listed in this fact sheet to reduce their risk of ransomware and protect sensitive and personal information.
To protect personal information against malicious cyber actors, CISA recommends that organizations know what personal information is stored in their systems and who has access to it. The agency also recommends that organizations not store sensitive information on internet-facing systems, and that they create a notification plan to follow if a data breach occurs.
Additionally, to prevent ransomware attacks, CISA recommends that organizations maintain encrypted data backups offline and regularly test those backups, develop and deploy incident response plans, and reduce the risk of phishing emails by turning up spam filters and focusing on user training. CISA also recommends that organizations implement good cyber hygiene practices such as enabling multifactor authentication for all services and continuously updating antivirus software.
In the case of a data breach, CISA recommends that organizations attempt to stop additional data loss, collect information from the compromised systems, follow the appropriate notification requirements, and report the incident to the necessary officials.