Privacy policy

Our website uses cookies to give you the most optimal experience online by: measuring our audience, understanding how our webpages are viewed and improving consequently the way our website works, providing you with relevant and personalized marketing content.
You have full control over what you want to activate. You can accept the cookies by clicking on the “Accept all cookies” button or customize your choices by selecting the cookies you want to activate. You can also decline all non-necessary cookies by clicking on the “Decline all cookies” button. Please find more information on our use of cookies and how to withdraw at any time your consent on our privacy policy.

Managing your cookies

Our website uses cookies. You have full control over what you want to activate. You can accept the cookies by clicking on the “Accept all cookies” button or customize your choices by selecting the cookies you want to activate. You can also decline all non-necessary cookies by clicking on the “Decline all cookies” button.

Necessary cookies

These are essential for the user navigation and allow to give access to certain functionalities such as secured zones accesses. Without these cookies, it won’t be possible to provide the service.
Matomo on premise

Marketing cookies

These cookies are used to deliver advertisements more relevant for you, limit the number of times you see an advertisement; help measure the effectiveness of the advertising campaign; and understand people’s behavior after they view an advertisement.
Adobe Privacy policy | Marketo Privacy Policy | MRP Privacy Policy | AccountInsight Privacy Policy | Triblio Privacy Policy

Social media cookies

These cookies are used to measure the effectiveness of social media campaigns.
LinkedIn Policy

Our website uses cookies to give you the most optimal experience online by: measuring our audience, understanding how our webpages are viewed and improving consequently the way our website works, providing you with relevant and personalized marketing content. You can also decline all non-necessary cookies by clicking on the “Decline all cookies” button. Please find more information on our use of cookies and how to withdraw at any time your consent on our privacy policy.

Skip to main content

Cyber resilience against ransomware: fiction or reality?

Ransomware attacks on the domestic economy are increasingly making headlines. The attackers are becoming more professional, and the damage is increasing. In this article, we will discuss why preventive measures and a well-planned holistic security concept that relies on cyber resilience are indispensable, and why training employees is not enough.

From hurricanes to hackers: How cyber resilience can help you weather the cyber storm

Imagine you are a homeowner in an area that is prone to natural disasters like hurricanes. You know it’s only a matter of time before a major storm hits, so you take steps to make your home more resilient. You reinforce your windows and doors, install a backup generator and stock up on food and water in case of an extended power outage. When a storm hits, your home will be better able to withstand the damage, and you and your family will be better able to deal with the aftermath.

Similarly, ensuring strong cyber resilience helps you protect your organization from a cyber disaster. A cyber resilient business has taken steps to prepare for the possibility of a cyberattack, knowing that it is likely to occur at some point. It will have strengthened its defenses, established backup systems, and trained its employees to recognize and respond to threats. A cyber resilient business can continue to operate even in the face of a cyberattack, minimizing damage and getting back on its feet as quickly as possible. However, to achieve cyber resilience, you must first understand how these attacks can harm you.

Extortion attacks take place on multiple levels

Ransomware attacks are usually two-tiered. The first form of pressure is the encryption of company data. Within a short period of time, the systems or the files on them are rendered unusable, process chains fail, and the company comes to a standstill. The likelihood of paying a ransom is based on the extent of the damage: Did the backups survive the attack? How long would it take to restore the system landscape?

A short time later, the attackers apply the second pressure point, because data is frequently stolen before it is encrypted. If the ransom for the sensitive data is not paid, the cybercriminals threaten to publish or sell it. At this point, the search for the culprits begins. In the majority of cases, the gateway was a phishing email that was opened. Often, the person who clicked the link is blamed, but this is an oversimplification and a bad practice that will not help uncover the underlying vulnerabilities that are truly at fault.

By prioritizing cyber resilience, organizations can ensure that they have the right people, training and expertise in place to quickly detect and respond to attacks, minimizing the damage and reducing the likelihood of paying a ransom.

Awareness training is important but insufficient

Awareness training for all employees has been strongly promoted in the past. In some cases, it is almost seen as the only hope for IT security. I do not deny the importance of training, but the security of an entire company should not depend solely on whether employees recognize all phishing emails.

Employ a structured model for a holistic defense strategy

A good defense strategy can only be layered and based on the “defense-in-depth” principle. This can be visualized using a model to structure a typical course of attack: The Cyber Kill Chain® model. Created by the defense and technology company, Lockheed Martin, it divides attacks into several phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions.

Cybercriminals think strategically

In the reconnaissance phase, attackers gather information about the target company before assembling the necessary tools for the attacks in the weaponization phase. During deliver, a phishing email is sent, and if someone falls for it, the goal of the exploitation phase is achieved.

Backdoors are installed to maintain infrastructure access and gain permanent access to the system. Then, during the control phase, attackers scan the network for opportunities to spread and increase privileges, such as taking over administrator accounts. They then move on the next system. After gaining all the necessary access, they attack the higher-level target, such as stealing sensitive data and encrypting it.

Strategy for a stronger defense

The Cyber Kill Chain model is ideal for defense because it helps you track attacks that have taken place. Each phase has its own defense measures. In IT security, there is no single measure that can detect and prevent all eventualities. Instead, each phase must be considered separately to design effective detection and blocking mechanisms. These range from whitelisting, antivirus or endpoint detection and response solutions against execution, to resetting jump servers or network segmentation, to privileged access management and network intrusion detection/prevention systems against control and monitoring.

When developing these measures, it is always important to assume that the defense has failed in the previous phase. Security measures established in this way will enable several independent lines of defense.

Effective security strategy in joint responsibility

With these explanations, I would hope to convey that the blame for a successful attack can never be placed on one person, but that most attacks succeed because the existing security mechanisms are insufficient. After a phishing e-mail has been sent, a reasonable defense strategy still includes a number of detection and defense mechanisms. Sustainable IT security is a series of safety nets; if one breaks, another must be in place to prevent disaster.

Ultimately, cyber resilience requires a holistic approach that encompasses both technology and human factors to effectively combat the ever-evolving threat landscape.

Share this article

About the author

Stephan Mikiss

Head of SEC Defence at SEC Consult Group, an Atos company

Stephan is the Head of SEC Defence, the managed incident response and digital forensics division of SEC Consult. He is responsible for the product at group level and thus for the teams in Germany, Austria, Switzerland, and Romania. In addition, he is team leader of the Austrian SEC Defence members.
Besides his leadership tasks, he appreciates and loves working with customers: From proactive workshops to increase cyber resilience to incident management to efficiently defend against active cyber attacks.
Never stop learning and passing on everything learned to others as best as possible are personal core elements. Together with the great members of SEC Defence, the passion for cyber security can be lived every day as new.

Follow or contact Stephan
Linked-in Icon

All articles


The view from the attacker’s side – How ransom gangs operate and why they are so successful


The changing face of ransomware


The impact of ransomware attacks on business


The role of cybersecurity hygiene in a ransomware incident


Countering ransomware: how to build the right cyber governance strategy


How to protect your cloud from ransomware


Zero Trust: the key to stopping ransomware in its tracks


A comprehensive approach to ransomware defense


Cyber resilience against ransomware: fiction or reality?


How government and law enforcement can help prevent ransomware attacks


Ransomware infections: lessons learnt from the trenches


Batting ransomware: front-line insights from a CTO and a CISO