Every day, clients come to us with questions about ransomware and how to best prepare their organizations against potential attacks. This is perhaps one of the most vexing challenges in cybersecurity, as ransomware attack methods, motivation, and barriers to entry are constantly evolving. We’ve collated three key questions that concisely explain ransomware:

How do these attackers target my organization? Ransomware attacks are a business unto themselves, and if an organization displays a lack of defenses, it is likely to become a victim. Organizations that do not adapt and change run the risk of fostering attacker innovation.

Why have these attacks grown? It’s a vicious cycle. Attacks are funded by victims, enabling attackers to innovate and develop the next generation of attack methods and technology, targeting the complex and difficult security elements that are not quickly or easily fixed. The cycle will continue as long as the attacker sees an opportunity to profit.

What happens to my organization when an attack occurs? Files with critical business information and systems become unavailable. Sensitive data is exposed, and regulators demand answers. Legal disputes can go on for years. Paying a ransom does not mitigate the damage and may encourage a return.

Anticipate, respond, recover

An active defense, including assessment exercises, threat hunting, and tabletop exercises, can improve any organization’s ability to quickly react to evolving threats.
Ransomware attacks require companies to focus on anticipating the attack, responding when it happens, and recovering and updating business controls to help prevent future events.

Anticipate: Understanding the threat landscape to gain insight into potential threat vectors that can impact a company’s weak control areas is vital; this requires external sensing, an active defense posture, and continuous risk analysis.

Respond: The crisis management approach coordinates the entire enterprise to respond to a ransomware attack. This includes executive, legal, and technical functions.

Recover: This is more than just the resumption of operations. Decisions made during the crisis can have long-lasting impacts on recovery efforts. Steps to prevent recurrence can add to the length and cost of recovery.

Attackers are growing more sophisticated and treat their work in much the same business manner most organizations do. They are hiring developers and business analysts, developing more sophisticated “marketing” techniques such as phishing emails, and growing more sophisticated in recruiting the global skill sets needed to stay ahead of the cyber controls and investments that organizations are working hard to put in place. With attackers constantly innovating, they are unlikely to use the same attack vectors twice. Organizations need to build a recovery plan that can adapt to known and unknown vulnerabilities, to minimize their risk when an incident occurs.

Cyber risk quantification

[Graphic: cyber risk quantification, Protiviti]

The best offense is an active defense. With so many different attack types and an ever-changing risk landscape, effectively prioritizing investments in defenses can be a significant challenge. Quantifying the risk of a ransomware event can help determine where rational investments can be made, and falls under the “Anticipate” step of an advanced ransomware detection approach.
Consider the above graphic, which illustrates how risk quantification can be a useful tool in deciding where to allocate resources to get the most impactful risk reduction. Put simply, cyber risk quantification translates risks into financial terms, a concept an entire business can understand.

We apply risk quantification techniques by identifying risk scenarios and the ways they can result in loss to an organization. Using open-source models, we can then forecast loss to an organization from a number of different ransomware threats.

Ultimately, quantitative risk management allows an organization to understand its risk in financial terms, which in turn enables a clear prioritization of actions to be taken. We believe one of the most powerful arguments for quantitative vs. qualitative risk assessments is the ability to compare different investments to identify what future mitigating measures will most effectively reduce the most loss exposure per dollar invested.

We recently released a case study in which we performed a quantitative risk analysis specific to a ransomware attack on a fictional large financial institution. Ultimately, the insights identified through our analysis will allow this fictional bank to determine its potential maximum disruption from a ransomware attack, assess whether or not current operations can withstand such an impact, and make critical decisions to drive meaningful change.

Remediation creates a sustainable future

A ransomware attack is not a single, discrete event. Someone has gotten in, launched ransomware and/or stolen data. This is an intelligent, human-driven attack that automated tools often have a hard time stopping. Cybersecurity control weaknesses that are impacted by a ransomware attack can cover many areas of a business. In order to fight back, organizations must have an active defense plan that includes proactive assessments and regularly scheduled simulations.
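As an added illustration of the risk quantification approach described earlier (example code written for this page, not the article's own or Protiviti's model), the Python below expresses a handful of ransomware scenarios as expected annual loss in dollars and ranks candidate mitigations by loss avoided per dollar invested. The scenarios, frequencies, loss figures and mitigation effects are constructed placeholder values, not figures from any real assessment.

```python
from dataclasses import dataclass, field
# Constructed, illustrative figures only: not from the article or any real assessment.
@dataclass(frozen=True)
class Scenario:              # one way a ransomware event produces loss
    name: str
    annual_frequency: float  # expected events per year
    loss_per_event: float    # dollars per event: downtime, recovery, legal, regulatory

@dataclass(frozen=True)
class Mitigation:            # a candidate control, its yearly cost, and what it changes
    name: str
    annual_cost: float
    frequency_factors: dict = field(default_factory=dict)  # scenario -> frequency multiplier
    magnitude_factors: dict = field(default_factory=dict)  # scenario -> loss-per-event multiplier

def annual_loss_expectancy(scenarios):
    """Expected yearly loss in dollars: sum of frequency x magnitude over all scenarios."""
    return sum(s.annual_frequency * s.loss_per_event for s in scenarios)

def apply_mitigation(scenarios, m):
    """The scenario set as it would look with the mitigation in place (unlisted scenarios unchanged)."""
    return [Scenario(s.name,
                     s.annual_frequency * m.frequency_factors.get(s.name, 1.0),
                     s.loss_per_event * m.magnitude_factors.get(s.name, 1.0))
            for s in scenarios]

def rank_mitigations(scenarios, mitigations):
    """Rank mitigations by expected loss avoided per dollar spent, best first."""
    baseline = annual_loss_expectancy(scenarios)
    rows = []
    for m in mitigations:
        avoided = baseline - annual_loss_expectancy(apply_mitigation(scenarios, m))
        rows.append((m.name, avoided, avoided / m.annual_cost))
    return sorted(rows, key=lambda row: row[2], reverse=True)

SCENARIOS = [
    Scenario("phish", 0.30, 2_000_000),      # phished credentials lead to encryption
    Scenario("unpatched", 0.10, 5_000_000),  # unpatched internet-facing service leads to encryption
    Scenario("extortion", 0.15, 3_000_000),  # data theft followed by extortion
]
MITIGATIONS = [
    Mitigation("MFA on remote and admin access", 150_000, frequency_factors={"phish": 0.4}),
    Mitigation("tested offline backups and recovery runbook", 200_000,
               magnitude_factors={"phish": 0.5, "unpatched": 0.5}),
    Mitigation("continuous vulnerability management", 250_000, frequency_factors={"unpatched": 0.3}),
]
if __name__ == "__main__":
    print(f"baseline expected annual loss: ${annual_loss_expectancy(SCENARIOS):,.0f}")
    for name, avoided, ratio in rank_mitigations(SCENARIOS, MITIGATIONS):
        print(f"{name}: ${avoided:,.0f} avoided per year, {ratio:.2f} per dollar invested")
```

With these placeholder inputs the backup and recovery investment ranks first even though it is not the cheapest option, which is the kind of comparison the financial framing is meant to make visible.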
We strongly recommend using a risk quantification tool to get the most impact from the defense plan, while securing buy-in across the business for security effectiveness. More specifically, we suggest these remediation steps to create a sustainable future for any organization:

- Define incident response governance procedures
- Quantify the risk for a ransomware event to enable better decision-making
- Improve security controls managing end-user and admin access to company resources
- Ensure robust vulnerability management practices are utilized
- Establish an active, continuous monitoring program for security events
- Confirm digital identity access rights and corresponding controls
- Assess the organization’s response readiness to deal with the next attack

Ransomware is complex, but preventing it doesn’t have to be.

This article was written by Daniel Stone and Tim Kelly.