3 minute read 10 May 2021

Three ways to protect your organization against ransomware

By Dave Burg

EY Americas Cybersecurity Leader

Proud husband, father of three. Skiing, tennis and golf enthusiast.


Ransomware attacks can be costly and damaging to the unprepared organization. A layered defense strategy can reduce the risk.

In brief

  • Secure configurations, proactive threat identification, and employee training and testing are essential first-line elements of cyber defense.
  • Strong management of privileged and administrative access can effectively limit an attacker’s ability to harvest data or launch a ransomware attack.
  • An incident response plan, tested regularly, is essential to limiting damages and recovering quickly from a cyber attack.

Successful ransomware attacks are on the rise, and this trend is likely to continue. As ransomware attacks increase in frequency and evolve in sophistication, it is critical to understand the current attack patterns that lead to an attacker’s success. Only then can you implement steps to reduce the risk of a disruptive incident.

Download our full report on how to protect your organization from ransomware.

For years, cybersecurity defense strategists have promoted a multilayered (defense in depth) approach to prevent attackers from gaining access. Despite multiple variations and opinions, all agree that hardening the exterior shell is a necessary part of effective defense. In other words, decreasing the attack surface makes the organization a more difficult target to exploit.

1. Shore up your ransomware defense

There are many methods for malicious actors to gain access to an environment. Ransomware attacker groups continue to successfully target unpatched vulnerabilities in a wide variety of applications and systems. Exploiting insecure network services, especially via Remote Desktop Protocol (RDP), is another common method.

Establishing a strong set of security controls to protect against these vulnerabilities is important to a successful defense. Organizations must establish, implement and manage a secure configuration for each system on the network. They also need to consider access controls, scanning strategies, patch management processes and more. 

Advanced endpoint detection and response (EDR) solutions use proactive techniques, such as machine learning and behavioral analysis, to identify potentially new or complex threats. EDR solutions can quickly identify an attack and its scope across your network, then isolate and/or quarantine infected systems to stop the attack. Advanced techniques like EDR make it much more difficult for an attacker to establish a solid footing on your network.

2. Consider privileged access management

An attacker’s goal is often to obtain persistent access and escalate access privileges. The attacker requires significant access and leverage to propagate ransomware across the IT environment. If an attacker gains access to wide system admin credentials, or worse yet, domain admin credentials, they can use your infrastructure against you to widely disrupt IT systems and deploy ransomware.

It’s critical that organizations do everything they can to protect privileged accounts and administrative access within their environment. Without privilege, an attacker is limited in being able to widely impact the organization. Unfortunately, many organizations make gaining privileged access too easy and aren’t monitoring for unusual privileged user behavior patterns.

Additionally, malicious actors often focus their efforts on phishing employees to obtain needed credentials or system access for their attack. Employees are human and make mistakes, despite their best efforts and intentions. To reduce the opportunity for successful phishing attacks, organizations should focus training and testing efforts on the individual employee.

3. Create a cybersecurity incident response plan

Even if an organization takes all the steps to protect its network, an attacker will likely find a way in. Attack methods are constantly changing, and it’s virtually impossible to consistently avoid infiltration. It’s important to assume an attacker will get past the best defenses and plan for attacks by building resiliency and redundancy into your organization. This helps organizations limit damages and allows for a quick recovery from a cyber attack.

A cybersecurity incident response plan is a key asset — and it must involve a broad team beyond your cybersecurity team. Consider all internal and external roles that may be involved; all key vendors and contacts; outside firms that can assist with forensics and legal needs; and how to identify, contain, remediate and recover from a cybersecurity incident.

Once you have your plan defined, it’s critical to test it. This is typically done through tabletop exercises, where organizations can pull all required personnel together to safely simulate a ransomware event. The more an organization practices, the more it will identify ways to improve the plan, train employees, reduce the panic if an event occurs and best position itself to respond to a cyber crisis. 


Ransomware attacks are increasing in frequency and evolving in sophistication. Organizations need to shore up their defenses through a strong set of security controls, and protecting privileged accounts and administrative access is critical. A well-tested incident response plan can help train employees, reduce panic and limit the damage of a cyber attack.
