Finally, with whitelisting, there’s the user acceptance factor: your users won’t be able to download anything, including browser plugins, that you have not already allowed in advance. This includes even the most minor programs, like PuTTY, which is popular with your IT staff for secure shell tunneling over the internet using SSH, or something like Notepad+, a great text editor many knowledge workers like to download for quick note-taking. (Both of those programs are single executable files that require no installation and are portable between systems, meaning that they often find their way onto thumb drives or USB storage devices and are shared freely among coworkers.)
Are you and your IT team up for the massive effort not only to establish the initial set of whitelisted definitions but also to continually maintain them, even as new patches change digital signatures, new employees request new programs, and additional services come online? It would truly be a massive undertaking, but I call it the nuclear option simply because it is the most straightforward (not the easiest, but the most plainly simple) way of all but eliminating the threat of ransomware on your systems.