It’s every business owner’s worst nightmare: your data is being held hostage and the attackers demand that you pay up. Ransomware, malicious software used by cybercriminals to block access to files until a ransom is paid, is more common than ever. In fact, ransomware victims have paid out over $25 million in recent years and global costs are expected to top $11.5 billion by 2019. What can your business do to address this issue?
The ransom itself is only part of the loss. Other costs include downtime, disruption of the supply chain, the inability to deliver services and the cost of restoring infected systems. Because so many companies are willing to pay, and because opportunities to get into a company’s systems are often plentiful, ransomware is thriving.
As a former CISO and VP of IT Risk Management, I had the experience of leading the IT organization’s efforts to become compliant with a federal IT control framework. We went back to basics and learned something very valuable — it was not the very expensive security technologies that made a dramatic difference in our IT operations and security, it was basic blocking and tackling.
The term “cyber hygiene” can best describe the approach taken. It’s the strategy of ensuring that well-documented and fundamental IT practices are employed throughout daily operations.
In our experience, we went from significant outages on a daily basis to no outages as we started deploying defect-free code. Best of all, we had confidence that our IT systems were immune to the kind of unsophisticated cybercrime attacks that were becoming more and more common.
Here are a few basic cyber hygiene practices you can use to reduce the risk of ransomware and shrink your attack surface. As my team found, these practices also improve the overall performance of your IT organization.
1. Teach your team to be savvy
Use training resources for all your people and make it personal so that they incorporate new habits more readily. The practices they use at work to protect company computer systems and prevent ransomware are the same practices that will protect them, their finances and their family at home.
Strong passwords, safe browsing behaviour and a healthy skepticism of any email that tries to compel an individual to click on a link are strong, front-line defences against ransomware.
2. Install those updates
Ensure that all computer systems are kept up to date on software releases and vendor-supplied security updates. Notable large-scale breaches, such as the Equifax data breach of 2017, came through an internet-facing server running an unpatched version of a web application framework (Apache Struts) for which a fix had already been published. To do this consistently, you need an up-to-date inventory of all hardware and software assets: you cannot patch what you do not know you have.
3. Reset default passwords
Default passwords and vendor settings should be changed. I’ll never forget the day I got a call from an individual who had legitimately purchased a Cisco router through a “reseller.” As he began to set it up, he noticed that it was actually a router that belonged to the company where I was the CISO, and that it was set with vendor default community strings and passwords.
We made a thorough check of all Cisco equipment as well as our internal IT practices to ensure that everything was reset — just in case. We also beefed up our physical security in the data centre to prevent unauthorized leakage of equipment after that.
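As an added example (not part of the original article), the following Python script audits a Cisco IOS-style running configuration for the kind of vendor defaults the story above describes (default SNMP community strings, read-write SNMP access, and passwords stored with `enable password`/`username ... password` instead of `enable secret`/`username ... secret`), and shows a hardened version of the same configuration beside the weak one. The device name, the configuration text, the placeholder hashes and the extra community strings beyond the well-known `public`/`private` are all constructed for illustration and are not taken from any real device.

```python
import re

# Community strings commonly shipped as vendor defaults. "public" and "private"
# are the classic ones; "cisco" and "admin" are assumed additions for illustration.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}

# Constructed example of a device left on vendor defaults (not a real config).
WEAK_CONFIG = """\
hostname edge-rtr-01
enable password 7 0822455D0A16
username admin privilege 15 password 0 cisco
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 login local
"""

# Constructed hardened version of the same device. The "no snmp-server community
# public/private" commands were applied, so the lines are simply gone from the
# running-config; SNMPv3 with authentication and encryption replaces them.
# <scrypt-hash>, <auth-pass> and <priv-pass> are placeholders, not real secrets.
HARDENED_CONFIG = """\
hostname edge-rtr-01
service password-encryption
enable secret 9 <scrypt-hash>
username netops privilege 15 secret 9 <scrypt-hash>
snmp-server group NETMON v3 priv
snmp-server user netmon NETMON v3 auth sha <auth-pass> priv aes 128 <priv-pass>
line vty 0 4
 login local
 transport input ssh
"""


def audit_ios_config(config: str) -> list:
    """Return a list of (line_number, finding) tuples for an IOS-style config.

    Line number 0 is used for findings about the configuration as a whole.
    """
    findings = []
    has_enable_secret = False
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()

        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line, re.I)
        if m:
            community, mode = m.group(1), (m.group(2) or "RO").upper()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((n, f"default SNMP community '{community}' ({mode})"))
            if mode == "RW":
                findings.append((n, f"read-write SNMP community '{community}'; prefer RO or SNMPv3"))
            continue

        if re.match(r"enable secret ", line):
            has_enable_secret = True
            continue

        if re.match(r"enable password ", line):
            findings.append((n, "'enable password' stores a cleartext or reversible password; use 'enable secret'"))
            continue

        m = re.match(r"username (\S+) .*\bpassword\b", line)
        if m:
            findings.append((n, f"user '{m.group(1)}' uses 'password' instead of 'secret'"))

    if not has_enable_secret:
        findings.append((0, "no 'enable secret' configured"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_ios_config(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for line_no, text in results:
            print(f"  line {line_no}: {text}")
```

Run against the two constructed configurations, the weak one produces six findings (both default communities, the read-write community, the two reversible passwords and the missing `enable secret`) and the hardened one produces none. The same check can be run over configuration backups exported from a network management system, which turns the "just in case" sweep described above into something repeatable.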
4. Keep a lid on coding errors
Any software that is not commercially “shrink-wrapped” should be developed under a well-defined software development lifecycle (SDLC). If you outsource software development, evaluate the vendor’s SDLC or agile process to make sure it is designed to catch the coding errors that can leave your company vulnerable.
5. Develop a backup strategy
Keep regular backups that can be restored easily in the event of an incident, and make sure the strategy can actually restore your systems within a timeframe that does not put you out of business. A backup that has never been test-restored is an assumption, not a plan.
One company I reviewed was operating in a highly transactional environment that could only tolerate about three days of downtime before the billing system stopped storing transactions for future processing. This meant everything that happened in the company after three days of downtime was lost revenue.
The company insisted they had a comprehensive backup system, which was great. However, they backed up everything in the data centre to tape, which would potentially create another issue. We calculated the time required to restore the company systems from tape and it was 17 years.
The bottom line for all SMEs is this: whether you insource or outsource your business systems, taking basic preventative measures with your IT systems and your people can save you significant expense and reputational harm. It will also help ensure that you are not one of the companies that reward cybercriminals by paying their ransom demands.