FBI Director Christopher Wray has said that the threats posed by ransomware attacks are on a scale with the challenges posed by the 9/11/01 terrorist attacks. Imagine an earthquake that comes with no warning – sometimes it causes only a little damage, but other times it is catastrophic. Similarly, breach repercussions can range from annoying downtime and limited data loss to full-on, 100% business failure.
Treat cyber security as a business risk. Define what you want to protect, from whom, and what the consequences will be if you fail to protect it. In the worst-case scenario, deciding whether or not to pay the ransom is a business decision – but hopefully it will never come to that.
Here are some best practices to help your small business prepare for a ransomware attack.
Secure Your Endpoints and Entry Points
The Colonial Pipeline breach originated with a legacy VPN system that was password protected but did not have multifactor authentication (MFA) in place. There are a couple of lessons we can learn from this. First, identify all of the ways someone can access your company’s network. Legacy systems are often a weak link when it comes to your cyber security. Likewise, IoT-connected devices may be overlooked but still provide a back door for the bad guys. Never, ever set up a “smart” device with company credentials. Instead, use a unique account for each device that has no access to company data or applications. Install advanced endpoint protection/antivirus software and make sure endpoints are updated with the latest security patches.
Second, make MFA a requirement for critical systems. In addition to VPN, this includes Office 365, password managers, and any other systems containing business-sensitive information. Ongoing security awareness training is another way to enable your users to protect your business against ransomware attacks.
Finally, secure your WiFi. I advise severely limiting access to corporate data over WiFi. Only allow laptops belonging to your business on a privileged WiFi. Consider changing the privileged WiFi password regularly, for example when an employee leaves the company. Set up a guest WiFi that only has access to the Internet and not to your corporate data. Make sure all company cell phones and personal or third-party devices only connect to the restricted guest WiFi.
Back Up Your Data
This should be a no-brainer. Confirm that your backup works, and that the timeframe for recovery meets your business requirements.
Unfortunately, just having a backup doesn’t fully safeguard your company against ransomware attacks. I have experienced firsthand a situation where the hacker gained access to the backup files and began deleting them right in front of my eyes. That was a really bad day. Our partners at Datto recommend using MFA and keeping backup copies in a safe, secure location, preferably geographically separated from the primary data and backups. Check with your IT team to make sure you have these measures in place.
Have a Response Plan
Who is the first person you’ll call in the event of a ransomware attack? Yes, your IT response team is critical, especially because we may be able to stop an attack in progress or prevent additional damage. But what about your corporate counsel and insurance agent? Impacts of a breach can be wide ranging and affect more than just your company. Depending on your industry or geographic location there may be legal and/or compliance implications (think the California Consumer Privacy Act or Europe’s GDPR).
It is a good idea to call your existing corporate attorney first. Once your attorney is involved, there is implied attorney-client privilege that could protect your reputation. If you don’t have a relationship with a qualified corporate attorney, now is the time to set one up before an event happens.
Hackers sometimes use a “pressure clock” where the ransom increases with each hour or day that you don’t pay. Your company will be much better positioned if you have a response plan in place before you find yourself in a tense, time-sensitive situation.
What Happens if You Decide to Pay?
As I said earlier, deciding to pay the ransom is a business decision. You might be able to negotiate with the hacker to lower the amount. However, payments may violate Office of Foreign Assets Control (OFAC) or Know Your Customer (KYC) rules. Check with your lawyer or trusted advisor before proceeding.
Ransomware hackers always request payment in the form of cryptocurrency such as Bitcoin. The physical act of making the payment can be time consuming if you don’t already have an account in place or work closely with someone who does. You don’t want to be purchasing Bitcoin for the first time after a ransom event. It takes time to set up an account and to convert USD to BTC. I recommend all companies have an existing account at a digital currency exchange and some corporate assets in Bitcoin.
Bitcoin is not anonymous because every transaction is logged on a public ledger. However, it is unlikely that law enforcement will be able to recover your payment once it’s been sent. Plus, the costs of downtime, legal fees, investigations, and compliance will add up.
Even if you comply with the hacker’s demands, there is no guarantee that the decryption key provided after payment will work seamlessly. Criminals are not known for their quality control or customer service. Your company may only recover part of your data, or none of it. It will be a long road to recovery. Hopefully, if you’ve taken the time to prepare in advance, your business will experience nothing more than a bump in the road and go on to thrive.
Cyber security is vital to protecting your business. Prepare now, so you do not learn cyber security the hard way.
Feedback
If you have questions about this article, or if there is an IT topic you would like to know more about please email me your suggestions.
Referral$
If you know of a company that would be interested in the services of Invario, please email me the company name along with the phone number and email for the person we should contact.
That is all you have to do! Upon completion of the onboarding of a new customer, Invario will pay the equivalent of one month of Invario service to that customer. Recipients that cannot or do not wish to receive a referral payment may elect to have the referral fee donated to a charity of their choice or put into a company entertainment fund.