Dan Smith, Zeguro co-founder and Forbes Technology Council member, explains how SMBs can prepare and fight back against ransomware. (Reprinted as it originally ran on Forbes.com last month.)
According to an April survey conducted by AppRiver (via Silicon U.K.), 55% of executives "at small to medium-sized businesses (SMBs) state they would pay hackers to recover their stolen data in ransomware attacks."
Most SMBs are overwhelmed by security issues and feel they aren't adequately prepared to deal with threats. Ransomware is a form of malware designed to lock you out of your information systems and hold your data hostage. Once an attacker has installed the ransomware, it proceeds to encrypt all the data it can find on your computer systems and then demands payment (often via cryptocurrency) in exchange for restoring access. Unlike other forms of malware, ransomware can shut down a company's operations entirely — sometimes for days while you're recovering, but other times permanently.
Since you don't want your business to endure the cost of a cyber breach, how can you be prepared and fight back?
Continuity, Recovery And Restoration
The main goal of a ransomware attack is to make your computer systems and data unavailable when you need them. It helps to have some planning in place for contingencies in the event that an attack disrupts your normal business operations. These recommendations can help you ensure the continuity of your business without having to pay a ransom:
• Secure, Off-Device Backups: Some may choose to securely store data in a second location. If a particular device falls victim to ransomware, the easiest path is to simply roll it back to an earlier, unencrypted state. It's as simple as backing up to a second hard drive or using a cloud backup service.
• Contingency Planning: Although it won't help prevent a ransomware attack, a documented plan for contingency operations can help your team recover faster. Nobody does their best work under extreme pressure, so a well-written plan can guide your team through a stressful time successfully. Include an asset register that lists each device, its unique name and where it connects on the network. This will help determine whether an internal or remote admin and contact is needed.
• Ransomware Insurance: An attack counts as a business interruption, so know if your cyber risk insurance policy covers ransom payments. It's not the best option (paying a data thief only reinforces their bad behavior), but at least insurance can help you offset some of the financial burdens of a ransomware attack.
There's an old political maxim that states, "It's the economy, stupid." In cybersecurity terms, the maxim is, "It's software, stupid!" All systems require software that, since it's designed by fallible human beings, can contain bugs, flaws and vulnerabilities.
It is crucially important to identify any and all patches available for the software you're using and to ensure that patches are applied in a timely manner. Some patching programs run on a cadence, though there will be patches that need to be applied sooner than the prescribed time due to the severity of the flaw they're correcting. Patch deployment rates are a key metric for all businesses to focus on because unpatched software is the digital equivalent of leaving a key in the lock.
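One way to track the patch deployment rate described above, with shorter deadlines for more severe flaws (an added example, not part of the original article; the deadline values, device names and patch IDs are constructed assumptions):

```python
from datetime import date

# Assumed policy (not from the article): days allowed from release to deployment.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30}

# Constructed sample data: one row per (device, patch); deployed=None means missing.
RECORDS = [
    ("fin-laptop-01", "PATCH-A", "critical", date(2024, 3, 1), date(2024, 3, 4)),
    ("front-desk-pc", "PATCH-A", "critical", date(2024, 3, 1), None),
    ("file-server", "PATCH-B", "high", date(2024, 3, 10), date(2024, 3, 30)),
    ("file-server", "PATCH-C", "medium", date(2024, 3, 20), None),
    ("fin-laptop-01", "PATCH-C", "medium", date(2024, 3, 20), date(2024, 3, 22)),
]

def patch_report(records, today):
    """Return deployment rate, on-time rate and missing patches past their deadline."""
    if not records:
        raise ValueError("no patch records: the asset register is empty")
    deployed, on_time, overdue = 0, 0, []
    for device, patch, severity, released, installed in records:
        limit = SLA_DAYS[severity]
        if installed is not None:
            deployed += 1
            # A patch applied after its deadline still counts as deployed, but late.
            if (installed - released).days <= limit:
                on_time += 1
        else:
            days_late = (today - released).days - limit
            if days_late > 0:
                overdue.append((device, patch, severity, days_late))
    # Most overdue first: these are the gaps to close before the next cycle.
    overdue.sort(key=lambda row: row[3], reverse=True)
    return {
        "deployment_rate": round(deployed / len(records), 2),
        "on_time_rate": round(on_time / deployed, 2) if deployed else 0.0,
        "overdue": overdue,
    }

if __name__ == "__main__":
    print(patch_report(RECORDS, today=date(2024, 4, 1)))
```

The overdue list separates patches that are merely pending within their window from those that have missed it, which is the distinction the cadence-versus-severity point turns on.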
Audits are a great way to get the pulse of your security and compliance program, but unless you have an around-the-clock audit schedule, there's a good chance that report is stale by the time it hits your desk. Continuous monitoring aims to give near-real-time insight into the state of your security controls, weaknesses in your environment and potential security incidents. The sooner you learn about a vulnerability in your organization, the sooner you can patch it.
You should look for a continuous monitoring program that delivers regular, metrics-driven insight across your security risk mitigations (controls) and comprises administrative (people), technical (technology) and operational (process) elements of your organization. For example, security awareness training is a key people risk mitigation, and knowing how many staff members are delinquent provides a measure of risk. On the process side, routine processes like access control reviews and change management approvals are steps organizations can take to mitigate risk, while log analysis and correlation tools can often monitor technological controls in real time. By engaging in continuous monitoring, you can create a proactive security-first approach to cybersecurity.
Employees are the everyday custodians of the data and systems that organizations use to serve their mission, create value and just plain function. Not everybody has a cybersecurity background, though, so employees-as-custodians represent a high-value target for cybercriminals.
There are several things you can do to help your employees maintain vigilance against cyberthreats. Make sure you have an appropriate training program in place, and include content specific to your industry and business, especially if you're in a highly regulated industry like financial services or healthcare. You should also keep the cybersecurity information current — stale, boring material will likely have a negative effect, as it reinforces the idea that cybersecurity is a waste of time rather than a crucially important concern.
Finally, make sure you provide different levels of knowledge. Education is great for your cybersecurity professionals, but other employees who handle sensitive data don't need a bunch of cybersecurity certifications. They need training that is less broad but sometimes more specifically targeted based on an employee's role.
Threats to small businesses in the legal or medical industries that store client and patient data run particularly high, and this playbook should be of great value in those verticals. However, the sad reality is that with payouts on the rise, more hacking (even by unsophisticated new entrants) is happening to businesses of all sizes in all verticals.
By taking the time to understand what ransomware is as well as how and why it can hold your business hostage or cause irreparable downtime, you've already made important strides for your business. By actioning the prevention recommendations above, you are ensuring peace of mind and a better focus on day-to-day business management.