How to Protect Your Business Against Ransomware
In today’s connected world, cyber security is one of the most important things to consider when running any business or organisation. Cyber attacks are becoming more frequent and more sophisticated, and it doesn’t matter where you’re located: as long as you’re connected, attackers can find you.
One of the most common forms of cyber attacks – both for businesses and individuals – is ransomware.
What is Ransomware?
Simply put, ransomware is malicious software that holds a computer system to ransom: it encrypts files or blocks access to the system until a sum of money is paid. Many current ransomware operations also copy data out before encrypting it and threaten to publish it, so the pressure to pay does not go away even when you have good backups.
Ransomware attacks are financially motivated, and they can hit both individuals and companies. Because the whole purpose is to extort money, targets tend to be chosen for their ability to pay, so organisations are more commonly targeted than individuals.
The official advice from all New Zealand agencies is the same: do not pay the ransom. Paying does not guarantee that the attacker will hand over a working decryption key, return the ransomed files in full, delete any data they have stolen, or refrain from attacking the same target again, and it funds the next attack. However, businesses and organisations often place more value on the ransomed data than on the ransom demand, so in practice the decision is rarely a simple one.
Therefore, the best course of action against ransomware is doing everything you can to prevent an attack in the first place.
Ways to Protect Your Business or Organisation
There is no single ‘set-and-forget’ solution to protecting yourself against ransomware. It’s an ongoing effort by multiple people and multiple teams across the business or organisation.
Below are some actions you can take to mitigate your risk against ransomware. Due to the ever-evolving nature of attackers and attacks, this is not a comprehensive list; this is simply a sample of a large array of actions that can be taken.
Infrastructure and Management:
These are examples of some actions that can be implemented on an organisational level.
- Regular Patching and Updates – This seems like a no-brainer, but it often gets left behind. Patching operating systems and applications on a regular schedule closes the known vulnerabilities attackers look for first. Prioritise anything exposed to the internet (VPN gateways, remote desktop, mail and web servers), because those are the systems ransomware operators scan for.
- Network Segmentation – An attacker who lands on one machine, or compromises a user with broad network access, can otherwise move laterally through the entire environment. Split the network into zones (for example user workstations, servers, and backup systems) that can only talk to each other where there is a business need, and separate the accounts that need elevated access from those that do not. A compromised workstation then reaches far less, and the attacker has a smaller target base.
- Regular Security Reviews – Even when no large-scale or significant security events have happened, it’s important to look at the events that do happen and evaluate how they could have been prevented. If you understand how and why they happened, you can proactively implement fixes that help prevent similar events in the future.
- Offline and Cold Backups – Backups that stay online and reachable from the network are readily accessible from a compromised device, meaning attackers can encrypt or delete them before making their ransom demand. Backups that are offline (disconnected media, or storage that the production network cannot write to) cannot be reached that way, so you can still recover from them in the event of a ransomware attack. Test restores regularly; a backup you have never restored from is an assumption, not a recovery plan.
- Network-Level Firewalling – Don’t rely only on the firewall running on a server, because if the server is compromised, its firewall can be switched off or rewritten as well. A network-level firewall is a completely separate, independent device. It’s important to remember that a firewall is only as good as its policies, so make sure the rules themselves are valid, minimal, and kept up to date.
- Logging, Monitoring, and Alerts – This action goes hand in hand with regular security reviews. Logs, monitoring and alerts provide visibility of what’s happening in your systems and let you act quickly when something occurs. Send logs to a central system that a compromised device cannot wipe, so the evidence survives the attack.
- Incident Management Processes – What happens when something goes wrong? What’s the process for handling it? Who is contacted, and in what order? Having this process documented and rehearsed is crucial to a prompt response, which can go a long way towards limiting the damage.
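As an added illustration of what “monitoring and alerts” can mean in practice, here is a small detector that is not part of the original article: it reads file-activity log lines (a constructed format of timestamp, user, action and path) and raises an alert when one account renames many files to an encrypted-looking extension within a short window, or writes a file whose name looks like a ransom note. The extension list, the note markers and the thresholds are assumptions chosen for the example; a real deployment would tune them to the file server’s own audit log format.

```python
"""Added example (not from the original article): flag ransomware-like file
activity in audit log lines. The log format, extensions and thresholds below
are assumptions made for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Format assumed for this example:
#   <ISO-8601 timestamp> <user> <WRITE|RENAME|DELETE> <path>
SAMPLE_LOG = """\
2024-03-04T09:00:01 alice WRITE /shares/finance/q1.xlsx
2024-03-04T09:00:05 alice WRITE /shares/finance/notes.docx
2024-03-04T09:01:10 bob WRITE /shares/hr/policy.docx
2024-03-04T09:02:00 bob RENAME /shares/hr/policy.docx.locked
2024-03-04T09:02:01 bob RENAME /shares/hr/leave.xlsx.locked
2024-03-04T09:02:01 bob RENAME /shares/hr/salaries.xlsx.locked
2024-03-04T09:02:02 bob RENAME /shares/hr/contracts.pdf.locked
2024-03-04T09:02:02 bob RENAME /shares/hr/handbook.pdf.locked
2024-03-04T09:02:03 bob WRITE /shares/hr/README_TO_DECRYPT.txt
2024-03-04T09:30:00 alice RENAME /shares/finance/q1-final.xlsx
"""

# Assumed indicator lists; real extensions and note names vary by family.
SUSPICIOUS_EXTENSIONS = (".locked", ".encrypted", ".crypt", ".enc")
RANSOM_NOTE_MARKERS = ("decrypt", "how_to_restore", "recover_files")


def parse_line(line):
    """Split one log line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action.upper(), path


def detect(log_text, burst_count=5, window_seconds=60):
    """Return a list of (timestamp, user, message) alerts.

    Two behaviours are flagged:
      * a burst: one user renames >= burst_count files to a suspicious
        extension within window_seconds (mass encryption in progress);
      * a ransom-note-like filename being written.
    Each user is reported for a burst at most once, so a long encryption
    run produces one alert rather than one alert per file.
    """
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of suspicious renames
    flagged = set()
    window = timedelta(seconds=window_seconds)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, action, path = parse_line(raw)
        name = path.rsplit("/", 1)[-1].lower()

        if action == "WRITE" and any(m in name for m in RANSOM_NOTE_MARKERS):
            alerts.append((ts, user, f"ransom-note-like file written: {path}"))

        if action == "RENAME" and name.endswith(SUSPICIOUS_EXTENSIONS):
            q = recent[user]
            q.append(ts)
            # Drop renames that have fallen out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= burst_count and user not in flagged:
                flagged.add(user)
                alerts.append((ts, user,
                               f"{len(q)} renames to encrypted-looking "
                               f"extensions within {window_seconds}s"))
    return alerts


if __name__ == "__main__":
    for ts, user, msg in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT user={user}: {msg}")
```

On the sample log this produces two alerts for user bob: one when the fifth rename to `.locked` lands within the window, and one for the ransom note. Alice’s single ordinary rename produces nothing, which is the point of using a rate over a window rather than alerting on every rename.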
Individual Users:
These are examples of some actions that individual users can take to protect themselves.
- Multi-factor Authentication (MFA)/Two-factor Authentication (2FA) – Where possible, users should enable this. MFA/2FA is essentially a second check that it’s actually the user attempting to log in, so a stolen password alone is not enough. It comes in several forms, such as an authenticator app on your phone, a physical security key, or a token that generates a code.
- Regular Backups – To retain copies of important data, users should regularly back up their computers to an external drive, but be sure to disconnect the drive from the device once the backup has completed. A drive that stays plugged in is just another volume for ransomware to encrypt.
- Passwords – It’s important not to choose easy-to-guess passwords. Users should also use different passwords for different sites and logins, as this prevents “credential stuffing” (where a password leaked from one site is tried against many others). A password manager will keep track of them for you; there are many free password managers available that come with browser extensions.
- Frequent Updates – Users should run all operating system and application updates regularly and as soon as they are prompted to do so. Updates include vulnerability patches, so it’s important not to put them off.
- Don’t Open Attachments from Unknown/Unverified Sources – This one may seem like a no-brainer, but phishing emails are getting cleverer. Many arrive with attachments that claim to be urgent, important things like overdue invoices. If you’re unsure or weren’t expecting an attachment, do not open it. Instead, ring the alleged sender on a number you already have (not one taken from the email) to confirm they actually sent it; better safe than sorry.
- Enable Antivirus and Update Frequently – Antivirus isn’t perfect, but it’s another line of defence. Users should make sure it’s enabled on their device, as people sometimes turn it off temporarily and forget to turn it back on.
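The “Offline and Cold Backups” and “Regular Backups” points above both rest on being able to tell that a backup is still intact before you need it. The following added example, which is not code from the original article, shows one way to do that: record a SHA-256 manifest of the backup set when it is taken, keep the manifest somewhere else, and verify the set against it later. Files that were encrypted in place, renamed, deleted, or added (such as a ransom note) all show up in the report. The directory layout, file contents and the simulated attack in `demo()` are constructed for illustration.

```python
"""Added example (not from the original article): an integrity manifest for a
backup set. Hash every file when the backup is taken; verify the hashes before
you rely on the backup. Changed, missing or unexpected files show up, which is
how an encrypted or deleted backup would reveal itself. The directory layout
and file contents in demo() are constructed for illustration."""
import hashlib
import os
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def write_manifest(manifest, path):
    """Store the manifest as 'hash  relative/path' lines. Keep it outside the
    backup set, otherwise an attacker who reaches the backup can rewrite it."""
    with open(path, "w", encoding="utf-8") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    manifest = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify_manifest(root, manifest):
    """Compare the current state of root against a stored manifest."""
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in manifest
                          if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: take a backup, simulate ransomware reaching it,
    then verify. Returns the verification report."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as store:
        for rel, data in {
            "finance/q1.xlsx": b"quarterly numbers",
            "hr/policy.docx": b"leave policy",
            "hr/salaries.xlsx": b"confidential",
        }.items():
            _write(root, rel, data)
        manifest_path = os.path.join(store, "backup.manifest")
        write_manifest(build_manifest(root), manifest_path)

        # Simulate an attacker who can reach the backup: encrypt one file in
        # place, rename another, delete a third, and drop a ransom note.
        _write(root, "finance/q1.xlsx", os.urandom(32))
        os.rename(os.path.join(root, "hr", "policy.docx"),
                  os.path.join(root, "hr", "policy.docx.locked"))
        os.remove(os.path.join(root, "hr", "salaries.xlsx"))
        _write(root, "hr/README_TO_DECRYPT.txt", b"pay us")

        return verify_manifest(root, read_manifest(manifest_path))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run the verification as part of a scheduled restore test rather than only after an incident; a manifest that is checked every week tells you the backup was good last week, which is the question you will actually be asking.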
What Should You Do If You Encounter a Cyber Security Event?
Your exact course of action will depend on the process your organisation has in place, but in general, the following is a good example of where to start:
- The first thing you should do is disconnect the device from the network: unplug the network cable and turn off Wi-Fi. This stops the malware spreading to shared drives and other machines, and cuts off the attacker’s remote access.
- Next, fully shut down your computer. Don’t just close the laptop lid, as that often only puts it to sleep; be sure to actually shut it down. This can help stop the attack in its tracks so it can’t go any further. One caveat: shutting down discards evidence held in memory, so if your IT or security team asks you to leave the machine powered on but isolated from the network, follow their instruction instead.
- Then, notify the relevant person within your organisation (IT department, security consultant, etc.). Give them all the relevant information: the time and date of the event, what you were doing when it happened, and whether anything has behaved oddly in the last couple of days. Anything you can think of will be helpful; even something that seemed insignificant at the time can be very useful to an investigation.
When it comes down to it, the biggest protection asset a company can have is its people. Cyber security is everyone’s responsibility, so it’s important to make sure your people remain vigilant and pay attention. If something seems weird or not quite right, make sure they report it and don’t feel embarrassed to do so. This can prevent a seemingly innocent event from turning into a very large problem.