What was once an arcane security threat that only IT professionals worried about is now a lead story in the news. With the recent attack on Colonial Pipeline, regular citizens are learning about the dangers of ransomware, and those living on the East Coast were personally feeling the effects of the attack with long lines at gas stations and low supply. Colonial Pipeline eventually paid nearly $5 million to the attackers to regain control of their network and data. When you consider that Colonial Pipeline provides 45% of the fuel for the East Coast, the costs and consequences could have been much higher.
Large corporations with deep pockets may seem like the ideal target for attackers, but that doesn’t mean attackers are not interested in small and medium businesses. According to a report from Datto, one in five SMBs report that they have already been the victim of a ransomware attack. The average ransom is around $6,000, but that price is only part of the total cost. Data shows the total financial impact of an attack is up to 23 times greater than the ransom itself. The downtime, investigation, containment, and recovery time and expense are added to lost sales. Reputational damage can be even higher.
Ransomware Attacks Begin With the Click of a Mouse
Phishing emails are the preferred method of initiating a ransomware attack. Phishing emails are easy to send and, in business terms, deliver a high return on investment. By leveraging social engineering schemes, the phishing email lures victims into clicking on a link that launches the attack. Phishing emails are increasingly designed to look like they come from a trustworthy source. A recent phishing attack posed as an email from Microsoft itself, and was so well crafted that it initially evaded most security software solutions.
While security software is critical, it isn’t foolproof. And in the case of a phishing email, one of your most valuable security assets can also be your largest liability: employees. If a phishing email makes it past your security software and into an employee’s inbox, no damage has been done. A phishing email requires the employee to take an action, usually by opening an attachment or clicking on a link, that then initiates the attack. That’s why most phishing emails will combine a sense of urgency and fear-inducing language, hoping the employees will click without thinking. Most employees want to do the right thing, and when they see an urgent problem, they naturally want to move quickly.
Educating employees on how to detect the key characteristics of phishing emails can turn them from a security liability to a security asset. When they know that bad grammar, a sense of urgency, and a request to click a link or open an attachment are a dangerous combination, rather than mindlessly clicking the mouse to inadvertently launch the attack, they can forward the email to the security team to alert them to the threat. Security training needs to be well designed: too long and employees lose interest, too infrequent and employees forget, not updated frequently and the information isn’t as relevant.
Build a Layered Defense
If you’ve read our previous blog posts, this section should be familiar. Just as there are many different types of threats, there are many different types of security software. No one piece of security software is sufficient against all threats, so it’s really about assembling the best “team” of security software to get the overall protection you need: endpoint detection and response, mobile device management, security event monitoring, firewalls, anti-phishing, multi-factor authentication, etc.
In addition to good security software, you need to minimize your attack surface. Regularly test the network looking for security holes, mapping the devices on the network and their current security settings. Remove services and connections that are not necessary.
Prepare Your Response in Advance
In the event of a ransomware attack, the most effective response is something we’ve had for decades: backups. A robust backup process should be considered a security tool, and evaluated and funded accordingly. If ransomware attacks a single PC, and you have a secure backup from shortly before the attack, simply wiping the drive and restoring the backup image is all that is required. Even if the attack spreads to more PCs, as long as they have backups, you’re only looking at a productivity hit while you reimage systems.
The situation gets ugly fast when the ransomware spreads from your PCs to your servers. Now critical business processes are shut down, from manufacturing to financial to even phones. Your response plan should prioritize assets rather than treating them all as equivalent. For example, the data on your most critical assets should be backed up more frequently than for less critical devices. Since cybersecurity is a continuous process, you must continue adapting your plans for critical assets so that when a problem occurs, you can quickly remediate critical assets to keep your business running.
The rise of cloud-based backups has made it easier to run continuous incremental backups to avoid data loss. However, these cloud-based backups are always connected, giving the ransomware a chance to encrypt the backups themselves. In this case, you can’t restore from backups without paying the ransom. That’s why it’s important to continue to backup to physical devices that are then stored offsite and disconnected from any network. This belt-and-suspenders approach may cost a little bit more up front, but it pays dividends when there is a problem and your only choices are paying a ransom or suffering through a prolonged attack.
Don’t Stop Evolving
Cybercrime doesn’t stop evolving; neither should your security planning. The only way your company can keep pace with the criminals is to continuously assess, upgrade, and improve. With several different security software tools protecting your business, you need to track each one, updating when necessary and regularly evaluating new competing solutions against your current solutions. All new employees need to be trained to detect phishing emails, and existing employees need regular refresher training to keep their skills sharp. Backup and recovery plans for critical assets need to be reviewed regularly to ensure they are effective against the latest threats.
While it sounds exhausting, blunting the threat of cybercrime to your business is possible. By reducing your attack surface and educating employees, you make it much more difficult to launch an attack. By running up-to-date security software, you increase your ability to detect an attack in its early stages when clean-up is easier. And by maintaining a robust backup and recovery process, you can quickly recover from an attack without paying a dime to the criminals.