Imagine the following nightmare scenario.
You start your workday just like every other by sitting down and turning your computer on. But—nothing. A blank screen. Black. Or worse yet, a nefarious image pops up that is not from your IT department. Your stomach sinks as you realize you’ve become the latest victim of a ransomware attack.
Many people are familiar with the “WannaCry” ransomware attack, which in 2017 affected hundreds of thousands of computers around the world. Other variants and names abound, such as Bad Rabbit, Cryptolocker, NotPetya, and SamSam.
According to David Teneyuca, PhD, a faculty member for Capella University’s School of Business and Technology, ransomware represents one of the greatest cybersecurity threats to organizations of all sizes.
“Essentially, ransomware is extortion,” Teneyuca explains. “Hackers hold organizations ransom by locking down their data and refusing to unlock it until a ransom is paid, most often in bitcoin. Even if the victim pays up, there is no guarantee that their data will be restored or that it is not already being used for other nefarious purposes on the Dark Web.”
Teneyuca notes that in recent years, it’s not just organizations that have been targeted. “Ransomware is now targeting common folks,” he says. “Hackers are realizing that companies are putting considerable resources into adding controls in their systems. So they’re going after individuals, nickel and diming them for $100 to $200 at a time. The targets are much easier to hack, and for those small amounts of money, many people will pay just to get it over with, and probably won’t bother to report it.” Going for those smaller totals means these hackers are not looking for high-income victims. “Everyone’s a target,” Teneyuca says. “Students, too. We’re all the
So how do you avoid this fate? Teneyuca offers the following recommendations to protect against ransomware attacks:
Back up, back up, back up.
The key aspect of protection for both organizations and individuals is simple: effective data governance that includes redundancy, availability, and storage. Apply software patches religiously and never download software updates unless they are from sources you trust. Without question, every organization needs to back up its data daily with multiple copies in multiple digital and offsite locations.
Yes, there are other ways to protect against ransomware, but this is the only guaranteed way, says Teneyuca. “These hackers encrypt your data and they have the key,” he explains. “They don’t take your data, or remove it, just encrypt it so you can’t access it. If you have a solid backup, you can circumvent their demands.”
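A backup only “circumvents their demands” if it can actually be restored, so the check worth automating is restorability, not just existence. The following script is an added illustration (not from the article or from Capella): it builds a constructed source tree and three backup copies in a temporary directory, silently corrupts one copy, then verifies every copy against a SHA-256 manifest and checks the policy the section describes (multiple good copies, at least one offsite, at least one no older than a day). The policy thresholds `MIN_COPIES` and `MAX_AGE` and the copy names are assumptions for the demo.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Hypothetical backup-policy parameters for this example (not from the article).
MIN_COPIES = 2                 # at least two independently verified good copies
MAX_AGE = timedelta(days=1)    # "back up ... daily": newest good copy must be < 1 day old


def sha256_file(path):
    """Hash a file in chunks so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copy(root, manifest):
    """Return the manifest entries that are missing or whose content hash differs.

    An encrypted or tampered file changes its hash, so a copy that was itself
    hit by ransomware (or bit-rot) shows up here instead of failing at restore time.
    """
    bad = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file() or sha256_file(p) != expected:
            bad.append(rel)
    return bad


def assess_backup_set(manifest, copies, now):
    """Evaluate a set of copies against the manifest and the policy above.

    copies: list of dicts with keys name, root (Path), offsite (bool), taken_at (datetime).
    """
    report = {"good_copies": [], "bad_copies": {}, "offsite_ok": False,
              "fresh_ok": False, "restorable": False}
    good = []
    for c in copies:
        bad = verify_copy(c["root"], manifest)
        if bad:
            report["bad_copies"][c["name"]] = bad
        else:
            good.append(c)
            report["good_copies"].append(c["name"])
    report["offsite_ok"] = any(c["offsite"] for c in good)
    report["fresh_ok"] = any(now - c["taken_at"] <= MAX_AGE for c in good)
    report["restorable"] = (len(good) >= MIN_COPIES
                            and report["offsite_ok"] and report["fresh_ok"])
    return report


def build_demo():
    """Construct sample data: a source tree, its manifest, and three copies (one corrupted)."""
    base = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src = base / "source"
    src.mkdir()
    (src / "ledger.csv").write_text("id,amount\n1,100\n")
    (src / "notes.txt").write_text("quarterly notes\n")
    manifest = {p.name: sha256_file(p) for p in sorted(src.iterdir())}
    now = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)  # constructed clock
    copies = []
    for name, offsite, age_hours, corrupt in [
        ("onsite-nas", False, 6, False),
        ("offsite-cloud", True, 12, False),
        ("usb-drive", False, 72, True),
    ]:
        root = base / name
        shutil.copytree(src, root)
        if corrupt:
            # Simulate a copy whose content was overwritten (e.g. encrypted in place).
            (root / "ledger.csv").write_bytes(b"\x00" * 16)
        copies.append({"name": name, "root": root, "offsite": offsite,
                       "taken_at": now - timedelta(hours=age_hours)})
    return manifest, copies, now


def run_demo():
    manifest, copies, now = build_demo()
    return assess_backup_set(manifest, copies, now)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The corrupted `usb-drive` copy is reported with the exact file that fails, while the two intact copies still satisfy the policy, so the set as a whole is judged restorable. Running a check like this on a schedule, against real manifests, is what turns “we have backups” into evidence that a restore would work.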
Test for ransomware attack scenarios.
While most organizations have technology and systems in place to detect and defend against hacking attempts, relatively few organizations are actually conducting crisis testing for a ransomware attack, Teneyuca says.
“Organizations of all sizes absolutely need to educate their employees and test their cybersecurity protocols at least annually,” he advises. “They need to run penetration tests with scenarios, exercises, and incident-response plans where they shut down the computing devices of their key players and systems and figure out what to do next. How do they recover their data? How suitable and timely is their backup and restore strategy? Can they determine from their log files what is missing or compromised? Do they pay the ransom? Whom do they inform? Those are some cursory questions organizations need to be able to answer.”
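One of the questions above, whether the log files can show what was compromised, can be rehearsed with a small detector before a real incident. The script below is an added example (not from the article or its interviewee): it parses a constructed sample of file-server audit lines in a simple `key=value` format, then flags any user/process pair that renames more than a threshold of files within a short window and lists every path that actor touched. The log format, the `.locked` extension and the `threshold`/`window` values are assumptions for the demo, not real ransomware indicators.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit lines (not real logs). Two users do ordinary work;
# one process performs a burst of renames to a new extension plus a note file.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z user=alice proc=WINWORD.EXE op=WRITE path=/share/finance/budget.docx
2024-01-10T09:00:30Z user=bob proc=EXCEL.EXE op=WRITE path=/share/finance/q1.xlsx
2024-01-10T09:01:02Z user=carol proc=updater.exe op=RENAME path=/share/hr/policy.pdf new=/share/hr/policy.pdf.locked
2024-01-10T09:01:03Z user=carol proc=updater.exe op=RENAME path=/share/hr/handbook.docx new=/share/hr/handbook.docx.locked
2024-01-10T09:01:03Z user=carol proc=updater.exe op=RENAME path=/share/finance/budget.docx new=/share/finance/budget.docx.locked
2024-01-10T09:01:04Z user=carol proc=updater.exe op=RENAME path=/share/finance/q1.xlsx new=/share/finance/q1.xlsx.locked
2024-01-10T09:01:05Z user=carol proc=updater.exe op=WRITE path=/share/hr/README_RESTORE.txt
2024-01-10T09:05:00Z user=alice proc=WINWORD.EXE op=WRITE path=/share/finance/budget.docx
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one audit line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(KV_RE.findall(m.group("kv")))
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return ev


def detect_mass_rename(lines, window=timedelta(seconds=60), threshold=4):
    """Flag (user, proc) actors that rename >= threshold files inside `window`.

    For each flagged actor the alert lists every original path that actor renamed
    and the extensions the files were renamed to, which is the "what is missing or
    compromised" list an incident-response exercise needs.
    """
    by_actor = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev.get("op") == "RENAME" and "new" in ev:
            by_actor[(ev["user"], ev["proc"])].append(ev)

    alerts = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[actor] = {
                    "affected": sorted(e["path"] for e in evs),
                    "new_extensions": sorted({e["new"].rsplit(".", 1)[-1] for e in evs}),
                    "first_seen": evs[start]["ts"].isoformat(),
                }
                break
    return alerts


if __name__ == "__main__":
    for (user, proc), info in detect_mass_rename(SAMPLE_LOG.splitlines()).items():
        print(f"{user}/{proc} renamed {len(info['affected'])} files "
              f"to .{','.join(info['new_extensions'])} starting {info['first_seen']}")
        for path in info["affected"]:
            print("  ", path)
```

Only `carol/updater.exe` crosses the threshold; the two ordinary writers never appear because they rename nothing. The same sliding-window logic works on real audit sources once `parse_line` is adapted to their format, and the resulting file list is exactly what a tabletop exercise should compare against the backup manifest to decide what to restore.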
Train your employees to be your first line of defense.
Individual employees are both the weakest link and the greatest asset in defending against cyberattacks, Teneyuca says. He shares the following cybersecurity best practices that every person in an organization needs to be aware of, including vendors and third-party contractors that may have access to an organization’s network.
First, he stresses that everyone who goes online should follow safe Internet practices, such as ensuring the prefix “https” is in a URL when making a payment or sending personally identifiable information. Without this prefix, your data is not encrypted in transit, and information you share can be viewed by hackers. In addition, commonly used software should have macro scripts disabled by default.
“If you open any of the pop-ups and spam messages you receive, there is a good probability that there is ransomware embedded in it,” he explains. “Also, if you receive an unfamiliar document and a window opens asking if you want to enable ‘macros,’ absolutely do not do it!”
Finally, Teneyuca says organizations need to establish firm systems access controls for employees, limiting access to only those users who absolutely must have it, with an added emphasis on those who hold administrator rights. It’s critical that access is granted on a need-to-know basis. “No one should have carte blanche access to every system, not even the CEO,” he says.
Take action if
So what do you do if, despite your best efforts, your organization becomes a victim of a ransomware attack? Teneyuca advises immediately invoking your (ideally tested) incident response plan, taking affected computers and devices off the network so they don’t infect others, and preserving your log files. Also, contact law enforcement as soon as possible. Next, he says it’s wise to seek a professional in data recovery and forensics to see what can be done to recover data without paying the ransom.
“The reality is, organizations that don’t take the threat of ransomware seriously and don’t take the right precautions are more likely to be forced to make hard decisions as to whether or not to pay a hacker when a ransomware attack hits,” he concludes. “Even if the ransom is paid, there is no assurance an organization will ever recover their data. Ransomware attacks are sobering. You don’t want to place your organization in a vulnerable situation.”
Learn more about the Master of Science in Information Assurance and Cybersecurity program at Capella University.