Imagine the following nightmare scenario.
You are the CEO of your company. You stroll into work just like every other day, sit down, and log into your computer. And then…nothing. A blank screen. Black. Or worse yet, a nefarious image pops up that clearly is not from your IT department. Your stomach sinks as you realize you’ve been hacked.
What do you do now? How do you run your company? How do you communicate? Most importantly, how do you find out what critical company information has potentially been stolen?
You’ve become the latest victim of a ransomware attack. Your files are locked with strong encryption, typically a 2048-bit RSA key protecting the per-file keys, which cannot practically be brute-forced; without the attacker’s private key or a clean backup, the data is not coming back.
Many people are familiar with the “WannaCry” ransomware attack, which in May 2017 affected hundreds of thousands of computers around the world. Other families such as Bad Rabbit, CryptoLocker, NotPetya, and SamSam have followed. SamSam in particular has repeatedly hit health care organizations, and NotPetya, although it demanded a ransom, destroyed data with no working way to recover it, a reminder that paying is no guarantee of anything.
According to Bill Dafnis, PhD, PMP, associate dean of technology for Capella University’s School of Business and Technology, ransomware represents one of the greatest cybersecurity threats to organizations of all sizes, as well as individuals.
“Essentially, ransomware is extortion,” Dafnis explains. “Hackers hold organizations ransom by locking down their data and refusing to unlock it until a ransom is paid, most often in bitcoin. Even if the victim pays up, there is no guarantee that their data will be restored or that it is not already being used for other nefarious purposes on the Dark Web.”
So how do you avoid this fate? Dafnis offers the following recommendations to protect against ransomware attacks:
Back up, back up, back up.
Effective data governance that includes redundancy, availability, and storage is the friend of any organization, Dafnis says. Apply software patches promptly and never install software updates unless they come from sources you trust. Without question, every organization needs to back up its data daily, with multiple copies in multiple locations, including offsite. At least one of those copies should be offline or immutable, because current ransomware routinely seeks out and encrypts or deletes any backup it can reach before it detonates, and a backup that has never been restore-tested is not yet a backup.
With such proactive measures and data redundancy in place, hackers are in a much weaker position to demand any ransom, Dafnis explains.
Test for ransomware attack scenarios.
While most organizations have technology and systems in place to detect and defend against hacking attempts, relatively few organizations are actually conducting crisis testing for a ransomware attack, Dafnis says.
“Organizations of all sizes absolutely need to educate their employees and test their cybersecurity protocols at least annually,” Dafnis advises. “They need to run penetration tests with scenarios, exercises, and incident-response plans where they shut down the computing devices of their key players and systems and figure out what to do next. How do they recover their data? How suitable and timely is their backup and restore strategy? Can they determine from their log files what is missing or compromised? Do they pay the ransom? Whom do they inform? Those are some cursory questions organizations need to be able to answer.”
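The backup advice above and the restore drill Dafnis describes both come down to one question: after a restore, which files are missing or no longer what they were? The following PowerShell is an added example, not code from the article or from Dafnis. It writes a SHA-256 manifest of a data tree at backup time and later checks a restored copy against it, so the drill produces a list of missing and altered files rather than a gut feeling. The folder names and sample files are constructed for the demonstration, and Windows paths are assumed.

```powershell
# Added example (not from the article): manifest-based restore verification.

function New-BackupManifest {
    param(
        [Parameter(Mandatory)][string]$Root,          # tree being backed up
        [Parameter(Mandatory)][string]$ManifestPath   # CSV stored with the backup (keep a copy offline)
    )
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootFull.Length + 1)
            Length       = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-BackupRestore {
    param(
        [Parameter(Mandatory)][string]$RestoredRoot,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $rootFull = (Resolve-Path -LiteralPath $RestoredRoot).Path.TrimEnd('\')
    # Emits one object per problem file; no output means every file restored intact.
    foreach ($entry in Import-Csv -LiteralPath $ManifestPath) {
        $candidate = Join-Path -Path $rootFull -ChildPath $entry.RelativePath
        if (-not (Test-Path -LiteralPath $candidate -PathType Leaf)) {
            [pscustomobject]@{ Path = $entry.RelativePath; Status = 'Missing' }
            continue
        }
        $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        if ($hash -ne $entry.Sha256) {
            [pscustomobject]@{ Path = $entry.RelativePath; Status = 'Modified' }
        }
    }
}

# --- Drill on constructed sample data in a temporary folder (hypothetical names) ---
$work     = Join-Path $env:TEMP ("restore-drill-" + [guid]::NewGuid())
$source   = Join-Path $work 'source'
$restored = Join-Path $work 'restored'
$manifest = Join-Path $work 'manifest.csv'
New-Item -ItemType Directory -Path (Join-Path $source 'finance') -Force | Out-Null
Set-Content -LiteralPath (Join-Path $source 'finance\q3.csv') -Value 'acct,amount'
Set-Content -LiteralPath (Join-Path $source 'readme.txt') -Value 'board minutes'

New-BackupManifest -Root $source -ManifestPath $manifest

# "Restore" the tree, then simulate what a ransomware run leaves behind:
# one file overwritten with ciphertext-like random bytes and one file deleted.
Copy-Item -LiteralPath $source -Destination $restored -Recurse
$bytes = [byte[]]::new(64)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
[System.IO.File]::WriteAllBytes((Join-Path $restored 'finance\q3.csv'), $bytes)
Remove-Item -LiteralPath (Join-Path $restored 'readme.txt')

Test-BackupRestore -RestoredRoot $restored -ManifestPath $manifest | Format-Table -AutoSize
```

In the drill the overwritten spreadsheet is reported as Modified and the deleted note as Missing, which is exactly the answer to “can they determine what is missing or compromised?” The manifest itself must be stored somewhere the attacker cannot edit, such as with the offline backup copy, because a manifest that ransomware can rewrite proves nothing.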
Train your people to be your first line of defense.
Individual employees are both the weakest link and the greatest asset in defending against cyberattacks, Dafnis says. He shares the following cybersecurity best practices that every person in an organization needs to be aware of, including vendors and third-party contractors that may have access to an organization’s network.
First, Dafnis stresses that everyone who goes online should follow safe Internet practices, such as checking that a URL begins with “https://” before making a payment or sending personally identifiable information. Without HTTPS the connection is not encrypted, and anyone positioned on the network path, a compromised Wi-Fi access point for example, can read or alter what you send. HTTPS protects data only in transit; it says nothing about whether the site itself is honest. In addition, commonly used software, Microsoft Office above all, should have macros disabled by default.
“If you open any of the pop ups and spam messages you receive, there is a good probability that there is ransomware embedded in it,” Dafnis explains. “Also, if you receive an unfamiliar document and a window opens asking if you want to enable ‘macros,’ absolutely do not do it!”
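The “macros disabled by default” control above is enforceable rather than left to each user’s judgement. The following PowerShell is an added example, not code from the article or from Dafnis: it writes the enforced Office policy values for Word, Excel and PowerPoint under the per-user Policies hive and reads them back. It assumes Office 2016/2019/Microsoft 365 (registry version “16.0”); in a domain the same two values belong in Group Policy rather than a local script.

```powershell
# Added example (not from the article): enforce macro defaults for Office.

function Set-OfficeMacroPolicy {
    param(
        [string]$OfficeVersion = '16.0',
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),
        # VBAWarnings: 4 = disable all macros without notification (used here),
        # 3 = allow only digitally signed macros, 2 = disable with notification (Office's own default)
        [ValidateSet(2, 3, 4)][int]$VbaWarnings = 4
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # Values under the Policies hive are enforced; the Trust Center UI cannot override them.
        New-ItemProperty -LiteralPath $key -Name 'VBAWarnings' -PropertyType DWord `
            -Value $VbaWarnings -Force | Out-Null
        # Block macros outright in files carrying the Mark of the Web (downloaded or e-mailed),
        # which is the case the quote above warns about.
        New-ItemProperty -LiteralPath $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord `
            -Value 1 -Force | Out-Null
    }
}

function Get-OfficeMacroPolicy {
    param(
        [string]$OfficeVersion = '16.0',
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint')
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $props.VBAWarnings
            BlockInternetMacros = $props.blockcontentexecutionfrominternet
        }
    }
}

Set-OfficeMacroPolicy
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

If a business unit genuinely depends on macros, run the script with `-VbaWarnings 3` so that only macros signed by a trusted publisher run; do not fall back to value 2, which is the “Enable Content” bar that the quote above tells users never to click. Recent Microsoft 365 builds already block Internet-sourced macros by default; the policy value makes that behaviour explicit and keeps it from being switched off per user.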
Finally, Dafnis says organizations need to establish firm system access controls, limiting access to only those users who absolutely must have it, with particular scrutiny of anyone who holds administrator rights. Access should be granted strictly on a “need-to-know” basis, and everyday work should be done from a non-administrative account, because ransomware runs with whatever rights the user who opened it has. “No one should have carte blanche access to every system, not even the CEO,” Dafnis says.
So what do you do if, despite your best efforts, your organization becomes a victim of a ransomware attack? First, Dafnis advises, immediately invoke your (ideally already tested) incident response plan, take affected computers and devices off the network so they cannot spread the infection or reach your backups, and preserve your log files, since they are the record of how the attacker got in and what was touched. Contact law enforcement as soon as possible. Next, Dafnis says, it is wise to engage a data recovery and forensics professional to see what can be done to recover data without paying the ransom.
“The reality is, organizations that don’t take the threat of ransomware seriously and don’t take the right precautions to protect against it are more likely to be forced to make some hard decisions as to whether or not to pay a hacker when a ransomware attack hits, with little assurance they will ever recover their systems and data,” Dafnis concludes. “Ransomware attacks are sobering. You don’t want to place your organization in a vulnerable situation.”
Learn more about Capella University’s Master of Science in Information Assurance and Cybersecurity program.