Be Proactive When it Comes to Ransomware

Body

By Kevin Goodman, Crain's Cleveland Business

By now you have heard of ransomware, where cyberattackers can hold your data, software, devices and entire systems captive until you pay a ransom to get them back.

It's part of the ever-expanding cyberthreat landscape. If you meet the attackers' demands, there's no guarantee you will get your data back uncorrupted — or at all.

Every year, the number of cyberattacks rises and their increasing intensity has governments and industries alike concerned. It is important now more than ever for businesses to understand both the reality and ramifications of these occurrences. Organizations need to begin addressing the magnitude of this threat and make cyber-hygiene an integral part of any business success.

I've spoken with a number of our region's experts to help explain ransomware, what you can do to prevent it and how to behave if you are hit. The digital era requires that we take the time and effort to instill practices that are proactive, reactive, strategic and tactical, including cultural practices, policies and procedures combined in our daily logistics around data security and privacy. It also is smart to engage law enforcement.

We live in a data-centric world where as soon as we gather information, we disseminate it. The proliferation of data offers tremendous advantages as far as timeliness and efficiency, yet the flipside is security and corporate responsibility.

Lines of defense
Proactive steps are the best lines of defense in preventing a hack. These include backups, disaster recovery and IT audits.
 

Ryan Moisio, senior cloud engineer for BlueBridge Networks, cautioned that backups and disaster recovery are often overlooked until you are under attack.

"The maintenance, testing and real-time continuity of your backup routines and systems could likely be the saving grace for a company's infrastructure in the event of a ransomware attack," he said. "This includes having a solid disaster recovery plan detailing actions of all internal technology staff and partners, and testing/simulating a recovery event periodically."

Because most next-generation malware is distributed through email phishing and spam attacks, Moisio suggested the first lines of defense to protect your network include secure email gateways with advanced spam monitoring, URL checking and attachment scanning.

"This also holds true for scanning of your company's internet traffic via (IDPS) intrusion detection/protection systems or a web filter that checks against known malicious IPs or domains," he said.

These tools are helpful for protecting a system from exploitation. But when these tools are installed across networks, a critical step can often be missed, said Dale Dresch, director of information technology at Maloney + Novotny.

An IT audit is one of the most effective ways to ensure best practices are in place and function as effectively as possible, he said.

"An IT audit can provide important and valuable insight into IT environments," Dresch said. "It can provide some assurance that the technologies you use conform to best practices and match the level of security that your business needs. The most effective way to protect against ransomware is to implement fundamental best practices. This includes employee education, regular backups, restricted administrative access, and patching and updating software.

"Whether you use an external third party or an internal audit function, an IT audit will help reduce your organization's risk and enhance communication between your organization's leadership and IT department."

Training
The best defense, though, remains training of the end user, Moisio said. "I can't stress the importance of user education enough when it comes to the topic of ransomware," he said. "As this type of malicious software evolves, knowing what to look for at the user level becomes imperative. Training sessions, weekly updates, phishing simulations — all necessary tools in the fight to combat these types of attacks."

Tim M. Opsitnick, executive vice president and general counsel of TCDI, views user training as essential for strengthening a company's "human firewall." Security awareness training is the best way to combat ransomware, he said, and should be done periodically starting with the onboarding process for new hires.

Hackers, though, have upped their game and phishing emails are not as obvious as they once were, making the "human firewall" more vulnerable.

"Despite continued warnings, many employees continue to click on phishing emails which are the primary source of ransomware," Opsitnick noted. "One reason that the number is so high is that phishing emails are not as painfully obvious as they once were, and hackers have become adept at creating a sense of urgency.

"Do not be the person who infects an entire company. If you are not certain, do not open an unknown email message or click on the attachment to a message."

Legal issues
If hackers do manage to infect your network, it's important to get advice from legal counsel with experience handling ransomware and other data- and privacy-breach events so you can understand your obligations and rights under the law, said Michael Stovsky, partner and chair of the innovations, information technology and intellectual property practice group at Benesch.

First, Stovsky said, "Companies need to quickly determine if the ransomware attack is simply a lockdown of systems and devices by the hacker in an attempt to extort funds from the party attacked (a 'pure' ransomware event) or whether the hacker has gained unauthorized access to or misappropriated personally identifiable information (or will do so if the ransom is not paid)."

Typically, a hacker in a pure ransomware attack treats it like a business transaction: In exchange for a fee (usually payable in bitcoin or some other cryptocurrency), the hacker provides the decryption keys necessary to unlock the locker systems or devices. "In some cases, ransomware attacks are coupled with data breaches, which could trigger additional legal obligations for the party suffering the hack," he noted.

In a pure hack scenario, it comes down to a business decision as to whether to pay the extortion payment or not.

When the ransomware attack is coupled with unauthorized access to or misappropriation of personally identifiable information, he Stovsky said, "a wide range of legal obligations may be triggered under U.S. federal and state law, and potentially international law, including data-breach disclosure obligations." That's why involving counsel is so important, he added.

Communication
If you've been hacked, the next step after evaluating how your systems were affected and working with legal counsel to evaluate the legal implications is to work with your public relations firm to communicate to employees and customers what happened, how they might be affected and what you are doing to address the issue, said Ari Lewis, co-founder and partner at Green Block Group.

"You don't want your customers or employees to hear that an attack occurred from a media outlet rather than the company itself," Lewis said. "The unfortunate reality is that no matter how well you prepare, your company is at risk of getting hacked. It's important that you have a PR firm on retainer that helps you tell the community what happened, who did it and how you are responding."

Ransomware is catching victims off guard. Since the loss sustained is not just monetary but can be reputational, be proactive.

Goodman is managing director and partner with BlueBridge Networks, a cloud data center and managed services business headquartered in downtown Cleveland.

 

Want us to share your news or article? Contact Courtney Smyser at [email protected]