When Hollywood puts a wealthy business mogul together with a kidnapping and a ransom demand they have a tried and true formula for a hit action movie. But, in the IT world, the hostage is valuable data, the villain wants your money and the victim is often a small business. Ransomware is the threat of the moment. The question is: What should you do when you find your business infected?
Rob Rae, vice president of business development for Datto, Inc., a CompTIA Premier Member, says, above else, do not pay the ransom.
“Companies should be investing in protection instead of paying the ransom,” Rae said. “Once you’re infected, you’ve downloaded the software onto your system. Paying the ransom doesn’t remove the software – and it could very well happen again.”
Ransomware is a term for the many variations of malware that infect computer systems, typically by social engineering schemes. Ransomware sometimes marks the files for permanent deletion or publication on the internet. The perpetrators then demand a payment, usually in untraceable cryptocurrency like Bitcoin, for the private key required to decrypt and access the files.
Datto’s research shows that the average ransom requested is typically between $500 and $2,000, but 10 percent of managed service providers report the ransom average to be greater than $5,000. But it’s not just the money companies are losing – they’re losing time as well. The downtime following an attack can be crippling.
The SMB Story
On the big screen, the villain usually gets a good dose of karma in the end. But, the forces behind cyber-threats like ransomware are unknown – and that poses a huge problem. One of the challenges for organizations is that they tend to place the greatest emphasis on the cyber-threats they understand the best. Malware and viruses, two of the oldest forms of cyber-attacks, typically get the most attention. Meanwhile, CompTIA’s research shows that most companies are only slightly concerned that they would be the target of something else – like a dedicated denial of service, social engineering, Internet of Things-based attack, SQL injections or ransomware.
“We’re seeing significant growing threats to small businesses today,” Rae says. “The press covers larger stories about data being lost so small businesses may not think they are risk. But in essence small businesses are even more at risk because they don’t spend as much on security and may not be thinking about their vulnerabilities.” According to Rae, ransomware is the biggest threat in the SMB space right now.
The State Story
Ransomware is a crime of extortion, and the more valuable your data, the more you are at risk. According to the FBI, organizations such as hospitals, school districts, and state and local government agencies are often targets of ransomware attacks. But, surprisingly, at the state level, government institutions sometimes go unprotected.
Srini Subramanian, principal at Deloitte & Touche LLP, a Premier Member active in CompTIA’s public sector programs, said states allocate a very small percentage of their tech budgets to cybersecurity. One reason for the shortfall of funds is that communicating cybersecurity risks can be a unique challenge.
“I think with respect to cyber-risk being such a new discipline, there is a lot of information that is difficult for executives to comprehend,” Subramanian said. “For instance, telling them ‘We block millions of attacks every day using a firewall.’ The executives say, ‘Well it looks like we’re in pretty good shape, right?’ Well, that may be accurate data but that doesn’t paint the complete picture of what is going on in a network infrastructure or environment.”
But things are also beginning to look up – or more secure at least. States have started to appreciate the importance of having a comprehensive cybersecurity strategy. One particularly instructive way Deloitte has been facilitating this shift is through launching, implementing and managing solutions that bridge the communication gap. For instance, in some cases Deloitte puts C-suites through simulated data-loss emergencies. Such war games do more than just tell high-level state government officials about the cost and impact of data breaches and the proper response to them – they show them.
The Healthcare Story
Last year, a ransomware attack against hospital and ambulatory electronic health records (EHR) vendor Greenway Health affected 400 client organizations using the vendor’s cloud-hosted platform. While half of the affected clients had their EHR services restored within a few weeks, the rest had to revert to manual processes in the hope of timely restoration. Greenway Health’s breach wasn’t the first attack on this type of data and certainly will not be the last.
Healthcare enterprises know that assessing risk is a critical part of the cybersecurity equation – they just need more information about what the process entails. But it has to be done the right way.
Lysa Myers, security researcher with CompTIA Premier Member ESET, has seen the fallout when enterprises roll out security solutions without first assessing the real operational needs and functioning of a business. Not only can it be ineffective, but it can be an inconvenience, which can create greater vulnerabilities as employees circumvent solutions and policies to get their work done.
“If you make it so that security is more seamless in their day, then they’re not going to go through weird gyrations to get what they need to get done,” said Myers, a member of CompTIA’s IT Security Community.
In her own speaking engagements, educating representatives of smaller institutions in areas like healthcare and education, she sees the same mindsets that permeate both the general SMB landscapes and state government.
“Businesses don’t fully realize that, even though they’re less visible than big multinational enterprises, the records on their servers are a veritable goldmine to hackers. They know that they need to take a look at cybersecurity both technologically and operationally, but they’re not sure how best to continue their efforts beyond the work they’re already putting in,” she said.
The IT Pro Story
New threats – like ransomware – keep popping up and aren’t going away. Businesses large and small, across all verticals, can wind up victims and you better be ready when it happens to you.
“Ransomware doesn’t have a target,” Rae said. “It’s an indiscriminate effort to get dollars.” And, while preventing an attack may not be feasible – there are things you can do, he said.
First, invest in protection. There are ransomware detection-and-recovery technologies available and affordable to the SMB market. According to Rae, in the long run these technologies save people and companies money. Second, communicate to your employees that everybody is vulnerable. It’s not as easy as forbidding employees to pull up certain websites anymore. These new threats are savvy and find their way into your inbox disguised as a legit sender containing business-related information. Educating your employees about vulnerabilities gives them the power to take initiative and communicate when something goes wrong. And, the sooner you catch it – the better off you’ll be. Third, new skills must be combined into a new approach. In a world of constant, evolving attacks, a mentality of preventing all breaches is outdated. Organizations must shift to proactive measures, including external audits, penetration testing and security training. Strong defenses will always play a role, but they must be coupled with ongoing offensive activity.
Click here to download CompTIA’s new report 2018 Trends in Cybersecurity: Building Effective Cybersecurity Teams and here to get involved with CompTIA’s IT Security Community.