John Griffin Jr. is CEO & Founder of AGB Investigative Services, which provides physical security and cybersecurity services in 12 cities.
One Monday morning, the 35 employees at a Chicago nonprofit where I serve as a board member booted up their PCs and were greeted by a skeleton head on their screens and a demand for $100,000 in Bitcoin. Their internet connections were cut off, their databases scrambled and useless.
I saw how this nonprofit, like thousands of ransomware victims whose stories never make a headline, had critical infrastructure but no trained cybersecurity personnel or even a comprehensive data recovery and business continuity plan. Until that awful Monday morning return to work, the company never even considered that its data and networks were vulnerable. And it did not have the means to pay a ransom.
Victims of ransomware suffer most through lost productivity and the time-consuming task of containing and cleaning up after the attack. A ransom payment, if any, typically accounts for less than 20% of the total cost of a ransomware attack’s disruption, according to research from Proofpoint and the Ponemon Institute.
The Chicago nonprofit’s workers learned too late that its data recovery systems did not really back them up. The organization painstakingly set about finding paper records to rebuild its records from scratch.
Smaller organizations convinced they’re too small to be ransomware targets are mistaken. In fact, according to the National Cyber Security Alliance, the majority of all cyberattacks happen to small to midsized businesses, and up to 60% of them go out of business within six months after the ransomware attack.
Three Basic Moves to Foil Hackers
Some may justifiably wonder: if a $44 billion company like Accenture can become a ransomware victim, what can a smaller business possibly do? If no one is immune from an attack, then everyone needs a response plan. Here are three basic steps to consider:
1. Train all employees in cyber awareness.
There’s an acronym in cybersecurity circles: PEBCAC or “problem exists between computer and chair.” Since email phishing is by far the top threat vector for ransomware, the very first cybersecurity defense is to teach all employees not to click on unfamiliar attachments or clickbait links (e.g., “You’ve just won $1 million!”) and to safeguard their login credentials, ideally with two-factor authentication to confirm their identities.
Believe it or not, some employees still keep passwords on Post-it Notes attached to their monitor screens. Today’s interconnected remote workforce makes every employee part of the security apparatus. Employees can be important data defenders, provided they have the right information and education.
2. Patch all the apps.
Every threat assessment starts with an inventory of operating systems and software. Updates will protect a computer network against known vulnerabilities. Likewise, every firewall and server must be properly maintained and configured. Unfortunately, this seemingly routine data governance is a massive job, made even more challenging by the profusion of endpoints (think smartphones, industrial systems, IoT devices and all the equipment used by work-from-home staff).
3. Test backups and restoration plans.
Every organization needs reliable backups and, just as important, a business continuity plan to bounce back from an attack. Organize a cyber incident response team and do penetration testing to make sure critical infrastructure is protected. Be preemptive with your cyber response, not reactive.
No one is safe from attack.
These basic defenses are only a start. Without real-time monitoring of network traffic, organizations remain exceptionally vulnerable. Because 100% prevention isn’t affordable or feasible, systems must be in place to detect an incursion and respond before the damage is done.
Antivirus software and firewall hardware have come a long way, but at the end of the day, a trained cybersecurity staff can offer the best defense. A control center for monitoring and incident response will provide a quick data recovery response, cutting downtime for both internal breaches and external cyberattacks. Firms with limited resources can lower their risk by outsourcing a security operations center.
The first step to making systems more resilient is to consider the cost of business interruption. No one is safe from attack — not governments, not utilities and not even tech companies. Without a robust data security approach, it is not a matter of if you’ll be hit, but when.