VIEWPOINT: Preparing for Ransomware

By Jim Shea


A look at recent news headlines continues to show the impact that ransomware has on our everyday life. Whether it is the attack on Colonial Pipeline, which set off a potential gas-supply shortage, or the attack on JBS, a meat packer, the news keeps coming. Last year in the U.S. alone, more than 100 federal, state, and local governments; 500 health-care centers; 1,600 educational organizations; and thousands of businesses were victims of ransomware. That is according to "The State of Ransomware in the US: Report and Statistics 2020," published by Emsisoft Malware Lab in January.

That impact is also felt by small and mid-sized businesses (SMBs). In 2020, the average cost of a ransomware event for an SMB was $505,827 per incident (including downtime, lost business, rebuilding, upgrades, etc.). The cost is only increasing, especially when you consider lost revenue and reputational harm to your business. According to the Beazley Group, a cyber-liability insurance provider, small and medium businesses are most at risk of ransomware, accounting for more than 62 percent of claims. Beazley also reports that ransomware attacks increased 130 percent in 2020.

In the past two years, the Cyber Defense Institute has assisted clients with ransomware incidents that ranged in cost from $600,000 to over $10 million right here in Central New York. Many ransomware attacks do not get reported as companies fear reputation loss and bad press. As a result, experts agree that the true number of attacks and cost of those attacks is grossly underestimated.

Ransomware is a type of computer malware with one specific goal: holding your data hostage until you pay a ransom. Early variants installed on a single computer in your network and encrypted whatever shared files that one computer could reach. Today's variants use more sophisticated techniques. The attackers move laterally through your network, sometimes for months without detection, before detonating on as many systems as they can at once. Because all your servers and workstations are encrypted at the same moment, you are far more likely to pay the ransom.


Awareness training. The most-common method of infection is still malicious email. Another common method is the so-called "drive-by download," in which a malicious file is downloaded from a compromised website. Because of this, end-user security awareness training is one of the key strategies you should be implementing to protect your business from ransomware. This end-user training should include continuous phishing training and at least one hour of direct computer-based training content several times per year. The phishing training should include a system that sends fake phishing emails to your users to give them real-world experience dealing with phishing emails. Weekly security reminders that detail the most-current threats and scams are also highly effective.

Two-factor authentication for applications and email is another easy win. Stolen credentials let criminals log in as your users, steal data, and send malicious emails from legitimate addresses to unsuspecting friends and colleagues. A second factor stops most of those logins even after a password has been phished.

Anti-virus/malware software. Another critical component of your anti-ransomware strategy is anti-virus/malware software that can prevent advanced threats such as ransomware. Traditional, signature-only antivirus is no longer enough; advanced-threat protection is critical. Software that includes endpoint detection and response (EDR) features is commonly used in ransomware cases because it records what ran on each machine, helps responders see where the infection spread, and lets them isolate affected hosts to stop it. For this reason, you should consider a similar product to help protect your environment. It also goes without saying that you must keep your subscriptions with your antivirus vendor current. There is nothing worse than suffering a malware infection because you forgot to renew your antivirus license or neglected to update your current product regularly.

Implement a SIEM (Security Information and Event Management system) to provide continuous monitoring of your network 24/7, 365 days a year, coupled with a dedicated Security Operations Center (SOC) to notify you of incidents. These systems provide real-time alerts of suspicious or malicious activity on your network, enabling a fast response. Keep in mind that a SIEM detects rather than prevents: it is only as good as the logs it receives (endpoint, file-server, authentication, and firewall logs at a minimum) and the people who act on its alerts.
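The kind of rule a SIEM or SOC would run to catch a ransomware detonation in progress, shown here as an added example that is not part of the article or any vendor's product. The log format, host names, user names, file paths and thresholds are all constructed for the demonstration; in practice the same logic would run over Windows file-audit events or file-server audit logs.

```python
"""Added example: a toy SIEM-style correlation rule that flags the file activity
ransomware produces when it detonates. Log format, hosts, users, paths and
thresholds are constructed for the demo, not taken from any real product."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import posixpath

WINDOW = timedelta(seconds=60)   # sliding window per (host, user)
FILE_THRESHOLD = 50              # renames/writes inside the window before we alert
MIN_DIRS = 3                     # ...spread over at least this many folders
NOTE_HINTS = ("readme", "decrypt", "restore", "how_to")  # typical ransom-note names


def build_sample_log():
    """Constructed events in 'ts|host|user|action|path' form: alice edits a few
    spreadsheets over five minutes; bob's session renames 60 files in four
    folders within 30 seconds and then drops a ransom note."""
    base = datetime(2021, 6, 14, 9, 0, 0)
    lines = []
    for i in range(5):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()}|FS01|alice|write|/shares/Finance/q2_{i}.xlsx")
    for i in range(60):
        folder = ("Finance", "HR", "Legal", "Shared")[i % 4]
        ts = base + timedelta(seconds=i // 2)
        lines.append(f"{ts.isoformat()}|FS01|bob|rename|/shares/{folder}/doc_{i}.docx.locked")
    ts = base + timedelta(seconds=31)
    lines.append(f"{ts.isoformat()}|FS01|bob|write|/shares/Finance/HOW_TO_DECRYPT.txt")
    return sorted(lines)  # ISO timestamps sort chronologically as strings


def parse_line(line):
    ts, host, user, action, path = line.strip().split("|", 4)
    return datetime.fromisoformat(ts), host, user, action, path


def detect_mass_encryption(lines, window=WINDOW, threshold=FILE_THRESHOLD, min_dirs=MIN_DIRS):
    """Return one alert per (host, user) whose recent activity looks like mass
    encryption: many renames/writes across several folders inside the window,
    or the creation of a ransom-note-like text file."""
    recent = defaultdict(deque)   # (host, user) -> deque of (ts, path) inside the window
    alerts, alerted = [], set()
    for line in lines:
        if not line.strip():
            continue
        ts, host, user, action, path = parse_line(line)
        if action not in ("rename", "write"):
            continue
        key = (host, user)
        q = recent[key]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if key in alerted:                    # one alert per actor, not one per file
            continue
        name = posixpath.basename(path).lower()
        is_note = name.endswith(".txt") and any(h in name for h in NOTE_HINTS)
        dirs = {posixpath.dirname(p) for _, p in q}
        reason = None
        if is_note:
            reason = "ransom_note"
        elif len(q) >= threshold and len(dirs) >= min_dirs:
            reason = "mass_rename"
        if reason:
            alerts.append({"host": host, "user": user, "at": ts.isoformat(),
                           "files": len(q), "dirs": len(dirs), "reason": reason})
            alerted.add(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_encryption(build_sample_log()):
        print(alert)
```

The thresholds need tuning per environment (a nightly batch job can legitimately rewrite thousands of files), and the ransom-note check is deliberately crude; a planted canary file that no legitimate process ever touches gives a lower-noise signal. The point is that the alert fires within seconds of detonation, while an EDR tool can still isolate the host.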

System patches and updates are another key component of reducing the risk of ransomware. Running your Windows updates on every machine, all the time, closes the known vulnerabilities that ransomware operators use to get in and to spread from one system to the next. Don't forget to keep your firewalls, printers, and other network devices up to date as well. These commonly forgotten devices are also frequently attacked by malicious actors and can lead to ransomware or other harm to your network.

Cyber-liability insurance. When you buy an insurance policy, it should specifically cover ransomware or data-extortion costs. And do not skimp on coverage limits. We recommend a minimum of $1 million for any size of business. 

Develop and practice an incident-response plan. A solid incident-response plan that is documented, known to all involved, and practiced at least once a year will save critical time when responding to an incident. Remember those fire drills in grade school? 

Layer your defenses. This is also known as defense in depth. Develop multiple roadblocks and segment networks wherever possible, so that one compromised workstation cannot reach every server, every file share, and your backups.

Carefully consider the options before you pay the ransom. That is easy to say when you are not in crisis mode, but research by Sophos and others points to higher total costs for those that do pay, and payment does not guarantee a working decryption tool or the return of stolen data. Upfront protection, user training, and a solid backup strategy remain the least-expensive way to stay safe and to recover if you do get hit.

Backups. Finally, and perhaps most important, have excellent backups of your systems. Whether you can recover quickly without paying the ransom depends directly on the quality of your backups. A restore from backup is often the fastest way to give a ransomware extortionist the boot. However, your backup system must include more than one copy of your data, and at least one copy must be out of the attacker's reach: ransomware operators routinely look for backups they can reach with stolen credentials and delete or encrypt them before detonating. Typically for an SMB this means a copy in your office and a copy in the cloud, with the cloud copy protected so that it cannot be deleted or overwritten from the compromised network. We also recommend keeping backups for at least 90 days, because the attackers sometimes sit dormant in a network for months before triggering the ransomware, and you need a restore point from before they got in. Test restores regularly so you know the copies actually work. There are several other backup tactics that can be implemented depending on your overall IT infrastructure.
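How those backup rules can be checked against a catalog of copies, and how a restore point is chosen when the intrusion began months before the detonation, as an added example that is not part of the article or of any backup product. The catalog entries, dates, and the "onsite"/"cloud" location labels are constructed for the demonstration.

```python
"""Added example: a small backup-catalog check for the policy the article
describes (more than one copy, at least one the attacker cannot touch, 90 days
of retention, tested restores) plus a restore-point picker for an intrusion
that started well before the ransomware detonated. Catalog entries, dates and
location labels are constructed for the demo."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    taken: datetime
    location: str      # assumed labels: "onsite" or "cloud"
    immutable: bool    # cannot be altered or deleted with the credentials that write it
    verified: bool     # a test restore from this copy has succeeded


NOW = datetime(2021, 6, 15)   # constructed "today" for the demo


def build_sample_catalog():
    """Constructed catalog: 30 daily onsite copies that the backup server can
    overwrite, plus 15 weekly cloud copies under an immutability lock, the
    most recent of which has been test-restored."""
    onsite = [Backup(NOW - timedelta(days=d), "onsite", False, False) for d in range(1, 31)]
    cloud = [Backup(NOW - timedelta(days=7 * w), "cloud", True, w == 0) for w in range(15)]
    return onsite + cloud


def check_backup_policy(backups, now=NOW, min_locations=2, retention_days=90):
    """Return a list of policy gaps; an empty list means the catalog passes."""
    gaps = []
    if not backups:
        return ["no backups in catalog"]
    locations = {b.location for b in backups}
    if len(locations) < min_locations:
        gaps.append(f"only {len(locations)} location(s); need {min_locations}")
    oldest_age = (now - min(b.taken for b in backups)).days
    if oldest_age < retention_days:
        gaps.append(f"oldest copy is {oldest_age} days old; need {retention_days}")
    if not any(b.immutable for b in backups):
        gaps.append("no immutable/offline copy; stolen backup credentials can delete everything")
    if not any(b.verified for b in backups):
        gaps.append("no copy has a verified test restore")
    return gaps


def pick_restore_point(backups, intrusion_start):
    """Newest copy taken before the estimated start of the intrusion, preferring
    copies the attacker could not have tampered with. Accepts a datetime or an
    ISO date string such as '2021-05-20'. Returns None if nothing predates it."""
    if isinstance(intrusion_start, str):
        intrusion_start = datetime.fromisoformat(intrusion_start)
    clean = [b for b in backups if b.taken < intrusion_start]
    if not clean:
        return None
    # (immutable, taken): immutable copies win, then the newest among them
    return max(clean, key=lambda b: (b.immutable, b.taken))


if __name__ == "__main__":
    catalog = build_sample_catalog()
    print("policy gaps:", check_backup_policy(catalog) or "none")
    rp = pick_restore_point(catalog, "2021-05-20")
    print("restore from:", rp)
```

With the constructed catalog the policy passes, and for an intrusion estimated to have begun on May 20 the picker returns the immutable cloud copy from May 18 rather than the newer but writable onsite copy from May 19, since the onsite copy was reachable from the compromised network. The intrusion start is always an estimate from the investigation; when in doubt, go back further and treat every mutable copy as suspect.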

Unfortunately, for most, ransomware is a matter of “when” and not “if.” However, you can reduce the impact it has on your business by taking steps now to better prepare for the inevitable. Ransomware does not have to be a potentially business-killing event if you properly prepare your business now. Doing nothing and ignoring the threat is no longer an option.        

Jim Shea is president of Cyber Defense Institute, Inc., a Syracuse-based, regional cybersecurity consulting and training firm specializing in cybersecurity regulatory compliance, cyber risk management, and cybersecurity assessments. Brandon Finton is the senior security engineer at Cyber Defense Institute.
