One cannot read the news today without finding another story of a company besieged by a malware infection: their files encrypted, and the company is brought to their knees by cyber criminals. In the past month we have seen a large pipeline company have to shut down all operations and a US government agency suspended operations for 2-4 months, leaving more than 550 former Hanford workers without access to benefits.
While we often read about large corporations impacted by ransomware, small businesses aren’t immune from these cyber attacks. The US Department of Homeland Security Secretary Alejandro Mayorkas has warned that SMBs comprise 50-75% of ransomware attacks. In the past year, ransomware attacks are up over 300%[1] costing businesses over $350 million in ransom payments alone. Extorting companies is big business in 2021.
With the word ransomware thrown around so casually, we should probably agree on a definition of what it is. Ransomware is software that runs on a computer that gives someone leverage over a person or company through malicious means. This typically means that a person or company’s information is made inaccessible by encrypting the information with a key that only the attacker has. Using this as leverage, the attacker extorts the person or company for money to give up the key to decrypt the information.
A more elaborate method of extortion is on the rise as well. Besides encrypting information on the computer, the ransomware will also package up and send the information to the cloud to be used to blackmail the company or customers by threatening to release of sensitive information. Further, this information is often used for identity theft. The information tends to become commoditized and sold amongst criminal groups, even if the ransom is paid.
It’s easy to think that because you’re a small business that this shouldn’t affect you. The reality is that this type of software is sent out blindly, widely, and inexpensively, predominantly through email. The distribution of the ransomware is indiscriminate and blasted widely to email addresses that have been acquired through other hacks, open searches, or other legitimate lists. Everyone is at risk because the cost to infect a system is low while the reward can be very high.
What can you do about this scourge of malware? You should follow best practices as published by the US Cybersecurity & Infrastructure Security Agency (CISA)[2]. Here are a few categories to implement when looking at your business’ cyber security posture:
Training
Implement a comprehensive employee training program to include common methods of attack, including simulated phishing campaigns. Implementing programs that encourage good behavior rather than punishment for failures have shown to be far more successful, because these programs depend on employees to report potential issues and not feel shamed for doing so.
Patching
Continuous security patching and auditing is necessary across all technology devices. Often forgotten are the edge devices, such as firewalls and routers used by many homes and businesses. These edge devices have become a common attack surface lately with Work from Home becoming typical in our modern business environment.
Password Hygiene
Passwords are still ubiquitous and a common method for attackers to take over accounts and networks. Check out Have I Been Pwned[3] to check if any of your accounts have been exposed. Taking simple steps can help: never re-use passwords, use longer and more complex passwords, and ideally use a password manager such as LastPass[4] or 1Password[5].
Multi-Factor Authentication
Multi-Factor Authentication (MFA), or Two-Factor Authentication (TFA), combines your username & password with something like a 6-digit code texted to your phone or a physical device, like a Yubikey[6]. This significantly increases the account security and research suggests this alone can prevent up to 99.9% of account attacks[7].
Endpoint Protection
Your free antivirus software just isn’t enough. Comprehensive endpoint protection methods must be implemented on any business device, especially those with access to sensitive business information. Reducing attack surface by removing administrator access for the daily user account, using robust antivirus and anti-malware protections, and implementing robust backup solutions are critical to both preventing and recovering from malware.
A business should consider leveraging trusted security-focused firms to help implement and manage risk-based cybersecurity programs and to audit existing programs to ensure compliance. Businesses should also engage their insurance firms to get more information about cyber insurance to transfer risk. The only thing you shouldn’t do is nothing.
Ryan Maloney is the Chief Executive Officer of Devinion, LLC, a managed information technology and cybersecurity services company located in Richland, WA. Ryan has over 25 years of experience in network security and systems integration. He holds a CISSP, ITIL 4, and several CompTIA certifications in cybersecurity and networking. Devinion just celebrated their 10th anniversary in May, 2021.
[1] DHS secretary warns ransomware attacks on the rise, targets include small businesses - ABC News (go.com)
[3] Have I Been Pwned: Check if your email has been compromised in a data breach
[4] #1 Password Manager & Vault App, Enterprise SSO & MFA | LastPass
[5] Password Manager for Families, Businesses, Teams | 1Password
[6] Discover YubiKey 5 | Strong Authentication for Secure Login | Yubico
[7] One simple action you can take to prevent 99.9 percent of attacks on your accounts (microsoft.com)
