When the “cost of doing business” is no longer an option.
“It’s the cost of doing business.” Over the long holiday season, I heard this phrase several times while socializing with family, friends and business acquaintances. My usually optimistic social group bemoaned the annoying effect ransomware has had (and continues to have) on their day-to-day business.
The topic isn’t a surprise. Around the country, similar professionals at small/medium-sized enterprises (SMEs) echo their sentiments. What surprised me was their passive reaction to the problem. Even the current President Barack Obama and the President-elect Donald Trump recognize the threat of cybercrime to businesses and the public.
It’s not just you, Mr. SME
Ransomware has undoubtedly been on the rise, with some groups such as the FBI claiming 4,000 attacks a day. These high numbers affirm the fact that ransomware is a financially motivated, equal opportunity malware; it wants to lock down any device that has an owner, whether the owner is a teenager, a global business tycoon or a small business owner.
Unfortunately, ransomware can be debilitating for small/medium-sized businesses (SMEs) whose viability hinges on access to customer lists, financial records, product/service details, legal contracts and much more. Most SMEs don’t have the resources or a sophisticated technology infrastructure to adequately secure their business. In fact, almost a third of SME don’t employ an information security professional. And, considering more than 70% of businesses actually pay up, ransomware is the perfect exploit for SMEs.
Clearly, it’s a big problem that needs a big solution, right?
Backups, backups, backups
From hospitals and medical offices to accounting firms and ecommerce shops, ransomware has proven to be a successful criminal endeavor, with many paying more than $10,000 for each incident to regain access to their business data. And, SMEs seem to have learned to accept it as a cost of doing business.
“It’s not a big deal, Mark. We just do more frequent backups.” Yes, this was an overwhelmingly common approach to the problem. It seems my discussion partners spend several hours a week making backup copies of files. When asked about the costs (storage, time resources, duplicate systems, access to backups, energy usage, etc.) the response was a casual shoulder shrug. Really? Frequent backups is your security strategy? At a time when businesses are getting leaner in every way, spending time and resources on backups isn’t a good use of ever-thinning IT budgets or the scarce security talent.
Beyond backups – seal the entryway
Backups are good, but they are just one piece of a more holistic security strategy against ransomware. The biggest challenge is helping my fellow IT professionals understand that ransomware—and any malware for that matter—can penetrate the best of defenses. The key is knowing how it enters: basic everyday Internet usage at work (think about email, websites, apps, out-of-date software/patches, etc.
“We use anti-virus software, blacklist the typical non-business sites, installed ad blockers, and repeatedly train staff about the perils of email links and attachments. What else is there?”
First, anti-virus (AV) and blacklisting isn’t enough as these defenses assume the bad guy is known; his signature is captured and stopped from executing. With thousands of new malware variants entering the digital ecosystem each day it’s nearly impossible for AVs to keep their protection levels up. Blacklisting is good for general business purposes. (I mean, if coworkers need to access porn, gambling or gaming during the work day you’ve got bigger problems!) But this doesn’t mean that all other websites are good, even the Alexa 1,000. Some of the largest web-based attacks occur on legitimate, premium websites.
Second, enterprise ad blocking isn’t all it seems. You may think that all ads are blocked, but this isn’t true. Large advertising networks pay a fee to whitelist their ads in exchange for agreeing to fit a stilted format. Media website owners (Facebook anyone?) are adopting technology to detect ad blockers and then re-insert their ads or content.
“Well, dammit, what should we do?”, you ask.
All is not lost – A new year has dawned
Now’s the time to take stock of your business’s information security plan. Conducting a full-scale audit can be daunting. To kick-off the process, I recommend the following initial steps:
- Identify all data sources (employee, vendors, customer). Increasingly, enterprises are asking their partners about security processes as part of their own security governance.
- Document how data is collected, used and stored. This includes mapping data input sources, e.g. website forms, emailed contracts, customer portals, payroll, etc.
- Estimate costs to collect and store data.
- Assign an owner to each data element, e.g., financial information to Finance, marketing data to Sales/Marketing, legal information to Contracts/Finance, etc.
- Score data value. On a scale of 1-100 assess the data’s criticality to business, e.g. if it’s lost what is the impact from financial, brand, relationship perspectives.
- Consider a Threat Intelligence Platform (TIP) to streamline data management and terminate threats before they penetrate the business.
Once you have this information you can then start to evaluate weaknesses, reinforce existing security processes and align IT budgets accordingly.
Ransomware isn’t as hard to tackle as many SME information security teams think.