A widespread cyber attack has been coming, folks, and many security professionals have been trying to raise awareness among staff and companies.
Two days ago I shared an article from AIG that stated “systemic cyber attacks” were expected this year across several sectors, including healthcare.
As recently as February we wrote a blog post about the “Growing Threat of Ransomware”.
Whilst serving as CISO, I always remember a funny moment where a colleague in our London office shouted across the floor, “Here is Burke, what fear are you peddling today?” We all laughed. (Hope you are well Brian!)
I understand with limited time and resources it is easier for companies to think that “we have done enough and security people peddle fear” but it is our devotion to increasing security that truly drives us.
Security is our passion in CyberRiskAware, just like it is with every other security professional I know. All we wish to do is impart our knowledge and raise awareness so that every staff member in a company understands the risks that are relevant to their business and offer practical measures (not solutions) that ensure the business continues to win.
In coming up with practical measures for ransomware at your company, consider the following questions and answers.
Q: Why did my Anti-Virus, Firewall, SPAM Filter, IDS, IPS not stop this?
A: Specific cyber criminals provide QA services to the creators of ransomware and other malicious software so they can test it against the latest and most widely used defences to see whether it will be detected or not. They literally take a feed from all security vendors every hour. Please keep your defences up to date, but don’t assume they will prevent all attacks. This is not just a technical problem.
Q: What is the root cause of the latest ransomware infection?
A: The latest attack was caused by a phishing email that contained a malicious attachment. This reinforces that cyber risk is a human risk: cyber criminals target people first, because they know people are the weakest link.
On average 30% of staff open phishing emails and 12% of those staff go on to click on a link or open an email attachment. Read more about phishing being the root of all evil.
Q: How can I prevent my staff from opening phishing emails, or if they do open, to NOT click on links or open attachments?
A: Send staff regular mock phishing emails, at least monthly, to keep awareness high, and provide instant feedback if they fall for one: tell them it was a test, offer tips, and explain what the impact could have been if it were real. Then provide short email security awareness training and identify repeat offenders! Trust me, once a staff member falls for a test email they won’t want to fall for the real phish and will inspect their email more closely. Instant 20% reduction in risk.
Provide a plugin to the company email client, such as PhishHuk from Cyber Risk Aware, that, at the click of a button, allows employees to report attacks to IT Security. IT Security can then quarantine all other copies of the email in the system and update other defences.
What Other Steps Can I Take?
There are several other steps I recommend you take.
- Patch! And patch again! Keep all systems fully patched as best you can. I have seen in so many client companies the difficulty IT staff face when trying to get downtime to do patching. Any business leaders reading this: help your IT staff get the downtime they need to do patching. Otherwise you will face unwanted downtime and be in the news like the NHS! (Hope this helps Alison and team!)
- Take backups! Make sure you back up all important data and test that your restores work. DO THIS MORE THAN ONCE A YEAR! If affected, you will restore the data rather than pay the ransom. If you don’t have backups, or your restore does not work, you may have to consider paying the ransom. I know of very large companies, including a very large law firm, who have had to pay to get their data back! I know you say now that you would never pay it, but if your business depends on it you will be faced with this decision. The FBI has even commented on this. If you don’t have a bitcoin account, please contact us.
- Implement an incident response plan – and test it! All relevant parties need to be involved in creating the incident response plan, and it should identify the key decision makers who will handle the required communications. Get your tabletop exercises done, people; otherwise you will regret it when, under pressure, you procrastinate, make the wrong decisions and communicate badly, both internally and externally (e.g. TalkTalk!).