The attraction of financial gain, and of access to your customers and partners, is more than enough incentive for these criminals to take the time and effort to launch some quite sophisticated attacks, even against SMEs.
There is no silver bullet for ransomware. It can be a complex problem to protect yourself against, and the attacks continue to evolve. It requires what we used to refer to as defence in depth, a term stolen from the military: several layers of protection, so that no single failure lets the attacker through. There are technical solutions available out there, and depending upon the level of risk identified for your organisation (and here I’m assuming that you have done some sort of risk assessment), you may or may not consider that the cost is worth the investment.
Attacks come in many guises. Phishing remains a very common entry point for the attacker, and to make things more difficult, an attack sometimes doesn’t start as a ransomware attack at all. It may start as an information-gathering exercise which then evolves. In that respect, any defences you already have in place contribute to your ability to deflect or prevent such an attack.
Email is another common attack vector, and as well as good user awareness, this is something that might require a more technical solution. A good question to ask is whether your endpoint protection (anti-virus and anti-malware, in more common parlance) has the ability to defend against things like credential harvesting, attachments that may contain threats or trojans, and other malicious content.
Do you allow your users to work from home? Does your sales force, when on the road, tend to access the network from coffee shops, using unprotected networks? Distributed working, as it’s being referred to nowadays, introduces many more ways in which an attacker can get ransomware onto your network.
Have you considered what you would do if you were subject to a ransomware attack? If the demand was a relatively low figure, would you just pay up? After all, you need to get your company up and running as quickly as possible. There is evidence that a significant proportion of SMEs do just that, but there is also evidence that a significant proportion of those still didn’t get their data released. So some form of business continuity plan for the event of a successful attack, so that you can keep communicating and continue doing business, is essential.
It is simply a fact that 90% of data breaches are caused by human error. It is very unlikely that an employee will do something deliberately to damage your business. But humans are fallible and, if they haven’t had any awareness training, they simply don’t know what they shouldn’t be doing. Cyber security awareness training remains the most significant step you can take in this regard.
If you couple awareness training with well-thought-out policies and procedures that are rolled out, tested and well understood by employees, you’ve taken an excellent step towards mitigating the risk of a ransomware attack.
I’ll revisit this in a little more depth next week.