Ransomware attacks on businesses in the U.S. are growing faster than ever and few businesses are ready to handle them, according to a bulletin from the Federal Bureau of Investigation.
Cyber criminals are also attacking a much broader range of businesses, including attacks on health care facilities and critical infrastructure as well as launching attacks more frequently, according to the bulletin.
In April, the city of Lansing, Michigan reported that its water and power utility had suffered such an attack.
Unfortunately, the FBI has determined that businesses are unequipped to deal with a ransomware attack, despite the fact that such attacks have been around for a few years and have received broad publicity. Attacks on hospitals in Hollywood, Calif. and in Washington, DC have made the national news, but little seems to have changed in terms of companies’ preparedness to defend themselves from an attack.
Part of the problem, of course, is that companies may not be sure what to do about an attack. Another reason may be that the costs are unknown, so it’s hard to make a business decision regarding ransomware. “What’s amazing to me is that with all of this going on for this many years is that people are still opening attachments to emails,” said Jack Gold, principle analyst for J. Gold Associates.
Gold is referring to the practice of cyber-criminals to send emails to a targeted list of individuals with malware infected attachments. When the recipients open the email and either click on an attachment or in some cases click on a link to a website, malware infects victims’ computers and networks. “Most of the breaches are [are the result of] phishing attacks, with somebody doing something silly, such as opening an email attachment,” Gold said.
Gold added that while most antivirus software will find malware in an email, there are plenty of ways to attack your network that the AV software misses. He said that the reason these attacks work is that there isn’t necessarily a technology solution. “At the end of the day, if people are going to do something silly, it’s hard to get past that,” he said.
Unfortunately, many organizations simply don’t focus on the problem of dealing with malware attacks including ransomware. Ask most top level managers how much their data is worth or what would happen to their business if it was lost, they are likely to say they simply don’t know.
Likewise, those managers don’t know whether they have adequate backups, whether those backups could be restored, or how long it would take to recover from such a data loss.
This is likely part of the reason those businesses aren’t taking adequate protective measures. They can find out how much it costs to perform some tasks, but putting a cost to training employees to avoid an attack, not to mention making sure their data systems aren’t vulnerable remains a mystery to many. Unfortunately, many in business aren’t sufficiently motivated to find out.
Spike in Ransomware Attacks Shows Why Businesses Must Bolster Defenses
Adding to the problem is that most companies don’t have the means to get out of trouble if they’re hit, short of paying the ransom and hoping that the attacker makes good on the promise to deliver the decryption keys.
“Most companies don’t even do adequate backups,” Gold said. “It’s a growing problem. But it’s hard to defend” from a purely technological standpoint.
So what can you do? Let’s assume that you’re aware that ransomware could put your company out of business, could cost you millions in lost business, legal fees and damages, and that there are solutions that will at least mitigate the risk. Let’s also assume, although this may be a stretch, that your upper management actually wants to protect their business rather than heading for the hills when catastrophe strikes.
In that case, there are two major actions that your company can take that go beyond the basics such as good anti-malware protection and some training on email best practices.
First, instill actual email discipline into your workforce. This is more than just sending a memo around that says “Don’t open attachments,” but rather means actual dedicated training, including some form of practical follow up, such as sending test attachments to your employees, followed by additional training for everyone who clicks on the wrong thing.
The other step is to start implementing real, off-site, cloud backups that are constantly up to date. These backups to the cloud can’t be just a virtual disk drive where things get copied. It needs to be real cloud storage that’s not visible at the operating system level. The reason for that is most ransomware can see storage that appears as an attached drive, and will encrypt that along with your computer.
This commitment to protecting your company means that you may have to remove email privileges from those people who simply can’t keep from clicking on attachments or links. It may require stronger sanctions against employees who decide to store critical documents and files on their own servers that aren’t part of the corporate backup and protection plan, and thus aren’t protected against malware.
Finally, your company needs to have a plan, if only because there may be a day when the attack happens. “Nothing is 100 percent,” Gold points out. “Educate your users. Make a policy of how you’re going to react.”
Gold suggests that it’s important for your business to determine whether the demands of the cyber-criminal will be met, and if so, how. He also said that you will need to determine whether your backups can be restored, how long that will take, and how much the downtime and restoration will cost your company.
Perhaps most important defensive measure is to make those plans and decisions well in advance, and then practice their implementation regularly.