A massive cyberattack in May and another one yesterday shows the vulnerability we all face living and working in a digital online world.
The term ransomware comes from the attackers’ request for a ransom payment in order to unlock the computer systems of the businesses and government entities it attacks.
These attacks expose the major shortcomings in the approach of governments as well as businesses – of all sizes -- around the world to cybersecurity. And it shows just how inadequate our existing approach to cybersecurity is in the face of the widespread availability of software exploits and the increasing prevalence of malicious actors online.
While the attack in May was stemmed by a 22-year-old cybersecurity researcher who activated a "kill switch" buried in the malware code, companies can't count on these types of actions to stop the next attack.
Like so much of the malicious activity on the internet, the attack took advantage of known vulnerabilities. While no set of defenses can be guaranteed to withstand a sustained attack from a sophisticated attacker, they can still go a long ways toward reducing and mitigating risk: According to the Department of Homeland Security, as many as 85% of targeted cyberattacks are preventable through these basic risk-mitigation measures.
So what can you do to guard against attacks? Here are 3 critical steps to follow:
1) Create Phishing Protocols
Examine and/or establish protocols against phishing attacks (i.e., e-mails from bad guys with malware attached, where clicking introduces the threat to the system). Warning and educating employees about these threats is obviously a good idea — but a more effective tactic is to run a "red team" type test by sending fake phishing emails out to employees and seeing how many people fall for them. Companies can then follow up with better training after they've accurately diagnosed the extent of their vulnerability.
Also, back up your data everyday. Services like Carbonite or Sugarsync backup your data redundantly. This enables you to recover files prior to ransomware setting in.
2) Update your software and install appropriate security patches
That also means keeping current with the latest operating systems. A patch might only work with the most current system. Older systems may lose out on new security updates (as has been the case with Windows XP).
Also note, the patch that Microsoft had pushed out in March did not have a large red sign next to it that said, "URGENT Patch Needed To Prevent Against Devastating Ransomware Attack." The update was offered quietly without a further description. Whatever the reason for this (and perhaps it was because Microsoft didn't want to alarm users or call attention to the vulnerability), the fact remains that you may not know until it is too late whether an update is a critical cybersecurity measure or whether it just adds some new feature or fixes an obscure bug in the software.
3) Game out cyber scenarios
Have a plan in place for how to handle cyber issues. Every business should consider what its worst-case cyber event would look like and how that event would be handled. What corporate governance structures would kick in — and are there ways to elevate problems directly to the CEO? Does the legal department have the right kind of relationship with the IT people so that the lawyers can understand what's going on? Companies should also consider — in advance — what their policy should be for notifying law enforcement. And, in the event of a ransomware attack, they should consider whether they would heed the FBI's advice not to pay in all cases or would be willing to take some other approach if their business depended on it.
These decisions are complicated, and there is probably no one-size-fits-all set of answers. The legal fallout can also be widespread — ranging from possible consumer-privacy litigation, to shareholder suits, to cooperating in criminal investigations. A business that falls victim to an attack also likely won't know who is behind the attack for some time, and so will be forced to make these decisions with imperfect information about whether it is dealing with ordinary crooks, a hostile nation-state, a terrorist organization, or some combination of these actors working in concert.
Planning for these scenarios and putting safety measures in place may sound expensive and onerous. But as the data has shown, the cost of not preparing for them can be far higher. And unfortunately, businesses cannot count on governments to do this work for them. While federal agencies continue to assess their own vulnerabilities, the private sector must harness its own abilities to adapt and innovate in order to be better prepared for the next attack.