When you think about different types of cyber attacks, ransomware might not be the first thing to come to your mind. It’s the sort of thing you might expect to see in a movie, but not in real life. The truth is, however, that ransomware is an increasingly common form of cyber attack. Government agencies, for example, are now a prime target for ransomware. However, it’s not just governments that should be worrying. According to one report, ransomware attacks against businesses rose by a whooping 263% in 2019. Business everywhere should therefore ensure they take precautions to prevent a ransomware attack and also have a plan in place if one does happen. To help, here is a list of 5 ransomware tips that all businesses should consider.
Ransomware Tip #1: Back It Up
Perhaps the most crucial way to protect yourself against ransomware is to have a robust and regular backup system in place. Any data that is sensitive or essential to business operations should be backed up on a regular basis. However, you have to be smart about it. Make sure your backups are stored offline or somewhere separate from your other networks. If a hacker gains access to your systems, you want to ensure they won’t be able to reach your backups. You should also regularly test your backups to ensure there is no corruption in the data. That way, if an attack occurs and they encrypt your data, you can be sure you have a backup to avoid paying the ransom.
Ransomware Tip #2: Use Security Awareness Training
Ransomware attackers often gain access to systems by first conducting phishing attacks or other forms of social engineering exploits. The key to the attackers success are employees who are not sufficiently trained in detecting emails that contain malicious links. This is just one of the many reasons more businesses should invest in security awareness training programs. For many forms of cyber attacks, your employees are your first line of defense, so making sure they have the tools needed to spot phishing attacks is a must.
Ransomware Tip #3: Stay Up to Date
Operating systems and software are constantly being updated to patch any known security vulnerabilities, but it can be easy to miss an update or put it off for another day. The problem is that attackers are constantly looking for these vulnerabilities and will prey on anyone who hasn’t updated their systems. Updating software, operating systems, and applications should therefore be a priority. In many cases, you are able to set up your systems to update automatically when a new patch is released.
Ransomware Tip #4: Segment and Limit Access
If an attacker gets into your system, you want to ensure they can’t access everything. It’s therefore important to segment your networks. This essentially just means keeping different elements of your network separate from each other so you can control how information flows from one to the others. This also involves implementing access controls so that users on your network are only able to access what they need for their job. These controls should be regularly evaluated. That way, if an attacker steals one of your user’s credentials, they won’t be able to access your entire network.
Ransomware Tip #5: Plan Your Response
Lastly, when it comes to ransomware, it’s important to not just try and prevent an attack, but also have have a plan in place in case one actually happens. Ransomware response should be included in every organization’s overall incident response plan, and you should have a team dedicated to carrying out the plan if an attack happens. Every organization’s response to a ransomware attack will be different, so response teams should sit down with members of the organization at various levels to ensure everyone is on the same page.
In 1989 the U.S. Postal Service issued new stamps that featured four different kinds of dinosaurs. While the stamps look innocent enough, their release was the source of controversy among paleontologists, and even serves as an example of how misinformation works by making something false appear to be true.
The controversy revolves around the inclusion of the brontosaurus, which, according to scientists at that time, never existed. In 1874, paleontologist O.C. Marsh discovered the bones of what he thought was a new species of dinosaur. He called it the brontosaurus. However, as more scientists discovered similar fossils, they realized that what Marsh had found was in fact a species previous identified as an apatosaurus, which, ironically, is Greek for “deceptive lizard.” Paleontologists were therefore rightly upset to see the brontosaurus included on a stamp with real dinosaurs.
Over 30 year later, however, these stamps may have something to teach us about how disinformation works today. They show how disinformation is not simply about falsehoods — it’s about how those falsehoods are presented so as to seem true.
The stamps help illustrate this in three ways:
One of the ways something can appear to be true is when the information comes from a figure of authority. Because the stamps were officially released by the U.S. government, it gives the information contained on them the appearance of truth. Of course, no one would think the USPS is an authority on dinosaurs, and yet the very position of authority the postal service occupies seems to serve as a guarantee of the truth of what is presented. The appearance of authority, however wrongly placed it is, is often enough for us to believe something to be true.
This is a tactic used by scammers all the time. It’s the reason why you’ve probably gotten a lot of robocalls claiming to be the IRS. Phishing emails also use this tactic by spoofing the ‘from’ field and using logos of businesses and government agencies. We too often assume that, just because information appears to be coming from an authority, it must be true.
2) Truths and a Lie
Another way something false can appears true is by placing what is fake among things that are actually true. The fact that the other stamps in the collection — the tyrannosaurus, the stegosaurus, and the pteranodon — are real gives the brontosaurus the appearance of truth. By placing one piece of false information alongside recognizably true information, that piece of false information starts to look more and more like a truth.
Fake news on social media uses this tactic all the time. Phishing attacks also take advantage of this by replicating certain aspects of legitimate emails. This might include mentioning information in the news, such as COVID-19, or even including things like an unsubscribe link at the end of the email. This tactic works by using legitimate information and elements in an email to cover up what is fake.
The US Postal Service did not invent the brontosaurus: in fact, the American Museum of Natural History named a skeleton brontosaurus in 1905. Once a claim is stated as truth, it becomes very hard to dislodge. This was actually the reasoning the US Postal Service used when they were challenged: “Although now recognized by the scientific community as Apatosaurus, the name Brontosaurus was used for the stamp because it is more familiar to the general population.” Anchoring is a key aspect of disinformation, especially with regards to persistency.
Overall, what the brontosaurus stamp shows us is that our ability to discern the true from the false largely depends on how information is presented to us. Scammers and phishers have understood this for a long time. The first step in critically engaging with information online is therefore to recognize that just because something appears true does not, in fact, make it true. Given the continued rise of disinformation, this is a lesson that is more important now than ever. In fact, it is unlikely disinformation will ever become extinct.
A hacker got into your system, but you spot the problem before the hacker has a chance to carry out an attack. Best case scenario, right? Well, it all depends on what you do next. The government of Florence, Alabama found themselves in this exact situation, but their response is now costing them nearly $300,000. Here’s what happened:
In late May, cybersecurity report Brian Krebs received a tip that hackers known for ransomware attacked gained access to Florence’s IT system. Krebs made numerous attempts to contact city officials before finally receiving a voicemail thanking him for the tip and telling him that the city took care of the issue. However, on June 5th the city announced that a ransomware attack shut down the city’s email system. The city plans on paying the hackers the nearly $300,000 ransom to restore their system.
So, what went wrong? According to city officials, when the attack hit, the IT department was in the middle of securing approval for funds to investigate and stop the attack. Local governments are often slow to act, to be sure, but officials knew about the hacker 10 days before the attack and they still weren’t prepared. The bottom line is, given the rise in ransomware attacks on public institutions, Florence officials needed to have a detailed plan in place before an attack took place. Instead, they scrambled. And, to add insult to injury, hackers accessed to the city’s systems by stealing the Florence IT manager’s credentials through a phishing attack.
How to Beat the Hackers
So, what should you do if you know you’ve been hacked but haven’t yet been attacked? Here are just a few steps you can take:
1. Have a Plan in Place
One of the main reasons Florence was slow to act is because they waited until after the hack to figure out a game plan. Instead, the city needed to have a detailed incident response plan in place. This involves first identifying what types of attacks you are most vulnerable to. Then, you need to create a detailed step-by-step response for each type of attack, and create a team of employees responsible for carrying out each of the steps. You also need to ensure you have contingency funds readily availble to carry out the plan quickly. Finally, it is important to simulate each type of attack so that the team can practice carrying out their response. Overall, the goal of an incident response plan is to deal with potential attacks as quickly and efficiently as possible.
2. Shut Down and Isolate Infected Systems
In order to keep the hackers from accessing other systems, it is important to shut down and isolate infected systems and any devices connected to it. Remove the system from your network. Disconnect the system’s wireless and bluetooth capabilities. Any devices previously connected to the infected systems should be shut down and removed from the network. Along with keeping the hack from spreading, this also limits the hacker’s ability to encrypt or damage the infected systems.
3. Secure Your Backups
Having updated and secure backups are especially important for ransomware attacks. If a hacker encrypts your data, having a recent backup of that data could save you from having to pay the ransom. There are two important caveats, however. First, it’s important that you regular test your backups to ensure your data isn’t corrupted in the backup or restoration process. Second, keeping the copies of your backups secure and offline is essential. Otherwise, it is possible for hackers to gain access to your backups and encrypt of remove them from your systems.
4. When in Doubt, Rebuild
The hard truth is, the most reliable way to shut down a hack before an attack is to completely remove the infected systems and rebuild them from scratch. Of course, the time, resources, and personnel required to do this makes it a difficult pill to swallow for many organizations. However, it is the only way to guarantee that a hack is removed from your systems.
The Bottom Line
Spotting a hack before the attack can give you the leg up on the hackers. But, as the ransomware attack on Florence, Alabama makes clear, knowing that someone accessed into your systems is not enough. You need to have a game plan ready to go and carry it out as fast as possible. Using your time and resources to prepare for an attack now will give you piece of mind, and potentially reduce the cost of a hack later.
The fear of experiencing a cyberattack is rightfully keeping businesses owners up at night. Not only would a cyber attack give your security team a headache , but could have profound and irreversible financial implications for your businesses. In fact, according to a report by IBM and the Ponemon Institute, the average cost of a data breach in the U.S. is a over $8 million. And with 30% of companies expected to experience a breach within 24 months, it’s no surprise that business are seeking coverage. The problem, however, is that businesses and insurance companies alike are still grappling over exactly what is and is not covered when a cyber event occurs.
Some businesses are learning this the hard way
Recently, a phishing campaign successfully stole the credentials of an employee at a rent-servicing company that allows tenants to pay their rent online. The phishers used the employee’s credentials to take $10 million in rent money that the company owed to landlords. The company had a crime insurance policy that covered losses “resulting directly from the use of any computer to fraudulently cause a transfer,” but soon found out their claim was denied. Among the reasons the insurer gave for denying the claim was that, because the funds stolen were owed to landlords, the company did not technically suffer any first-party losses and there were not covered by the insurance policy.
In another case, the pharmaceutical company Merck found itself victim to a ransomware attack that shut down more than 30,000 of their computers and 7,500 servers. The attack took weeks to resolve and Merck is now claiming $1.3 billion in losses that they believe should be covered by their property policy. The problem, however, is that the attack on Merck was actually a by-product of a malware campaign that the Russian government was waging against Ukraine and happened to spread to companies in other countries. The insurer therefore denied the claim, stating their property coverage excludes any incidents considered an “act of war.”
Silence is Deadly
The Merck example above also illustrates the concept of “silent”, or “non-affirmative” cyber. Basically these are standard insurance lines, like property or crime, in which cyber acts have not been specifically included or excluded. Merck was filing the claims against the property policy because it sustained data loss, system loss and business interruption losses. Silent cyber is difficult for a carrier to respond to (which is why the carrier in this case is looking to the war and terrorism exclusion to deny coverage) and even more challenging to account for. That’s one reason both carriers and businesses are looking to standalone cyber insurance, which provides both the insured and carrier with a lot more clarity as to what is covered. (Although, carriers can deny coverage in situations where the attestations about the quality of security up front do not measure up at claim time.)
Predicting the Unpredictable
It’s commonly said that insurers will do anything to avoid paying out claims, but the issue with cyber insurance coverage goes much deeper. Instead, the problem centers around a number of uncertainties involved in categorizing and quantifying cyber risk that makes comprehensive policy writing a near impossible task. For one, cyber insurance is a new market dealing with a relatively new problem. There are therefore not as many data points for insurers to accurately quantify risk as there are for long-standing forms of insurance.
The real problem, however, is that cyber incidents are extremely difficult to predict and reliably account for. Whereas health and natural disaster policies, for example, are based on scientific modeling that allows for a certain degree of stability in risk factors, it is much harder for insurance companies to predict when, where, and how a cyber attack might happen. Even Warren Buffett told investors that anyone who says they have a firm grasp on cyber risk “is kidding themselves.”
Reading the Fine Print
It’s important to understand that, despite the relatively unpredictable nature of cyber incidents, there are plenty of steps businesses can and should take to understand and mitigate their risk profile. Organizations with robust risk management practices can significantly reduce their vulnerability and a strong security posture goes along way towards minimizing their risks and providing a strong defense when a claim strikes.
Unfortunately, this puts a lot of the responsibility on individual businesses when evaluating their cyber exposures and the insurance coverages which might be available to respond. A good insurance broker who has expertise in cyber is essential. Much like the threat landscape, cyber insurance coverage is constantly evolving, and it is to all parties, from businesses to carriers, to keep up.
We’re number one! (Oh, that’s not a good thing?)
Yes, sometimes it’s better not to be recognized. Especially if it’s in the Verizon 2020 Data Breach Investigations Report which shows new and emerging trends of the cyber threat landscape. Anyone who is anyone in cyber wants to get their hands on it as soon as it’s published (and we are no exception). As has been for many years, one of the key reasons behind data breaches involves what we do (or don’t do). In fact, this year’s report shows that 3 out of the top 5 threat actions that lead to a breach involve human’s either making mistakes or being tricked. Below is a closer look at those 3 threat actions, and the human factors they rely on.
In this year’s report, phishing attacks lead the cyber threat pack for successful breaches. It it also the most common form of social engineering used today, making up 80% of all cases. A phish attacker doesn’t need to rely on a lot of complicated technical know-how to steal information from their victims. Instead, phishing is a cyber threat that relies exclusively on manipulating people’s emotions and critical thinking skills to trick them into believing the email they are looking at is legitimate.
One surprising aspect of the report is the rise of misdelivery as a cause of data breaches. This is a different kind of human factored cyber threat: the pure and simple error. And there is nothing very complicated about it: someone within the organization will accidentally send sensitive documents or emails to the wrong person. While this may seem like a small mistake, the impact can be great, especially for industries handling highly sensitive information, such as healthcare and financial services.
Misconfigurations as a cause of data breaches is also on the rise, up nearly 5% from the previous year. Misconfigurations cover everything security personnel not setting up cloud storage properly, undefined access restrictions, or even something as simple as a disabled firewall. While this form of cyber threat involves technological tools, the issues is first and foremost with the errors made by those within an organization. Simply put, if a device, network, or database is not properly configured, the chances of a data breach sky rocket.
So What’s to Stop Us?
By and large we all understand the dangers cyber threats pose to our organizations, and the amount of tools available to defend against these threats are ever-increasing And yet, while there is now more technology to stop the intruders, at the end of the day it still comes down to the decisions we make and the behaviors we have (and which are often used against us).
We know a few things: compliance “check the box” training doesn’t work (but you knew that already); “gotcha” training once you accidentally click on a simulated phish doesn’t work because punitive reinforcement rarely creates sustained behavior change; the IT department being the only group talking about security doesn’t work because that’s what they always talk about (if not blockchain).
Ugh. So what might work? If you want to have sustained cybersecurity behavior change, three things + one need to occur: 1) you need to be clear regarding the behaviors you want to see; 2) you need to make it easy for people to do; 3) you need people to feel successful doing it. And the “+ one” is that leadership needs to be doing and talking the same thing. In other words, the behaviors need to become part of the organizational culture and value structure.
If we design the behaviors we want and put them into practice, we can stop being number one. At least as far as Verizon is concerned.
Your organization’s cybersecurity team is on edge in the best of times. The bad guys are always out there and, like offensive lineman in American Football who are only noticed when they commit a penalty, cybersecurity personal are usually noticed only when something goes wrong. Now, as the game has changed, the quick transition to work from home, combined with the plethora of COVID-19 scams, phishing, and malware drowning the cybersecurity threat intel sources—not to mention the isolation—may leave your team at a chronically high stress level. And cybersecurity is far more than just your technical safeguards. At the end of the day, the stress your team feels could lead them to put their focus in the wrong place and let their guard down.
Here’s what you can do about it
- Incorporate cybersecurity as a part of your overall business strategy process – now is the time to recognize cybersecurity as a key part of the organization’s strategy and that enables you to drive your mission forward.
- Be a part of the cybersecurity planning process – be active, listen, and understand how your team is handling this.
- Leverage your bully pulpit – communicate to the staff about the key areas your cybersecurity team is focused on and the role they are playing to keep the organization secure while everyone is working from home.
- Check in – take the time to just check in and see how they are doing. A little goes a long way.
The truth is, when it comes to cybersecurity, your first and most effective line of defense is not your firewall or encryption protocol. It’s the people that form a team dedicated to protecting your organization. Working from home poses unique cybersecurity challenges, and it’s up to you to make sure your team is given the attention they need to do their job well.