A fictitious integrator, a cyberattack and the next steps – rAVe [PUBS]


The last time we saw our intrepid integrator, he was making tough choices. His business had fallen victim to a ransomware attack. All of its files were locked, and the attackers threatened to put all of its sensitive information on the internet if they did not pay a large ransom.

What to do, what to do?

The first thing Joe (our fictional owner) did was call his insurance company. He was pretty sure his insurance would cover attacks like the one they had just suffered. If that was the case, he could bring them in and they would know how to fix things.

No love.

As ransomware attacks have become increasingly common, insurance coverage for them has become increasingly expensive. Coverage against cyberattacks now requires its own separate policy, usually referred to as cybersecurity insurance or cyber liability insurance. This insurance costs a pretty penny, so some companies opt for cheaper plans. Unfortunately, these plans have limited coverage. Joe learned the hard way that he had paid for an insurance plan that wouldn’t cover anything.

If you rely on insurance to cover you in the event of a cyberattack, please read the fine print of your coverage carefully. I am neither a lawyer nor an insurance agent. If you are unsure of what you are reading, please seek expert advice.

When you speak with your insurance agent, you should ask what types of attacks are covered by your plan. What happens if an employee is blackmailed or paid to steal sensitive information? What happens if an employee falls for a phishing attack? What is the annual maximum coverage? How much is your deductible?

When in doubt, remember this: if your plan seems a little too affordable, it’s probably the insurance equivalent of vaporware.

Joe sat down with his management team and started asking some tough questions about how the company should move forward. Tensions were high and the conversation quickly escalated. How to respond to a cyberattack is a divisive topic. Many cybersecurity experts recommend not paying ransom demands, because paying incentivizes hackers to continue their attacks. Without the promise of a big payday, there is no reason to launch cyberattacks. But many companies don’t have the luxury of losing their data. And, as we learned in our last episode, many companies have sensitive data that can be exploited if they don’t pay, increasing their exposure.

After some discussion, Joe decided to hire an outside company to help get through the crisis. Ransomware recovery consultants are expensive, but Joe knew his business was outdated. The first thing the consultants asked was, “Where are your data backups?”

Backups? Joe looked at his IT manager. He shook his head. They had a patchwork of backup systems, but most of them lived on their local network and had already been encrypted by hackers. They might be able to consolidate some of their most important files, but they wouldn’t have everything. It could take weeks to find all of their available files, and even then they might not know what was missing until a customer called for service.

Backups weren’t going to save them.

The next question posed by the consultants concerned sensitive data. What could the hackers have downloaded for their own nefarious uses? Which customers might get contentious if they got wind of the company’s predicament? How careful had they been with sensitive data?

HR looked sheepish. All of their employee documents were stored in plain text on a company server. If the hackers performed a data dump, social security numbers and banking information were likely to be included. Operations piled on: their files included several sensitive floor plans and schematics. Much of this data was covered by NDAs. Their customers and business partners were not going to be happy if all this was published.

The hackers demanded a seven-figure ransom. The company could pay it, but that would deplete its cash reserves and cripple its finances. They were now facing severe budget cuts, with the very real possibility of layoffs. But what choice did they have? Losing their data could cripple the business.

The ransomware recovery consultants contacted the hackers. The company was ready to pay.

The consultants were able to negotiate a small discount for prompt payment. They handled the logistics of buying cryptocurrency and then transferring it to the hackers’ digital wallet. They spent the rest of the week and all of the weekend running decryption software on the company’s files, rebuilding servers, and fixing issues along the way. After completing their work, they presented Joe with a large invoice and a business card from a trusted provider of outsourced IT resources.

They also created a report of recommendations on how to avoid another attack.

  1. Competent computer help. Joe’s CIO was a nice guy and a hard worker, but he still did things the way he learned 10 years ago. The consultants recommended a heavy dose of training. They also recommended the use of outsourced network and security resources. In-house IT could still be a great resource for setting up devices, resetting passwords, troubleshooting software issues, and more. But work on servers, firewalls, etc. should be delegated to an external vendor.
  2. Patch, patch, patch. Many companies in the AV industry fall victim to the “if it ain’t broke, don’t fix it” mentality. They remember how a firmware update bricked a big install, so they turn off automatic updates. The hackers were “kind enough” to tell the consultants that they had entered the network through an unpatched mail server. From now on, everything had to be kept up to date in order to avoid future intrusions.
  3. Enable Multi-Factor Authentication (MFA) on literally everything. MFA requires the use of an authentication device (usually an app on your phone) which is used to allow or deny connections to your systems. MFA isn’t a magic bullet, but it’s a great deterrent to hackers looking for easy access.
  4. Use strong anti-virus (AV) software that is difficult to disable. Joe’s company had AV software installed on its servers, but the hackers turned it off and disabled its alerts. Your AV software must require authentication and MFA before it can be disabled or uninstalled.
  5. Upgrade your backup solutions! There are real stories of companies that were hacked, received a ransom demand, told the hackers to get lost, and then restored everything from backups. All information should be backed up in multiple formats, and at least one of your backup solutions should be offsite. Back when I worked in IT (and dinosaurs roamed the earth), that meant backing up to tape drives and storing the tapes somewhere safe. Kids these days use cloud services and don’t have to worry about whose turn it is to take the tapes home.
  6. And don’t forget to test your backups! You want to find out that something isn’t configured correctly before you need the backup, not after.
  7. Use a respected Endpoint Detection and Response (EDR) solution. What is an EDR? It is software that monitors all of your devices and alerts you if it detects a problem. A bunch of connections from Russia? That’s an alert. Someone is trying to disable all of your AV software (but they can’t, because you’ve password-protected it… right)? That’s an alert. As we learned in our last episode, the hackers spent weeks poking around Joe’s network. A modern EDR would have detected the intrusion before they had a chance to do any serious damage.
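To make item 7 concrete, here is an added example (not from the original post and not any vendor's product) of the two alert rules it describes, run over constructed sample telemetry: a burst of connections from a country where the business doesn't operate, and an attempt to stop or uninstall the AV agent without MFA. The event format, thresholds, host names and service names are all assumptions made up for the illustration.

```python
from collections import defaultdict, deque

# Constructed sample telemetry (not from any real EDR product): timestamps in
# seconds, one dict per event.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "fileserver01", "type": "net_conn", "src_country": "US"},
    {"ts": 101, "host": "fileserver01", "type": "net_conn", "src_country": "RU"},
    {"ts": 103, "host": "fileserver01", "type": "net_conn", "src_country": "RU"},
    {"ts": 104, "host": "fileserver01", "type": "net_conn", "src_country": "RU"},
    {"ts": 110, "host": "fileserver01", "type": "net_conn", "src_country": "RU"},
    {"ts": 115, "host": "fileserver01", "type": "net_conn", "src_country": "RU"},
    {"ts": 118, "host": "fileserver01", "type": "net_conn", "src_country": "RU"},
    # Approved change: an admin stops the agent after an MFA-confirmed request.
    {"ts": 200, "host": "hr-pc07", "type": "service_stop", "service": "av-agent",
     "user": "it-admin", "mfa": True},
    # Suspicious: a service account tries to uninstall the agent with no MFA.
    {"ts": 300, "host": "fileserver01", "type": "uninstall", "service": "av-agent",
     "user": "svc_backup", "mfa": False},
]

EXPECTED_COUNTRIES = {"US", "CA"}   # where this (hypothetical) business operates
CONN_THRESHOLD = 5                  # connections from one unexpected country...
WINDOW_SECONDS = 60                 # ...within this many seconds raises an alert
PROTECTED_SERVICES = {"av-agent", "edr-agent"}


def detect(events):
    """Return one alert string per rule hit, in time order."""
    alerts = []
    recent = defaultdict(deque)  # (host, country) -> timestamps still in the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "net_conn" and ev["src_country"] not in EXPECTED_COUNTRIES:
            window = recent[(ev["host"], ev["src_country"])]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > WINDOW_SECONDS:  # expire old entries
                window.popleft()
            if len(window) == CONN_THRESHOLD:  # fire once, when the threshold is crossed
                alerts.append(f"{ev['host']}: {CONN_THRESHOLD} connections from "
                              f"{ev['src_country']} within {WINDOW_SECONDS}s")
        elif ev["type"] in ("service_stop", "uninstall") and ev.get("service") in PROTECTED_SERVICES:
            if not ev.get("mfa", False):  # item 4: stopping the agent must need MFA
                alerts.append(f"{ev['host']}: {ev['user']} attempted {ev['type']} of "
                              f"{ev['service']} without MFA")
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print("ALERT", line)
```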

Protecting your business from cyberattacks takes a bit of determination and a willingness to pay for the right resources. It can be daunting to change the way you go about your daily business. But the good news is that even small changes can make a difference. In a zombie apocalypse you don’t need to be the fastest runner to survive. You just have to be faster than the slowest runners. Implement basic security practices and potential attackers will move on to more tempting targets.

Right now, many of the companies in our industry are the slowest runners. But, if we all work together to prioritize security, we can become much less tempting targets.

Be well and be safe.