So often, neglecting the basics poses the biggest threat.

February 6, 2018

By Asher de Metz, Senior Manager, Sungard Availability Services

The question facing most businesses isn’t if they’ll be the target of ransomware, but when. Yet the percentage that feel adequately prepared for ransomware attacks rarely rises above 50 percent, according to surveys.

Part of the problem is a disparity in perception of risk between those on the ground – the IT teams that see the vulnerabilities and understand the threats – and those higher up. Board members don’t see the risk if everything is status quo. CFOs are more interested in spending time and money on efforts that will result in profit and gains, not the far less glamorous idea of protecting their data.

Groundless optimism or a reckless attitude can replace common sense. Partners need to help IT educate execs that, while ransomware is something of a lottery, there are steps that will minimize the impact and get the company back to business as usual quickly, without handing over any cryptocurrency.

Here are six ways the best-prepared companies protect themselves from ransomware:

They have segmented networks: Simply put, it’s a matter of putting up firewalls with strict filtering between different network segments. In the event of a ransomware attack, a firewall can quarantine the attack to the segment through which it entered by isolating it from the rest of the network. These systems take time and planning to implement correctly, but a company that has properly segmented networks can easily recover from an attack by closing off the infected segment and reimaging those machines.

What happens to companies that don’t segment? In a flat, unsegmented network, everything is accessible at the same level. The only option for a company with this kind of network is to turn everything off, if there’s anything left to turn off. This can cripple an operation, and it adds a new problem: the company has created its own denial-of-service attack. When the systems are turned back on, the virus will spread rapidly because the attack isn’t localized.

They keep sensitive data separate: Very often I see companies house critical client data on the same network as all of their other data. If it is segmented, it’s done poorly. If critical data lives in another network, it’s often completely open. A company may think a system is segmented if it’s on a different subnet or IP address, for instance, but that doesn’t qualify as segmentation. For example, interns, freelancers and other junior employees who would never need (or shouldn’t have) access to critical client or business data can access it. Without segmentation, it’s open season, and you’re vulnerable to internal threats.
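As an added illustration of the two segmentation points above (not code from the article), this Python example computes how far an infection can travel from its entry segment under three inter-segment firewall policies. The segment names, the policies and the worst-case assumption that any allowed flow can carry the infection onward are all constructed for the example.

```python
from collections import deque

# Constructed sample data: segment names and policies are hypothetical.
SEGMENTS = ["interns", "workstations", "app_servers", "client_data"]
SENSITIVE = {"client_data"}

# "Flat": separate subnets, but everything is routed with no filtering.
FLAT = {(s, d) for s in SEGMENTS for d in SEGMENTS if s != d}

# "Chained": default deny, yet the allowed flows form a path to the data.
CHAINED = {
    ("interns", "workstations"),
    ("workstations", "app_servers"),
    ("app_servers", "client_data"),
}

# "Strict": default deny, only one business flow passes the firewall.
STRICT = {("workstations", "app_servers")}

POLICIES = {"flat": FLAT, "chained": CHAINED, "strict": STRICT}


def blast_radius(entry, allowed_flows):
    """Segments reachable from `entry`, following allowed flows transitively.

    Assumption: any allowed (src, dst) flow can carry the infection.
    """
    seen = {entry}
    queue = deque([entry])
    while queue:
        src = queue.popleft()
        for s, d in allowed_flows:
            if s == src and d not in seen:
                seen.add(d)
                queue.append(d)
    return seen


def sensitive_exposure(allowed_flows, low_trust=("interns",)):
    """Map each low-trust segment to the sensitive segments it can reach."""
    return {seg: sorted(blast_radius(seg, allowed_flows) & SENSITIVE)
            for seg in low_trust}


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(name, sorted(blast_radius("interns", policy)),
              sensitive_exposure(policy))
```

The chained policy filters every hop yet still exposes the client data from the intern segment, which is why the filtering has to be reviewed end to end rather than rule by rule.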

Their board is on board: In enterprises, IT and security teams need support and direction to come from the top down, from the board and C-suite. As stated earlier, the very people who may not see ransomware as an imminent threat are the ones in charge of the purse strings. CFOs often aren’t interested, either. Spending more affects the bottom line, and they won’t see the value if they don’t understand the risk. Partners who fill a trusted-adviser role can bring to bear case studies and materials from suppliers that will open even the most skeptical exec to the prevalence and disruptiveness of ransomware. As an example, AppRiver’s annual Global Security Report shows that in the first half of 2017, 1.9 billion data records were lost or stolen as a result of cyber attacks. This followed a tough year in 2016, when losses totaled $16 billion and criminals pocketed approximately $1 billion in ransomware payments alone.

Their IT teams are motivated: In general, customer IT teams are stretched thin. Without the time, the training or the budget, it’s difficult to proactively segment networks and put other next-gen precautions in place. Yes, risking a ransomware attack by not taking the proper precautions now can create a nightmare scenario they have to deal with later. But in the short term, having more duties heaped onto your existing job description doesn’t sound appealing to anyone. They may just turn a blind eye and take their chances.

Compared with the attacker’s motivation – a million-dollar payday, possibly – and the ease of getting ransomware, the motivation to protect data might be pretty low for overtaxed IT teams. Malicious hackers are counting on it.

How do you as a partner incentivize a complacent team? By opening up resources, spending time with customers’ staff or working with a specialized partner who can perform a penetration test or run some testing as part of a training program to prove to the executive management team and the CFO just how vulnerable the network is.

Their employees know how to carry out the disaster-recovery plan: A company that can dodge a ransomware attack has to have all the pieces in place. But just as critical is making sure employees know exactly what to do when an attack hits. Even with all of the networks segmented as they should be and layers of protection in place, it doesn’t mean systems are impenetrable. An attack will be contained, but there’s procedure to follow. It’s all about damage control.

Organizations that breeze through ransomware attacks have an instant response plan, and they train their employees with drills. Just like how we’re taught to handle an emergency in fire drills – we line up, exit the building calmly and stand in designated places outside – employees should know their roles in a ransomware emergency by rote. The more organized and practiced they are, the faster they will be able to contain the incident. Otherwise, we’re all just crowding the exits in a panic.

They cover the basics: Security really doesn’t have to be difficult, or even expensive. Strong passwords, security patches, continuous end-user training, isolated backups, and hardened systems and networks can make all the difference. Even free anti-virus software can go a long way. Patching is fundamental. What won’t help is throwing money at the problem and investing in million-dollar software if customers are neglecting basic system updates. Attackers are opportunists looking for an easy way in, and they look where they think you’ll have your guard down.

Prioritize Security to Inspire Motivation

Few companies have proper network segmentation, even today, when ransomware and other cyberattacks are rampant. Those that do put in the work, spend money on security, develop incident-response plans and train their employees, though, fare much better.

Motivation is difficult to quantify, but a concerted effort and accountability from everyone in the organization can keep operations running smoothly. Some work up front, better organization and more acknowledgement of the importance of security all around can ease tensions and make for a more productive, efficient work environment, more attentive employees and fewer crises.

Asher de Metz, senior manager, conducts penetration testing and security assessments for Sungard Availability Services’ U.S.-based clients, helping them identify risks and secure their systems in order to avoid hacking attacks. With almost 20 years of experience in information technology and security, Asher has been involved in hundreds of IT-security projects and has provided security counsel to some of the largest companies throughout the U.K., Europe, Middle East and North America within the financial, government, retail, health care, insurance and manufacturing industries.
