Expert Corner – Preventing Ransomware – Part 2


In this Expert Corner, inSOC CIO Jeff Gulick discusses the practices most critical to preventing ransomware. Counting ransom payments and downtime, ransomware cost $42.4 billion in 2019, according to Infosecurity Magazine. That figure covers reported cases only; estimates that include unreported incidents run as high as $170 billion.

Baseline: Identify Vulnerabilities

The first and most critical point is to assess your company’s strengths and gaps through baseline evaluation.

“First, you need to assess and establish a baseline. All of this information could be compiled as a part of a security maturity or risk analysis as discussed in Part 1 of our Ransomware series. That’s the first thing I would do: take a good look in the mirror. Be safe, be secure, be proactive, because it costs you a lot more money to be reactive.”

The Needed Tension Between IT and Cybersecurity

Arriving at a baseline understanding requires input either from your internal IT department or from an outside firm such as inSOC.

Ultimately, how systems are secured is a business decision. To make that decision well, consider the relationship between your IT department and your security function.

“Your information technology team handles the systems, making sure that they stay up and doing what they need to do.” That side keeps the systems working, the email moving, and the hardware functioning.

But security holds the IT team accountable, which often means requiring adequate change and review processes so that security is evaluated before changes are implemented. When IT takes shortcuts to get more done with less, disasters can follow.

However, by following standards from reputable groups such as the Center for Internet Security, IT and Security can partner to ensure systems are performing optimally and are appropriately secured.

“You don’t have to secure yourself like Fort Knox. The goal is to reduce the threat surface. With security, there are several layers of protection. One of those layers of protection is anti-virus and anti-malware, and each layer of protection is going to protect you a percentage of the time. Nothing is foolproof.”

Governance: Protect with Policies

Companies need documented security policies that are consistent and clear. “It’s important that an organization has a well-defined information security policy and that the information security policy is disseminated to all staff.”

Gulick is often shocked at how infrequently policies are documented and understood.

“I think companies are surprised by the fact that they need to have policies and that those policies need to be written and approved. They believe that just having some sort of agreed-upon policy that they’ve talked about in an informal meeting is adequate, but it’s not. In order to hold people accountable to a certain level of compliance with policies it has to be written and it has to be approved. These things have to come down from the top, the senior leadership who are the ones who define the business rules.”

These policies are critical for proper training and communication. They also ensure all employees in the company work toward this common purpose.

Because the threat landscape keeps changing and cybersecurity professionals regularly publish updates, policies need to be revised on an ongoing basis rather than written once.

“This is something that needs to be ongoing and repeated so security policy training should be given at least once a year and security awareness training should be delivered at least quarterly,” Gulick said.

To keep policies current, Gulick says the company needs to subscribe to regularly updated content. Material such as KnowBe4 Security Awareness Training keeps people up to date on changes in the environment, especially new threats.

“In addition to general security awareness training, I would make sure that your IT team subscribes to some regular security news groups to understand security trends… the most current malware and cyber-attack vectors. Someone in IT, or someone on your team, needs to be accountable for security and review content so they understand some of the trends that are going on.”

Training: Interactive and Regular

Here’s a scenario that often takes companies down, Gulick says. An employee working from home gets an email that appears to come from the company’s bank. The email carries the bank’s logo, the bank’s name appears in the sender’s domain, and the content is professional. It asks the company to update its information for security reasons.

The employee clicks on the link.

And we’re done. Within minutes, the company is hijacked. Or the attacker sits and waits for the quarterly meeting or the big expansion announcement, then shuts everything down.

According to Gulick, “The most important thing that they need to know about ransomware is that it is typically delivered through emails that have malicious links or payloads. It is also delivered through malicious websites that are accessed through click bait, which are those ads that you see on the sides of web pages. These malicious sites are trying to target someone’s personal interests, such as political leanings, or weight loss. When you click on the site, malware can move in without your knowing.”
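The bank email in the scenario above works because the bank’s name appears somewhere in a domain the bank does not own, and the visible link text looks like the bank’s real address while the href points elsewhere. The following Python script, added here as an example and not part of the original article or of inSOC’s tooling, applies exactly those two checks (plus a plain-http check) to the links in an HTML email. The bank, its legitimate domain (examplebank.com), and the sample message are all constructed for the example; a production version would resolve registrable domains with the Public Suffix List rather than the last-two-labels shortcut used here.

```python
"""Lookalike-link triage for an HTML e-mail (added example, not from the article).

All brand names, domains and the sample message below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: brands we care about and the registrable domains they actually use.
KNOWN_BRANDS = {
    "examplebank": {"examplebank.com"},
}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the demo; real code should use
    the Public Suffix List so that e.g. 'bank.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def check_link(href: str, text: str) -> list:
    """Return the reasons this link looks like a phish; empty list means no finding."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    reg = registrable_domain(host)

    # 1. Brand name present in the host, but the registrable domain is not the brand's.
    for brand, legit_domains in KNOWN_BRANDS.items():
        if brand in host and reg not in legit_domains:
            findings.append(
                f"brand '{brand}' appears in host {host!r} but registrable domain "
                f"{reg!r} is not one of {sorted(legit_domains)}"
            )

    # 2. Visible link text is itself a URL whose domain differs from the real href.
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and registrable_domain(shown.group(1)) != reg:
        findings.append(f"link text shows {shown.group(1)!r} but href goes to {host!r}")

    # 3. A "security update" link served over plain http is never legitimate for a bank.
    if parsed.scheme == "http":
        findings.append("link served over plain http")

    return findings


def triage_email(html: str) -> dict:
    """Map each suspicious href in the message to its list of findings."""
    return {
        href: reasons
        for href, text in extract_links(html)
        if (reasons := check_link(href, text))
    }


# Constructed sample resembling the lookalike bank e-mail from the scenario.
SAMPLE_EMAIL = """
<p>Dear customer, for security reasons please update your information:</p>
<a href="http://examplebank.secure-login-update.com/verify">https://www.examplebank.com/update</a>
<p>Or contact us at <a href="https://www.examplebank.com/contact">our site</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in triage_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run as-is, the script flags only the first link, for all three reasons; the genuine examplebank.com contact link passes. The same checks are what a user is being asked to do by eye when training says "hover over the link before you click", which is why a simulated-phishing exercise should include lookalike domains of this kind.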

So how could this scenario be prevented? Through monthly or quarterly interactive training, Gulick says, in which employees distinguish legitimate ads and emails from fake ones. Training also needs to cover the most up-to-date trends and the rules for access, advertising links, email, web page usage, and computer usage.

“You should be doing regular assessments, and that includes actually sending a spoofed malware email to test your staff. You need to understand the staff that are having problems so you can deliver additional content to them or have one-on-one training sessions to help them overcome those gaps in understanding.”

Training also includes equipment.

“Too often employees at home are either using a family member’s computer, using the computer for other reasons, or allowing other family members to use a work-designated computer.” All of these scenarios are dangerous, Gulick says.

“Some of the things that are the most effective are the ones that are most overlooked by companies. An example of that is providing some kind of regular security awareness training to help people to understand how to identify these different attacks and to respond appropriately.”

In our next Expert Corner installment, Gulick questions the safety of the cloud.

Contact us for information on how inSOC can help you to protect your clients from the threat of ransomware.

Find out how Makaye InfoSec leveraged inSOC to protect their clients from ransomware.