Ask yourself: how much of your work life is spent on a computer or in front of a screen? Unless you are a park ranger, in retail service or on a manufacturing floor, it is likely between 6 and 10 hours a day. Now ask yourself: how much of your data, that is, intellectual property, financial data, thoughts, ideas, proprietary company information, communication with your friends and family, emails, texts, silly videos of your kids, is stored somewhere on a computer, an iPhone or maybe the Cloud (whatever that means…)?
The truth is, unless you are living the Ron Swanson lifestyle (out in the woods where no one even knows your address), the answer to the latter question is typically way more than people like to admit. True fans of Ron Swanson know that even he ended up hastily throwing his machine in the trash upon finding out that online ads targeted him by name and topic… sound familiar? (Looking suspiciously at you, Amazon. How did you know I was thinking about toasters, mattresses, and a super cool inflatable unicorn that I am totally bringing to the company pool party, all at the same time?)
I think you get my point. There is a lot of stuff stored on these devices that we need to keep safe, and it is information we want to be able to access any time we need it, especially in the workplace. So it is pretty scary to think about how someone may maliciously gain access to the data you need and encrypt it so that you cannot use it without paying them a substantial amount of money: a ransom. That is why this is called a ransomware attack. (Many current ransomware crews also copy the data out before encrypting it and threaten to publish it, so a good backup alone does not make the whole problem go away.) The good news is there are things you can do to protect yourself and your business. Here are 4 things you can do right away:
#1 Educate your Users
Whether you are a business owner, an IT director or even the manager of a department, your users need to know how they can be attacked. One of the most common ways in is a phishing email: a fake message that asks for network usernames and passwords, or that carries an attachment or link which installs the malware when opened. Make sure your people are on the lookout for the fakes and the phonies! This is your first line of defense for keeping the baddies away. Back it up with multi-factor authentication wherever you can, so a phished password on its own is not enough to get in. There are some really great training services such as KnowBe4 that have done wonders for training users and for testing them with simulated phishing emails (“safe spoofs”).
#2 Secure your Infrastructure
Time to open up your network closet and air out the cobwebs. Security starts here at the administrator level, with your hardware and software. Make sure your firewall is up to date, configured properly and blocking potential threats; in particular, do not leave remote desktop or other admin services exposed directly to the internet, since that is a favorite way in for ransomware operators. Next, make sure that all the right security patches are applied to everything on your network: servers, switches, APs and PCs. (Windows updates!) Another thing: install good antivirus software and make sure it is kept up to date.
#3 Set up Policies
Policies get a bit of a bad rap. Typically, you are having to weigh convenience against security. And hey, I understand that ‘password1’ is way easier to remember and type than ‘hLs$34$jgso!!’, but it is also in every cracking dictionary, so it falls in seconds. Something we have been suggesting is encouraging all users to move towards passphrases like “Sense Objection Wage 7”. Because they are longer, they are much harder to guess, and they are easier to remember because users can recall a sentence rather than a short password that looks like your cat just did its annoying march across the keyboard. Check out this handy-dandy passphrase generator to help your users get started!
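As an added example (not code from the original post or from any generator it links to), here is a small Python passphrase generator in the style of “Sense Objection Wage 7”, together with the entropy arithmetic behind the “harder to guess” claim. The word list is constructed for the example and deliberately tiny; the 7,776-word figure refers to the size of the EFF large wordlist, and the 10^10 guesses per second rate is an assumed order of magnitude for an offline GPU cracking rig, not a measurement.

```python
import math
import secrets

# Constructed word list for the example only (32 words, 5 bits per word).
# A real deployment should use a published list such as the EFF large
# wordlist (7,776 words), which gives about 12.9 bits of entropy per word.
WORDS = [
    "sense", "objection", "wage", "harbor", "copper", "lantern", "meadow",
    "thunder", "velvet", "orbit", "pencil", "glacier", "saddle", "quartz",
    "blossom", "trumpet", "canyon", "whisper", "ember", "fossil", "juniper",
    "marble", "nectar", "pillow", "ribbon", "summit", "tundra", "walnut",
    "yonder", "zephyr", "anchor", "beacon",
]


def generate_passphrase(word_count=4, wordlist=WORDS, add_digit=True):
    """Return a passphrase such as 'Sense Objection Wage 7'.

    Uses the secrets module (a CSPRNG), never random.choice, so the phrase
    cannot be predicted from the generator's internal state.
    """
    words = [secrets.choice(wordlist).capitalize() for _ in range(word_count)]
    if add_digit:
        words.append(str(secrets.randbelow(10)))
    return " ".join(words)


def entropy_bits(choices, pool_size):
    """Entropy of `choices` independent uniform picks from `pool_size` options."""
    return choices * math.log2(pool_size)


def passphrase_entropy(word_count, wordlist_size, add_digit=True):
    """Entropy of a word-based passphrase, optionally with one trailing digit."""
    bits = entropy_bits(word_count, wordlist_size)
    if add_digit:
        bits += math.log2(10)
    return bits


def random_password_entropy(length, alphabet_size=94):
    """Entropy of a uniformly random string over the 94 printable ASCII chars."""
    return entropy_bits(length, alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit the secret: on average half the keyspace is tried."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    print("Generated:", generate_passphrase())
    # 'password1' sits near the top of every cracking dictionary, so it is
    # effectively 0 bits: it is one of the very first guesses made.
    comparisons = [
        ("'password1' (dictionary word)", 0.0),
        ("3 words + digit, 7,776-word list", passphrase_entropy(3, 7776)),
        ("4 words, 7,776-word list", passphrase_entropy(4, 7776, add_digit=False)),
        ("13 random printable characters", random_password_entropy(13)),
    ]
    rate = 1e10  # assumed guesses/s for an offline rig; not a measurement
    for label, bits in comparisons:
        days = expected_crack_seconds(bits, rate) / 86400
        print(f"{label:36s} {bits:5.1f} bits  ~{days:.3g} days at 1e10 guesses/s")
```

The numbers are the honest version of the comparison: four words from a 7,776-word list give about 52 bits, which is plenty against online guessing and respectable against an offline crack of a properly hashed password; 13 fully random printable characters give about 85 bits, more than the passphrase, but nobody remembers them, which is how they end up on sticky notes. Whatever the policy, draw the words from `secrets`, never from `random`.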
Another thing many shops do is require users to change their passwords or passphrases every 6 months, so that anything that has somehow been found out or leaked eventually gets patched up. One caveat: current NIST guidance (SP 800-63B) no longer recommends forced periodic rotation, because it pushes users toward weak, predictable variations of the old password; the better practice is to screen new passwords against lists of known-breached passwords and to force a change as soon as a compromise is suspected. As a side note, I implore you as an IT person and as a friend… please do not write your password down on a sticky note and put it on your desk, your monitor, under the keyboard, in the drawer or any of the other 25 places I have seen users put this ugly, terrible practice. I am not an angry person, but we may have fisticuffs if I find out you have this habit…
Finally, one for the sysadmins out there: change every default password on every device and application, and disable default accounts you do not need. Renaming the built-in “administrator” account makes them guess that part too; it slows down automated scripts, but it is no substitute for a strong, unique password and MFA on that account.
#4 Make a plan for Recovery
Despite all the best efforts, sometimes things happen. Sometimes Janet in accounting does open the .zip file. Sometimes Phil in HR thinks he is talking to someone helpful on the phone and hands out his username and password. Boom, they’re in, and ransomware begins encrypting things on the network. What do you do now? This step happens well in advance. Having a solid business continuity plan is essential to making sure that when disaster strikes, you know what to do. Ask yourself a few questions:
- How much data can you afford to lose? (In backup terms, this is your recovery point objective.)
- How far back can your business digitally roll back before it becomes extremely painful?
- Can it roll back to a day ago, or do you need hour-by-hour backups?
- Which machines and services are critical to keeping your competitive advantage alive and your doors open, and how quickly must they be back (your recovery time objective)?
- What legal or contractual obligations will you face, such as missed deadlines or breach notification, and who will handle them?
These are just a few of the questions to start answering before you have to make a recovery effort. Two more that bite people every time: are your backups kept somewhere the ransomware cannot reach (offline, or in storage that an infected machine’s credentials cannot delete or encrypt), and have you actually restored from them recently? A backup you have never test-restored is a hope, not a plan.
Figure out your next step!
There is a lot of noise in the security landscape, but you can start to find your way through some of it with these four steps: educate your users, secure your infrastructure, set up policies and develop a recovery plan. If you need help with any of this, don’t hesitate to reach out and talk with a security professional today!