Thanks for the responses to my initial Cybersecurity email last week. This is a concern for many of you, and it should be. This week the focus is on ransomware, which is a form of malware that, once introduced, encrypts your own data, rendering you unable to access it. The hacker then demands payment from the victim to restore access. Victims are given instructions on how to make payment (frequently in bitcoin) and how to obtain the encryption key (and oddly enough, for one company, a one-year warranty!).
Ransomware stories have been increasingly present in the news over the past year. Why? Possibly due to COVID-19 — more people at home, company cost-cutting and less focus on management of security. The New York Times says over 200,000 organizations (which includes Fortune 500, middle market companies and municipal organizations) submitted files that had been hacked in a ransomware attack, and the average payment to release those files rose to over $84,000 in Q4 2019. We’ve noted payouts much higher.
Here in Dallas, a couple of middle-market companies have experienced ransomware attacks in the last year. There are common themes in their stories; here are a few:
- A lack of attention at the top of the organization, no designated responsibility for cybersecurity and no assessment of key vulnerabilities to address.
- A lack of policies, procedures, communication and training of their workforce on information security and common Cybercrime techniques, like phishing.
- Complexity within their application landscape, manual integration points resulting in more difficulty in securing operating systems and networks.
- Older systems and data that ultimately could not be brought back up, even after the encryption keys were provided by the hackers.
- Cybercrime insurance that paid most of the ransom but did not pay for remediation of faulty security processes and technology, or damaged systems.
- IT operational processes, such as backup and restore functions, that proved to be unreliable.
- Hackers accessing the systems for a month or more, giving them time to understand the company, the opportunity and the data to attack.
- On-premises data exposed; cloud-based data safe.
- Six-figure payouts in bitcoin, plus six-figure costs in remediation and replacement of systems.
We will explore implications of these themes over the next few weeks and talk about ways to reduce the odds of this happening to you. For now, some softball questions for business owners:
- How have you communicated the importance of information security to your management team and organization?
- What communications, training and tools do you have in place to address your organization’s awareness of your policies, and your ability to monitor compliance?
- Does your insurance portfolio include protection against Cybercrime?
- Who is responsible for securing your technology? When was the last time you asked them where the risks are?
Shoot me a note. I’d love to hear your responses.