Reports of ransomware attacks continue to pepper the news and victim companies are suddenly faced with big decisions. To make things even more complicated, the US Treasury recently issued new guidance urging people not to pay hackers, noting that businesses could face civil penalties if they pay ransoms because of the possibility the hacker groups may be affiliated with sanctioned nation-states (like Iran).
Given all the craziness in 2020, it is imperative you devote some of your time to this topic right now. As a decision maker, your first job is to set expectations for your organization with respect to information security, and that starts with developing and implementing a security policy.
Well before making any investments in security technology and processes, you should seek assistance to fully understand the risk you may be exposed to.
What do you do after setting a policy? I recommend a cybersecurity assessment because it enables you to understand your risk profile. The outcomes of an assessment are used to guide you in making smart investments in cybersecurity. Knowledge of the threat landscape, and of where your risks exist, enables you to allocate investment more effectively. Every company has a different risk profile, depending on its business structure, philosophy, organization and technology capabilities. A major risk area is a lack of awareness within your organization of the techniques cyber criminals use to gain entry to your network and data via email phishing or social media. Other key areas include:
- System software patching and upgrading
- Authentication and credentials management
- Network segmentation and monitoring
- Endpoint security
- Data backup and restore capability
Companies that experience ransomware attacks would likely cite these points as vulnerabilities. Tyler Technologies reportedly ended up paying the ransom, a position no business owner wants to be in.
The first step I recommend is an assessment and penetration (“pen”) testing. Pen testing is essentially ethical hacking: you engage a third party to expose any security vulnerabilities that may exist by attempting to break into your systems. If these vulnerabilities can be proactively identified and addressed, the damage can be reduced, or the attack itself even prevented. The cost of pen testing is a small fraction of the potential damage from a ransomware attack.
George Bower is an expert in this area. He’s the CEO of Axis Technologies, and in our cybersecurity webinar he walked us through a few best practices:
- Implement Single Sign-on (SSO) and Multi-factor Authentication (MFA) for access management
- Use strong passwords
- Implement a company-wide VPN, and never use public Wi-Fi in airports or hotels
- Make sure your backups are working, and test your ability to restore from time to time
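The last point is the one most often skipped: a backup that has never been restored is only an assumption. The script below is an added example (it is not from the original post, the webinar, or Axis Technologies) of a minimal automated restore drill. It backs up a constructed sample directory, records a digest of the archive, then restores the archive into a scratch location and compares the result against the original, failing if the archive is missing, corrupted or incomplete. It assumes a POSIX shell with `tar`, `diff`, `mktemp` and either `sha256sum` or `shasum`; the paths and data are constructed for the example.

```shell
#!/bin/sh
# Added example: a backup-and-restore drill. Not part of the original post.
# Assumes POSIX sh, tar, diff, mktemp, and sha256sum (GNU) or shasum (BSD/macOS).
set -u

# sha256_of FILE: portable digest helper (GNU sha256sum or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_sample_data DIR: constructs a small directory tree standing in for real data.
make_sample_data() {
    mkdir -p "$1/finance" "$1/hr"
    printf 'invoice 1001, 2020-10-05, 4200.00\n' > "$1/finance/invoices.csv"
    printf 'employee handbook v3\n' > "$1/hr/handbook.txt"
}

# make_backup SRC ARCHIVE: tars SRC into ARCHIVE and records the archive digest
# beside it, so later drills can detect a corrupted or tampered archive.
make_backup() {
    src=$1; archive=$2
    tar -C "$src" -cf "$archive" . || return 1
    sha256_of "$archive" > "$archive.sha256"
}

# verify_restore ARCHIVE EXPECTED_DIR: checks the recorded digest, restores into a
# fresh scratch directory, and compares the restored tree with EXPECTED_DIR.
# Returns 0 only when the restored tree is byte-for-byte identical.
verify_restore() {
    archive=$1; expected=$2
    [ -f "$archive" ] && [ -f "$archive.sha256" ] || return 1
    [ "$(sha256_of "$archive")" = "$(cat "$archive.sha256")" ] || return 1
    scratch=$(mktemp -d) || return 1
    if tar -C "$scratch" -xf "$archive" && diff -r "$expected" "$scratch" >/dev/null; then
        rm -rf "$scratch"; return 0
    fi
    rm -rf "$scratch"; return 1
}

# restore_drill: end-to-end run on the constructed data. Prints PASS or FAIL and
# returns 0 or 1 so a scheduler can alert on failure.
restore_drill() {
    work=$(mktemp -d) || return 1
    make_sample_data "$work/data"
    make_backup "$work/data" "$work/data.tar" || { rm -rf "$work"; return 1; }
    if verify_restore "$work/data.tar" "$work/data"; then
        echo "PASS: restore from $work/data.tar reproduces the source tree"
        rc=0
    else
        echo "FAIL: backup could not be restored or does not match the source"
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

restore_drill
```

Run it from a scheduler and alert on a non-zero exit; pointed at real archives, `verify_restore` answers the question that matters after a ransomware incident, which is not whether a backup file exists but whether it can actually be brought back intact.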
In the next couple of weeks, I’ll dive deeper into cybersecurity. We received a lot of questions and feedback from the webinar, and I encourage you to reach out to me if I can answer any questions.