Ransomware. Five ways for SMBs to prevent, prepare and respond.

Posted on Thursday, September 14, 2017 and filed under Articles

If you belong to a small to medium sized business (SMB), you are most likely to receive emails at work containing malware, which is malicious software that is often disguised as a legitimate e-mail attachment.

In 2017, ransomware (a kind of malware) made international headlines after either disrupting the services of organizations large and small around the world or putting them out of business entirely by locking down digital files and information within their computer networks. About 1 in every 110 emails sent to SMBs (size 1 – 500) contains malware. And the challenge for organizations in this size range is that many lack the sophisticated cyber security defences that are designed to respond quickly once a network is affected.

Unfortunately, the cost to reclaim or replace files and computer systems after ransomware strikes is often much higher than the cost of prevention strategies. And hundreds of thousands of ransomware attacks are initiated around the world each day.

As the leader of an SMB, how do you ensure your organization is protected and prepared to respond quickly if it is targeted by ransomware?

You implement prevention and detection measures, regularly backup somewhere away from your network, develop and deploy an incident response strategy, and seek support from qualified professionals.

This process starts by understanding how ransomware typically works. There’s a lot that happens before a company loses access to all of the files on its network and receives a digital ransom note demanding payment before files are restored (paying doesn’t guarantee anything will be restored).

1 – Implement prevention measures

An ounce of prevention is worth a pound of cure when it comes to protecting your network.

Training employees in IT security best practices, keeping employees’ personal devices off of your network, applying a content filter for websites, implementing an anti-spam strategy, and running antivirus/anti-malware software are your first lines of defence.

Ransomware is usually contained within a malicious attachment inside an email or in something called an exploit kit that is downloaded onto a computer when someone clicks a malicious ad or visits an infected website. For ransomware to start working, someone needs to open the attachment or the downloaded kit. To do this, they need access to infected websites and malicious emails in the first place and then antivirus/anti-malware software has to fail.

However, attackers are ingenious and adaptable and know their way around these defences. More sophisticated attacks can fall through cracks by taking advantage of vulnerabilities in networks and people, including methods like targeted emails with seemingly legitimate files attached and kits embedded into what looks like legitimate software. Simply, both people and antivirus software can be tricked into believing ransomware is legitimate.

2 – Detect Early

When you arrive here, someone within your network has opened a file they probably shouldn’t have. Although ransomware’s insidious process has begun, you’re technically still in the prevention stage because detecting that something is wrong now relies on something you needed to do before this happened.

Larger organizations have an advantage here as sophisticated intrusion detection systems can sense and then respond when something on a network is unusual, which it will be before a ransom note is digitally delivered and even before all devices on a network become compromised.

After installation, ransomware needs to make sure you don’t have any access to backup copies of files tucked away somewhere. So, it will search for these by searching for other devices on a network to infect and around the same time by starting to lock down things like files that have been auto saved or copied into places on a computer that most people don’t check.

Implementing a detection system is your next line of defence because this can allow you isolate an attack before you see it, power down the affected devices, and protect what hasn’t yet been compromised on your network before the ransom note arrives.

A qualified procurement advisor can aid you in finding a detection solution that’s right for your organization.

3 – Regularly Backup Somewhere Outside Your Network

If you’re backing up your entire system regularly somewhere that isn’t connected to your network as part of an adequate business continuity plan, you can recover your files and perhaps even keep business going while your company deals with the fallout.

Whether some or all of your files are in lockdown, storing copies somewhere outside of your network, where they are easily accessible to employees using backup devices, can make a critical difference in the organizational survival of such an incident.

4 – Launch Your Incident Response Strategy

Unfortunately, responding doesn’t stop with powering down infected devices, retrieving your files, and launching backup devices.

At this point, information and devices have been compromised and there may be regulatory, legal, PR, and other consequences you need to deal with on top of replacing your networked computer environment. You may have done everything you could have to protect consumer information, for example, but some consumers may lose trust regardless when you tell them what happened. Even if you pay a ransom and this unlocks your files, you’re still infected and your information is still compromised.

5 – Don’t go it alone 

To deal with this, your response strategy needs to include people with a range of expertise.

Let’s take this from the top and assume that your organization has an IT department. It’s important to note that cyber security is an enormous field with many areas of specialization that evolve constantly and there’s generally a shortage of professionals that are in high demand. Supporting your department with outside knowledge and expertise from the start, however, is an important step in ensuring the right skills are applied to the right solutions at the right times within your organization.

As well, preventing and responding to incidents is a coordinated effort among professionals in various fields — not just IT professionals. Involving a breadth of roles from the start, from planning to prevention through to response, will give your organization its best shot at surviving an attack if one slips through the cracks in your defences. Unfortunately, nothing offers you 100% guaranteed protection from ransomware. But, a robust strategy has a good shot at saving your business if something goes wrong.

Author Jim Stackhouse is the founder and president of NeoLore Networks Inc., an Ottawa-based technology services company that designs, implements, manages and maintains computer networks for small and medium sized businesses.