Part 2 in a series of blogs on ransomware. In the first blog, we covered some basic cyber hygiene as well as providing 6 top tips for single home computer backups. This second blog takes it up a level and is aimed at Small and Medium Enterprises (SMEs).
Ransomware is the installation you really don’t want – it’ll encrypt your files and you’ll be blackmailed into paying a ransom for the recovery key. What’s more, it’s a fast-growing menace. New data from Intel Security shows a 24 per cent increase in this kind of malware in the first quarter of 2016 alone.
By restricting the ability of systems to operate, ransomware has the capacity to cause long-term damage to the reputation and profitability of any business. However, due to their size, SMEs don’t always have the resources to counter the damage that an attack can cause. We hope that, by following these six tips, SMEs will be better prepared to prevent attacks or respond with confidence, should the worst happen.
Get the basics right first
Although covered in the first blog, it is well worth repeating again and again and again. Recovering from a backup is not a preventative measure; it means that you have been infected and that one or more of your preventative controls has failed. You need to examine how well you are dealing with the basics to reduce your chance of infection in the first place:
- User education and awareness. When was the last communication to your users about the risk of malicious content infection and the part they play in prevention? Users are the first line in your defence but if they don’t know what they should and should not be doing then they can’t be expected to behave as you may wish. Push out some communications on the risks associated with malicious code and the most common means of infection.
CESG provides some useful additional advice: 10 Steps: User Education and Awareness.
- Running with least privilege. Your staff should understand that any account that has escalated privileges should never be used for routine activity such as email or Internet browsing. The more access an account has to the enterprise network, the more damage a ransomware infection will do. Normal users should only have write access to file stores that they need to do their business – the principle of least privilege should always apply.
CESG provides some useful additional advice: 10 Steps: Managing User Privileges.
- Patching and updates. Review your patching strategy regularly and conduct some internal tests to make sure that patches are being applied consistently within your IT estate. You don't need a formal IT Health Check to tell you when the last patches were applied. Use internal resources to report on patching status and ensure it is compliant with your strategy. Anything connected to the Internet should be patched at least daily.
Review your backup strategy – the risks are different
The impact of a ransomware infection on an SME will be very different from that on a home user. Information is critical to the success of any business, and not being able to operate whilst the infection is sorted out will no doubt impact critical business operations and will probably damage your reputation with your customers.
In addition, there are more users with many more files that may get encrypted and need to be restored from backup. Time to recover will increase and you need to be ready to manage the shortfall.
Six Top Tips for SMEs
- Use frequently changing tapes or disks that are then stored off-line, preferably off-site, to assist in business continuity should a physical risk transpire that makes the normal site unavailable. Have separate tapes or disks for each day of the week or, preferably, of the month to provide greater resilience. Obviously, the further you go back in time, the more data you will lose, but some is better than none and infinitely better than paying the criminals' ransom demands.
- Where possible and appropriate, keep files read-only so that escalated privileges are needed to change them. Don't forget, ransomware can only change files where it has sufficient privileges. If the disk or partition that a file is on is write-protected, the ransomware won't be able to access the file to encrypt it.
- Disable macro scripts and use file viewers where possible. This reduces the chance of malicious code being executed in files downloaded from the Internet.
- Backup user files and system files. Some ransomware infects master boot records so you will need to be able to recover the system before you can recover user files.
- Be prepared for the worst. Have an Incident Management Plan and test that it works effectively. Prepare communications to your customers, being honest about what has happened and the steps you are taking to recover. A positive stance at this stage will help allay users' worries and show you as a professional organisation taking security seriously. CESG provides some useful additional advice: 10 Steps: Incident Management.
- Set up contacts with service level agreements with companies that specialise in Cyber Incident Response. This will help you deal with any complications associated with cleaning systems of the infection and analysing how the infection took hold, to ensure appropriate steps can be taken to prevent it happening again.
CESG has guidance on finding a CIR provider.
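As an added illustration of the media rotation in the first tip (this is example code written for this post, not Ascentor's), the following Python models a grandfather-father-son scheme with one reusable medium per weekday, one per Friday of the month and a retained monthly medium, and then works out how far back the newest clean restore point lies once the date of infection is known. The labels, the "no weekend run" assumption and all dates are constructed for illustration.

```python
# Added example (not Ascentor's code): grandfather-father-son rotation for
# offline backup media, plus a check of how far back a clean restore point lies.
# Media labels, the "no weekend run" assumption and all dates are constructed.
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

DAILY = {0: "Mon", 1: "Tue", 2: "Wed", 3: "Thu"}  # weekday index -> reusable medium


def is_last_friday(day: date) -> bool:
    """True when `day` is the final Friday of its month."""
    return day.weekday() == 4 and (day + timedelta(days=7)).month != day.month


def medium_for(day: date) -> Optional[str]:
    """Label of the offline medium written on `day`, or None if no run."""
    wd = day.weekday()
    if wd in DAILY:
        return DAILY[wd]                            # Mon-Thu: overwritten weekly
    if wd == 4:
        if is_last_friday(day):
            return day.strftime("Month-%Y-%m")      # monthly medium, kept not reused
        return "Week%d" % ((day.day - 1) // 7 + 1)  # nth Friday: overwritten monthly
    return None                                     # Sat/Sun: no backup run here


def media_state(last_day: date, history_days: int = 400) -> Dict[str, date]:
    """Replay the rotation up to `last_day`; map each label to its newest write."""
    state: Dict[str, date] = {}
    for offset in range(history_days, -1, -1):
        day = last_day - timedelta(days=offset)
        label = medium_for(day)
        if label:
            state[label] = day                      # a later write reuses the medium
    return state


def best_clean_restore(state: Dict[str, date], first_infected: date,
                       today: date) -> Tuple[Optional[str], Optional[int]]:
    """Newest medium written before the infection, and the days of work lost.

    Media written on or after `first_infected` may hold encrypted files and are
    treated as suspect; an older restore point means more lost work.
    """
    clean = {label: day for label, day in state.items() if day < first_infected}
    if not clean:
        return None, None
    label = max(clean, key=clean.get)
    return label, (today - clean[label]).days
```

With a run on Thursday 30 June 2016 and an infection first seen on Monday 20 June, the newest clean medium is the Week3 Friday set, thirteen days old; had the infection started on 28 June, Monday's daily medium would do with three days lost.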
Next time
In the next blog in the series, we will be looking at backup strategies for large enterprises running SANs. Follow Ascentor on LinkedIn for the next instalment.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter.
If you’d like to discuss how our consultants could advise on any aspect of IA and cyber security, please contact Dave James at Ascentor.