The last few years have been fantastic and lucrative for those in the business of spreading ransomware and carrying out their extortion schemes by encrypting data:
- City of Atlanta: Could cost taxpayers up to $17M
- Colorado Department of Transportation: ~$1.5M
- Hancock Health: $55K
- Port of San Diego: Undisclosed
In Canada, small communities are also being hit:
Small communities, like these last three examples, already operate on very tight budgets; can you imagine what a $30K hit like that means to them? It could mean dipping into reserves, or cancelling some projects, or increasing the tax burden on citizens.
There’s also the personal impact that these incidents have on the people involved – the executives, the IT teams, etc. Can you imagine how tired they must be of constantly being held up as examples in news stories and blogs? Oh, sorry.
I reached out to Terry Cutler, an ethical hacker and Vice-President of Cybersecurity at SIRCO Investigation and Protection in Montreal. According to Cutler, “There are two types of businesses. Those who know they got hacked, and those that don’t.” In other words, it’s a question of when, not if, organizations will get hacked.
Information Governance to Tame the Ransomware Beast
Can a good Information Governance initiative at least put the chances on your side that you will not get hit by ransomware, or – at the very least – minimize the damage that it could potentially do to your data?
Stephane Bourbonniere, Regional Director for ARMA Canada, helped me reflect on that question. “In the ARMA approach to Information Governance, there is something called the Generally Accepted Recordkeeping Principles, which provide a high-level framework of best practices. The two principles that we’d be considering here are Protection and Availability.”
“The Principle of Protection,” he says, “states that an information governance program shall be constructed to ensure an appropriate level of protection to information assets that are private, confidential, privileged, secret, classified, essential to business continuity, or that otherwise require protection. This means that organizations absolutely need to consider how they are protecting their data, at all levels.”
“Additionally,” Bourbonniere continues, “the Principle of Availability states that an organization shall maintain its information assets in a manner that ensures their timely, efficient, and accurate retrieval. This logically follows the previous principle: if you protect your data as you should, it should be available.”
So, What Are the Top 5 Things an Organization Can Do to Protect itself from Ransomware?
According to Cutler, these would be:
- Ensure you have daily backups of all your data AND that you test restores! – “You’d be stunned to know how many organizations don’t do test restores, and when they need to restore data realize that they can’t,” says Cutler.
- Update and patch all your systems – “This continues to be a challenge in many organizations, as IT continues to fear that updates can break some systems and they just don’t have the resources to test everything. Still, it’s one of the most effective ways of protecting data.”
- Train and educate your users – “There is pretty much no way that any organization can be 100% immune from these types of attacks, but educating your users is absolutely one of the most effective things you can do!”
- Invest in robust security solutions – “This is one aspect that you simply cannot be stingy on: you need to spend good money on trusted and reputable solutions to protect every layer that goes down to the data.”
- Get your security tested externally – “Not nearly enough organizations do this! Beyond just penetration tests, you need to also test the social engineering aspect of your security efforts – who will click on the links? Who will open those email attachments? Where are the weaknesses and where do we need more training?”
Bourbonniere agrees with the education aspect. “Part of a good Information Governance strategy will definitely focus on training users on cybersecurity, otherwise so much effort is simply wasted. You can’t just put systems in place and hope that users will be protected. The human factor is too often neglected.”
As part of their Information Governance initiative, organizations can use IPRO to inventory permissions across the network. “Generally speaking, infected workstations can only go out and encrypt what the user has access to,” says Cutler, “so the more you work on the data access governance aspect of your network files, the more you mitigate the risk.”
Using audit ][ ENFORCE, organizations can also leverage the Epoch Data Protection feature to take regular (hourly, if need be!) snapshots of their high-value targets, such as financial files or HR documents, for example. If those files get encrypted, assigned data owners can very easily restore them from any point in time. Enforce can also notify administrators of any changes in network permissions, thereby helping them monitor any changes in security access.
Terry Cutler has also spent a lot of time putting together an Internet Security course that anyone can follow online. This course is based on his extensive experience and covers many key topics, including the “Ransomware Survival Guide”. You can view the curriculum here as well as enroll for the course. You can (and should!) also contact him for info on how to get a proper security evaluation done by accessing his profile page.