Prevent and treat ransomware attacks
Companies manage incredible amounts of sensitive data about their employees, clients, processes and products. At the same time, information technology (IT) is not always at the core of what they do – caring for clients is. This makes various industries increasingly vulnerable to cyberattacks.
During the pandemic, that susceptibility became more pronounced as bad actors took advantage of heightened stress and demand on industries. In response to this increased risk, the U.S. Department of Justice (DOJ) and the U.S. Department of Homeland Security (DHS) collaborated with other federal partners to create a hub for ransomware resources. This new website, StopRansomware.gov, contains ransomware fact sheets, government alerts and helpful tips for public and private organizations as well as individuals.
- All companies should be on high alert around cybercriminal activity including ransomware.
- Be aware of the common types of intrusions or breaches.
- Educate employees about risks and how to keep systems secure.
- Have a plan and backup systems in place in case of a ransomware attack.
Understanding the Technology Risk
The IT environment in companies is getting more complicated, and complexity leads to potential vulnerability. In addition, the pandemic has created new issues – including managing remote workers on the administration side and more significant communication needs.
Ransomware is a technique that is used by hacker groups with the result of compromising a system or network, encrypting the files so users don’t have access, and demanding payment usually in the form of cryptocurrencies to have the files unlocked. Ransomware usually happens at the end of the compromise. The breach occurs days, weeks or even months beforehand, allowing hackers to get in and see what they can access. The initial access can be a phishing email including a malicious link or a login through a remote desktop.
Why are Companies Being Targeted?
Companies have unique characteristics that make them attractive to organized cybercriminals. The combination of these factors may make organizations more susceptible to breaches and more likely to pay the ransom to regain access – a boon for cybercriminals.
- Value of the actual organization: If a company is critical to the life or safety of clients and cannot continue to provide critical services due to a system lockdown, ransomware is more likely to be paid.
- Type of data: For many people, personal identification information is some of the most private data they have, and certain industries are heavily regulated to clients’ privacy.
- System complexity: Companies recently involved in mergers and acquisitions have had to merge tech networks and processes creating complexity and potential security lapses.
- The growth of remote working: The need for remote working, which was accelerated by the pandemic and will continue to grow, adds additional access vectors that need to be secured.
Preparation is Prevention
Preventing an attack starts with having a plan. To begin, educate your employees on protocols such as how to identify suspicious links, set up multifactor authentication, create stronger passwords, and how to select software and vet it for security. Advise them not to give user information, passwords, or financial data over the phone or on unsecured sites.
Make sure you have an updated inventory of the data and devices on your network. Identify legacy equipment, and if it can’t be updated or replaced, put compensating controls around it.
Establish a layered approach to security. Since email is a typical initial entry point for ransomware, add security to that layer such as spam filters, third-party monitoring, and disabling macros. Conduct phishing tests to demonstrate to employees how breaches can happen. Make sure devices on the system have up-to-date security patches.
Add network segmentation. Isolate essential systems and data, which makes it harder for hackers to get to key data. Create special controls around and back up critical functions, as well as valuable administrative side functions such as human resources/payroll, accounts receivable and payable, and vendor management.
Secure the banking environment. Limit the number of employees who can access online banking systems and establish permissions and checks, such as requiring dual approval on outgoing ACH (automated clearinghouse) or wire payments.
Track behavior and conduct mock incidents. Know what systems and users are supposed to be doing at what times and establish patterns that make it easier for an internal tech support team or a third-party monitoring company to identify anomalous actions. Make technological breaches part of your business continuity or disaster planning.
Invest time in preparation. Construct a response playbook and establish relationships with response partners prior to any security incident or breach. Consider purchasing cyber insurance to help minimize disruption in business following a breach.
What to Do in Case of a Breach
Despite your enterprise’s best efforts, your company may experience a ransomware attack – hackers are organized networks of criminals that are well-resourced and sophisticated. Reach out to the local FBI field office or IC3.gov early. While law enforcement can’t mitigate an attack, they may provide useful context about ransomware attacks that have been identified before you bring in a remediation company.
When a remediation company is brought in, they’ll see what backups are available and triage and investigate the incident while getting necessary systems running. Recommendations for affected companies are:
- Don't power down impacted systems. You may lose critical memory. However, you can disconnect them from the network.
- Understand the notification requirements if you carry cyber insurance. Reporting too late can lead to reduced payments.
- Activate your internal and external communications plan. Understand the notification requirements if personal identification information or financial data (including employee, client or vendor) is exposed.
- Contact your financial institution to make them aware of the situation and determine next steps.
Conclusion: Responding to the Ransomware Threat
With cybercriminals increasingly targeting a variety of companies of all sizes, now is the time to make sure your systems have the right prevention measures in place. Ensure you’re tracking alerts from government entities via StopRansomware.gov. Keep employees informed of threats and add security layers.
KeyBank is committed to helping you protect your business and your treasury management system from ransomware attacks. For more insights into cybersecurity and fraud, visit key.com/cybersecurity.