While the increased risk of cyber-attacks, further fueled by the pandemic, is in the news daily, too many organizations continue to lag in their planning and preparedness. There are countless stories of entities across the business and societal landscape, from big corporations to hospitals to schools, navigating data breaches and other forms of cyber-attacks that put their organizations, employees and stakeholders at risk. Cybercriminals are always looking for their next target, and their tactics are continually evolving. The question is how to keep one step ahead or, at the very least, keep pace with best practices.
There are many steps and strategies to help your organization protect itself from cyber-attacks. These steps do not include waiting for a breach to occur before standing up an experienced incident response team. Nor do they include paying ransom to cybercriminals who have locked your drives and data. By submitting to a ransom demand, you are bolstering a criminal organization’s attack infrastructure without any guarantee that your data or operations will be restored. Instead, organizations should focus on building a cyber-aware culture that works 24/7 to keep information safe and employees on their guard against suspicious activity.
The intensity of the cybersecurity threat matrix is unlikely to diminish any time soon. Follow these five steps to ensure your organization is more fully prepared:
Step 1: Make a plan and consistently run through all of its elements before a breach occurs
Being prepared is your first line of defense against criminal cyber activity. If you are waiting to create a comprehensive incident response plan and culture of preparation until after a cyber incident occurs, it’s already too late. These security protocols must be developed and tested well beforehand. Locking in the best plan for your organization includes ensuring that everyone understands the protocols in event of a breach or ransomware attack, as well as their individual roles and responsibilities. An expert outside partner can help identify steps that will need to be taken such as:
- Disconnecting WiFi and Bluetooth and unplugging storage devices.
- Determining the scope of the attack, i.e. shared drives / folders, network storage, USB, external storage, cloud-based storage, etc.
- Knowing your RPO (Recovery Point Objective), your backups and your firm’s RTO (Recovery Time Objective).
- Using Google to try to identify the ransomware variant being used against your organization and to learn key facts about it and the attackers.
- Using the ransomware program’s announcement (ransom note) to determine whether your data or login credentials have been copied and, if so, how much and what.
- Checking your logs and any data loss prevention (DLP) tools for signs of stolen data. This includes spotting any large unauthorized archive files (e.g., zip, arc, etc.) containing data the attacker staged before copying it out. Also look at any systems that might record large amounts of data being copied off the network, as well as any malware, tools and scripts that might have been used to find and steal data.
- Lastly, if a cyberattacker tells you they have your data or credentials, believe them.
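As an added illustration of the log and file checks in the list above (example code, not part of the original post), this Python sketch flags large archive files written by accounts not approved to create them and sums outbound bytes per source host per hour from constructed proxy/DLP-style log lines; the inventory, log format, thresholds and approved-owner list are all assumptions.

```python
import re
from collections import defaultdict

# Archive types that commonly show up as exfiltration staging files.
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".arc", ".tar", ".tgz", ".tar.gz")

# Constructed file inventory: (path, size_bytes, owner). Sample data, not real.
INVENTORY = [
    ("/srv/share/finance/Q3-report.xlsx", 2_400_000, "alice"),
    ("/srv/backup/nightly.tar.gz", 40_000_000_000, "svc_backup"),
    ("/srv/share/public/x1.7z", 2_700_000_000, "bob"),
    ("/home/bob/notes.zip", 12_000, "bob"),
]

# Constructed proxy/DLP log lines: timestamp, internal source, external
# destination (documentation IP ranges), bytes sent. Sample data, not real.
LOG = """\
2024-05-01T02:13:44 src=10.0.5.21 dst=203.0.113.9 bytes_out=900000000
2024-05-01T02:41:10 src=10.0.5.21 dst=203.0.113.9 bytes_out=950000000
2024-05-01T09:05:02 src=10.0.7.3 dst=198.51.100.7 bytes_out=4200000
2024-05-01T09:30:15 src=10.0.5.21 dst=203.0.113.9 bytes_out=1000000
"""
# Capture the hour prefix of the timestamp so transfers bucket per hour.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d):\d\d:\d\d src=(\S+) dst=(\S+) bytes_out=(\d+)$")


def find_staging_archives(inventory, min_bytes=1_000_000_000,
                          approved_owners=("svc_backup",)):
    """Return paths of large archive files not written by an approved account."""
    return [path for path, size, owner in inventory
            if path.lower().endswith(ARCHIVE_EXT)
            and size >= min_bytes and owner not in approved_owners]


def flag_egress(log_text, threshold_bytes=1_000_000_000):
    """Sum bytes_out per (source host, hour) and return buckets over threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        hour, src, _dst, sent = m.groups()
        totals[(src, hour)] += int(sent)
    # Sorted list of (host, hour, bytes) so output is stable for review.
    return sorted((src, hour, total) for (src, hour), total in totals.items()
                  if total > threshold_bytes)
```

Thresholds here are deliberately coarse; in practice they should be tuned against a baseline of normal backup and transfer volumes for each host.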
Step 2: Make employee training around top threats like Spear Phishing a business imperative
As all technology professionals know, Spear Phishing is a type of attack that specifically targets an individual or small set of individuals with cues designed to make the message feel legitimate. This technique is a major threat and makes it imperative that organizations schedule consistent and thorough training to help employees be prepared to spot fakes. Train those within your organization not to open a message or a link simply because the sender seems to know a lot about them – or appears to be one of their colleagues. Empower employees to always ask before committing to any next steps requested by the sender, especially if the sender signals a sense of urgency.
You should consistently issue “voice of leadership” messages to all staff members containing guidance on what to look for, who to call, what to do, and that it is okay to not click or respond to any message that looks unusual or suspicious. Use every channel at your disposal – in person or virtual staff meetings, emails, intranet posts and more. Simulate phishing attacks against your users regularly to ensure they are sensitive to approaches attackers will take and offer a continuous learning platform to deliver tests and trainings.
Step 3: Educate employees on behavioral engineering techniques
Most individuals working in your organization are unaware that attackers gain a foothold by investigating individuals’ habits, actions, favorite things, or the names of their family and friends. When it comes to social media, inform those within your organization that they should own their online presence and share only to their comfort level, not beyond it. When people give out information freely on social media, cybercriminals can more easily guess passwords that contain items of significance (e.g., a favorite car, a spouse’s name, kids’ birthdates, etc.) and break into business or personal data. It’s important to always operate under the premise of “don’t know you, don’t trust you.”
Step 4: Proactively monitor logs and surveillance systems
“Dwell time” refers to how long an intruder is sitting within a given network and collecting information before the organization notices. The average dwell time is currently an astounding 180 days. By deploying a Managed Detection and Response (MDR) plan into your environment, you can be made aware of traffic that is outside the normal range and increase the organization’s threat hunting capabilities. This is another area where a trusted outside partner can help you assess needs and stand up the right capabilities.
Our experts at ConvergeOne often spot Remote Access Trojans (RATs) bundled with ransomware that are hard to locate and eradicate. A RAT is malware that includes a back door for administrative control over the target systems. RATs are usually downloaded invisibly alongside other malware like ransomware. Once the host system is compromised, the intruder may use it to distribute RATs to other vulnerable computers and establish a botnet, or keep it as a future entry point even after the ransomware portion of the payload has been thwarted.
Step 5: Increase emphasis on protecting customer data
The goal of nearly every cybercriminal is to gain access to as much protected data as possible and leverage it for monetary gain. This fact, combined with increased regulations mandating protection of data, means intensified pressure on every organization to keep customer and employee information safe. This is even more critical in industries like healthcare or financial services.
When it comes to customer data, how it’s handled is just as important as the data itself. Both physical and electronic handling should be taken into account, in terms of who has access to the information and what they are doing with it. If there is no need to house customers’ data, then ensure that once the transaction has completed, no information is kept on the network. If there is a need to house sensitive data like credit card information, ensure proper masking techniques are employed. Only the last four digits should be visible, and these should only be used for authentication and authorization purposes. Clients should also be made aware that they should never share the full card number over the phone, and that a request for only the last four digits is the norm.
Cybercriminals are relentless and have no remorse for their actions. By making cybersecurity a priority for your organization today, you can help prevent a cyber-attack tomorrow. To learn more about protecting your organization against ransomware and other cyber-attacks, please reach out to ConvergeOne’s Chris Ripkey and Vito Nozza.