In a memo released by the White House last week, the Biden administration urges business leaders to take immediate steps to prepare for ransomware attacks, warning that cybercriminals are shifting from stealing data to disrupting operations. As I wrote a few weeks ago, not just large companies are facing a ransomware problem — organizations of all sizes need to be mitigating their risk. According to Anne Neuberger, President Joe Biden’s deputy national security advisor for cyber and emerging technology:
“The private sector also has a critical responsibility to protect against these threats. All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location.”
Many companies will get this wrong, not because they don’t appreciate the risk, but because the systems they have in place won’t adequately address the issues. According to the White House, there are five best practices:
- Back up systems, regularly test the backups, and keep them offline.
- Update and patch systems promptly.
- Test your incident response plan.
- Check your security team’s work via a 3rd party.
- Segment your networks.
While this is all good advice, it assumes a few things:
First assumption: You know what systems you have and what their status is. The reality for most businesses is that technology has grown organically and may be in various states: modern, dated, really dated, or hidden. Let’s touch on the last one first. Unless you have recently had a code audit (something we can help you with), there is likely technology that nobody knows about. It may be something a developer who is no longer with the company created, or something a marketing person bought and then forgot. It’s surprising how many things are not on a company’s radar yet serve small but mission-critical functions. The reality of business is that keeping technology up-to-date is always a case of ROI: if the return on investment isn’t there, the can is kicked down the road, and that process can be repeated for a long time. As a general rule of thumb, you can assume the following:
- Built in the last 3 years — probably ok
- Built 4 to 8 years ago — should likely be replaced
- Built 9+ years ago — probably in bad shape
This was still considered cool in 2012…
Second assumption: You have an ongoing roadmap with a support and replacement schedule for all of your technology. Knowing where everything is today is the first step — keeping things up-to-date is a never-ending responsibility.
Item #4 on the White House recommendation list is “Check your security team’s work via a 3rd party.” As a 3rd party technology consultant, I obviously have some bias.
Get ready personally
If you can’t influence the technology decisions at your organization, or even if you can, it’s important to start protecting yourself personally. This is not fun to hear, but there will be more security breaches, and your data is going to be compromised. Here are three things you can do to mitigate the impact:
- Install antivirus software
- Use a password manager
- Don’t click on links you don’t recognize
1. Install antivirus software
If you aren’t running antivirus software, you should be — EVEN if you are on a Mac. At Metal Toad, all of our machines run Sophos, and it’s worth either getting your organization to buy you a copy or buying one yourself.
2. Use a password manager
One of the most significant issues with data being hacked is usernames and passwords. 72% of people reuse passwords, and 13% use the same password for all their accounts. When a website or application is compromised, ALL of the websites and applications using that password are also compromised (attackers automate this by replaying leaked credentials against other sites, a practice known as credential stuffing), potentially leading to a chain of data loss and/or fraud. The best way to avoid this is to use a password manager. At Metal Toad, we use LastPass to manage all of our passwords and keep track of duplicates, etc.
3. Don’t click on links you don’t recognize
I’m choosing my words carefully here. Don’t assume that because an email (or text) appears to come from someone you know, the link in it is legitimate. Emails and texts can be sent to appear to be from trusted individuals, and scammers can create phishing websites that look like your bank’s, credit card company’s, or email provider’s site. If I receive an email notification, I’ll often go directly to the website it supposedly originated from to verify its authenticity.
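One check that catches the most common trick in the advice above, a link whose visible text names a site you trust while the actual destination is somewhere else, can be automated. The following is an added example (not code from the original post or from Metal Toad); the email HTML and the domains in it (example-bank.com, login-verify.net, the 203.0.113.7 documentation address) are constructed, and the "last two labels" approximation of a registrable domain is an assumption that a real filter would replace with a public-suffix list.

```python
"""Flag email links whose visible text names one domain but whose href goes elsewhere.

Added example for illustration, not part of the original post.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches something that looks like a hostname in the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Constructed sample: one lookalike host, one genuine link, one bare-IP link.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="https://example-bank.com.login-verify.net/session">https://example-bank.com/login</a>
<a href="https://example-bank.com/help">Help center</a>
<a href="http://203.0.113.7/reset">Reset your password</a>
"""


def registrable(host):
    """Approximate the registrable domain as the last two labels.

    Assumption: good enough for the sample; production code should use a
    public-suffix list so that e.g. example.co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return (visible_text, href, reason) for links a reader should not click blindly."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        if parts.scheme not in ("http", "https") or not host:
            findings.append((text, href, "non-web or hostless link"))
            continue
        try:
            ipaddress.ip_address(host)
            findings.append((text, href, "link goes to a bare IP address"))
            continue
        except ValueError:
            pass  # not an IP literal, fall through to the domain comparison
        shown = DOMAIN_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append((text, href,
                             f"visible text names {shown.group(1)} but the link goes to {host}"))
    return findings


if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason!s:60} [{text!r} -> {href}]")
```

Run against the sample, the function flags the first link (the visible text says example-bank.com, the href host resolves under login-verify.net) and the third (a raw IP address), and leaves the genuine help-center link alone. The same "what does the text claim versus where does the href go" comparison is what you do by hand when you hover over a link before clicking it.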