Everyone has items in their personal life of great value. The intrinsic value is not based on what these things could be sold for, the value is because the items are of personal significance and can not be replaced. The same is true for your business; you have critical data and systems which are vital to the day-to-day operation of the organization, and they have immense value to your ability to stay in business, regardless of whether the data would have value to anyone else. This is the exact dynamic that is exploited in ransomware attacks. Cyber-attackers exploit some aspect of your business to gain access, they encrypt your data or systems to make them unusable, and because those systems have great value to you – regardless of whether the data has value to anyone else – they trust you will pay a large ransom to get back your access to keep your business functioning.
The largest waves of cyberattacks now are not targeted at specific companies; they come from widespread attempts to get unprepared organizations to make a fatal flaw in action to a seemingly benign request, they exploit that action, they do things like remove your ability to access data and systems which are valuable to you and your business, and they hold those systems ransom in an attempt to get you to pay to have your access reinstated. In general, the only market demand needed by the attacker to achieve financial success is to trust that you value your data enough to need to have access to the data for your business to run. It does not matter the size of revenue your company generates; it does not matter whether you are a global operation or a local business; they are typically not looking to sell what they have illegally accessed. The simple fact you now need what they have exclusive access to creates exactly the situation they need to create a market where they can profit.
This scenario may seem alarmist, but we continue to see a growing number of local businesses of a variety of sizes dealing with significant impact from ransomware scenarios exactly as described. Organizations that are not investing in a structured approach to information security practices are at a very high risk of failing to protect what is most valuable to their business. The investments should come in a framework of layers; there is no single tool or ‘easy’ button to adequately prepare an organization against the multitude of ways attacks can infiltrate a company in today’s hyper-connected world.
Organizations that are not investing in a structured approach to information security practices are at a very high risk of failing to protect what is most valuable to their business.
If you are not investing time and money in the areas of end-user cybersecurity education to better position employees to be able to detect malicious messages, you are doing the equivalent of asking a child unfamiliar with ‘stranger danger’ to keep people from getting into your house to see your valuable items. If you are not deploying security platforms which actively screen incoming mail messages, links, and attachments to create an entry barrier for malicious messages, and software which detects irregular behavior and malicious files on workstations and servers, you are doing the equivalent of not caring about dangerous visitors to your house and behaviors in your neighborhood which could indicate a risk to your home. If you are not consistently patching software to ensure identified security bugs are remediated in a timely manner and you are not doing regular vulnerability assessments to understand what potential attackers could exploit in an attempt to get access to your data, you are doing the equivalent of disregarding warnings from law enforcement about knowing your windows are unlocked and knowing thieves have been seen around your house trying to get access to your things of value.
To keep the comparison going, following an Information Security framework and implementing common practices for your organization is like having visible signs outside your house with a security fence, an alarm system, exterior cameras, and a neighborhood watch. None of those things assure you will not fall victim to losing things of value, but the presence of barriers creates more resistance than a random attacker might find worth his time. In information security terms, the email campaign the cyber attacker launches to try to get people to click on malicious links is only of value to the attacker if it gets delivered to the user, gets clicked by the user, gets executed on the computer of the user, and is able to spread. If your security framework breaks that chain of events, you are going in the right direction to protect your data.
Keller Schroeder has years of experience making positive impacts on our clients with respect to all aspects of Information Technology, including Information Security. If there is any aspect of protecting your environment where you would value some professional input discussing your current posture and common practices from our certified team, please reach out to us. We would welcome the chance to help you protect what you value most.