Phishing for trouble: How to avoid your company’s data being held to ransom

Ransomware has recently escalated in prevalence and is now one of the most prolific forms of cyber crime globally. Thousands of companies have had their data taken as digital hostage and money demanded in exchange for access.

The UK is increasingly become a hotbed for such activity and according to Symantec it is now the world’s most targeted nation for phishing scams and ransomware activity. British businesses, hospitals, schools and even local authorities are all being targeted. It is vital all organisations, big or small, must be vigilant and fully prepared for a ransomware attack.

When ransomware strikes companies can never truly draw a line under the ordeal. Even if a ransom is paid, the data that is returned is often corrupted. One mistake, one accidental click and a company will be subject to multiple attacks in an indefinite time frame – destroying customer confidence and burning a serious hole in the organisation’s pocket. There is often a reputational fallout to contend with too – be that through media coverage (in the cases of large organisations), or through the loss of clients.

Prevention is better than cure

So what’s the best way to combat ransomware? As the saying goes, an ounce of prevention is worth a pound of cure. Mitigating against the risks of ransomware comes down to four key steps:

Education, Education, Education

The top priority for a company concerned about ransomware is its users. Cyber criminals understand the environment they are attacking, and that employees are often the weak link. Using phishing campaigns, workers can be tricked into clicking insidious emails. Imagine receiving an attachment from your CEO labelled urgent - not many of us would ignore it! Therefore, companies have a duty not to place blame, but to educate their staff.

Awareness courses should be run regularly and informative educational materials distributed that outline how to spot a phishing email, what to do when you are unsure and who to alert if an employee believes an email or any other such documentation is dangerous. This way, if a phishing email does find its way in to an employee’s inbox, there is more chance it will be avoided.

Understand your users

However, not all the blame can be placed on negligent users. Of course, security education is a necessity, but accidents are often unavoidable. Therefore, organisations must protect themselves in a context-aware way. What position does someone hold within the company? What applications are they accessing? Where are they situated within the world, and what team or division do they work within? By knowing the details of an employee’s role, companies can ensure that they only have access to the programmes and applications they need, rather than granting access to the complete infrastructure.

Control access

Similarly, companies must also do their utmost to prevent ransomware from reaching employees. In order to prevent an attack, companies have to properly blacklist and whitelist certain applications. By strictly controlling access, the risk of a threat can be greatly reduced thanks to the blockage of malware. If properly implemented, employees should be protected from potentially dangerous emails or web pages and the risk of a user accidentally clicking on a dangerous page is therefore lowered.

Formalise the user lifecycle

Equally important, but often overlooked, are onboarding and offboarding procedures. These should be kept up to date religiously so security is maintained from the very beginning of the user lifecycle. To make sure that the user lifecycle is monitored and contained, organisations can outsource this function to companies that secure digital workspaces.

With minimal time invested, a company can ensure that the entire process is properly managed. Whilst often under estimated, an ex-employee who still possesses full access to the network could create an access point for hackers – a potential threat that can be relatively easily avoided.

It’s not just the crooks watching you

The European Commission has outlined General Data Protection Regulation (GDPR) which will come down extremely hard on companies that fail to protect confidential data. This means that the ramifications are greater than ever. The GDPR will revise outdated data protection laws, and force companies to take the issue of data protection far more seriously. For companies, the revised GDPR could mean hefty fines of up to 4 per cent of global turnover or €20m Euros (£15.8m), a cost almost guaranteed to be greater than the original ransom. Large companies will also be forced to employ a data protection officer and data breaches will have to be reported within 72 hours.

Ultimately, businesses must understand that ransomware is a very dangerous and serious threat. Stringent processes and procedures must be put in place to ensure that ransomware does not reach an employee, that they are educated in the event that it does, that the threat can be contained as much as possible, and that the number of access points are reduced.

Otherwise, a company could find itself the victim of both the criminals and the regulators.

Andy Buchanan, Area Vice President, UK&I, RES

Image Credit: wk1003mike / Shutterstock