There are few businesses that will not have heard about WannaCry, May 12’s ransomware attack that has affected – and often with devastating results – organisations across the world.
So, we’ve worked with our partners over at Vuzion to compile a blog outlining advice that can help your customers better protect themselves.
Regardless of the type of ransomware – either lockscreen, where screens are locked to prevent user access, or encryption ransomware in which files are altered to bar users until an encryption key is applied – a business is unable to access its data until a ransom, usually demanded in Bitcoins, has been paid. The business is held over a barrel – pay up, or lose critical data.
Cybercriminals are becoming ever more sophisticated, and malware can enter an organisation via numerous routes. Typically, however, ransomware arrives via email, through a user following a link to a malicious website, or as a result of flaws in installed software and patches not being applied.
Whereas most businesses will have in place some – if not all – of the measures outlined below, it might be worth reminding customers of the importance of effective security safeguarding.
1. Install web filtering, firewalls and anti-virus
Preventing malware from entering the organisation in the first place is the best way to secure against cyberattack. This is achieved by adopting a ‘layered approach’ to protection: implementing anti-virus, web filtering and firewalls. It’s essential that businesses ensure each component is correctly configured and always up-to-date. Scanning solutions today incorporate functionality to re-write links to verify safety when ‘clicked’, and to open suspicious attachments.
2. Keep IT up-to-date and patches applied
Malware can often infect an organisation through bugs in software and applications. Businesses should ensure that software updates are implemented and patches applied as soon as they’re released. It’s believed that WannaCry exploits a Windows issue for which Microsoft issued a patch in March, but which many organisations have not applied.
3. Backup – and regularly
Whereas organisations attacked by encryption ransomware will be unable to access their live data, their backup data will have been unaffected, and can be restored once infected devices have been cleared down. On the proviso that backup procedures have been performed regularly, the integrity of the data routinely checked, and well-defined and practised restoration procedures created, an infected organisation will lose relatively little data – and, importantly, can be quickly back up and running.
4. Keeping staff up to date with training
Email-borne cybercrime is common, with messages often sent by the cybercriminal as part of a random mass mailing. Businesses should therefore consider investing in ongoing training to remind employees of potential hazards. Malicious links incorporated within emails create issues for many businesses. Give-away signs to look for include:
- Emails claiming to be from well-known, reputable organisations, sent from a variant of the authentic email address – a 0 replacing O, for example;
- Communications from organisations or on topics that arrive out of the blue;
- Poor quality text (spelling and grammatical errors, for example) can often indicate a fraudulent email – although it’s worth pointing out that cybercriminals are increasingly addressing this.
Emails received from legitimate contacts, but where the originating account has been attacked, still pose problems for businesses. These are often characterised by a short – at times nonsensical – message and a (malicious) link.
Social media networks or instant messaging may also contain links to malware.
Advising users to go direct to an official website rather than click on embedded links can help businesses guard against malicious attack, but the main point of advice is that it’s essential to keep reminding employees of potential ransomware threats.
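The first give-away sign above (a 0 replacing an O in the sender's address) can be checked automatically at the mail gateway. The sketch below is an added example, not part of the original advice: the trusted domains and sample headers are constructed, and it checks a few further character swaps beyond the one the text mentions.

```python
from email.utils import parseaddr

# Constructed allow-list: domains the organisation genuinely receives mail from.
TRUSTED_DOMAINS = {"contoso.com", "northwind.example"}

# Character swaps used to imitate a real domain. "0" for "o" is the example
# given in the text; the remaining swaps are added here.
MULTI_CHAR = (("rn", "m"), ("vv", "w"))
SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain: str) -> str:
    """Reduce a domain to a form in which look-alike characters compare equal."""
    d = domain.strip().lower().rstrip(".")
    for fake, real in MULTI_CHAR:
        d = d.replace(fake, real)
    return d.translate(SINGLE_CHAR)


# Map each trusted domain's skeleton back to the real domain it belongs to.
TRUSTED_SKELETONS = {skeleton(d): d for d in TRUSTED_DOMAINS}


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'unknown' or 'lookalike of <domain>' for a From header."""
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "unknown"
    # Only the full domain after the @ is compared; the display name is ignored
    # because the sender controls it completely.
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    imitated = TRUSTED_SKELETONS.get(skeleton(domain))
    return f"lookalike of {imitated}" if imitated else "unknown"


if __name__ == "__main__":
    # Constructed From headers for illustration.
    for header in ("Contoso Billing <billing@contoso.com>",
                   "Contoso Support <support@c0ntoso.com>",
                   "newsletter@unrelated.example"):
        print(f"{header!r:45} -> {classify_sender(header)}")
```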
5. Is it really the CEO emailing?
Spear-phishing is a second and growing form of cyberattack actioned through email, with the attacker posing as a company official requesting a specified action – such as the ‘CEO’ of a company asking Finance to transfer funds. These types of email can also claim to come from official organisations – a bank, government department, or even the police, for example. Companies should be aware of this potential risk, and define procedures to help employees identify phishing attacks.
6. Formalise security policies
Customers should be advised to create and record in writing a set of formal protection policies and processes in consultation with their IT partner who can apply these policy requirements to every device.
7. Instigate a robust password and multi-factor authentication policy
It goes without saying that the more robust a password requirements policy, the harder it is for cybercriminals to infiltrate a business. However, many companies still have not addressed password protocol, and allow users to set up ineffective and weak passwords. Requiring unique ‘strong’ passwords for individual accounts, or implementing single sign-on solutions, helps reduce risk. So does implementing multi-factor authentication, whereby access is gained only after successful submission of various pieces of information as an additional layer on top of the password control – such as requiring input of a numerical code texted to a mobile device.
8. Personalise anti-spam settings
Malware can be activated via an attachment. However, webmail servers can be configured to block potentially suspicious attachments, identified by extension type – such as .exe, .vbs or .scr. Setting devices to show file extensions is also useful to help users avoid accessing malware via attachments.
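The extension-based blocking described above can be sketched as follows. This is an added example, not part of the original advice: the message and the list of decoy document extensions are constructed, and the blocked set contains only the three extensions the text names. It also flags the double-extension case, which is why showing file extensions matters: with extensions hidden, report.pdf.exe is displayed as report.pdf.

```python
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr"}           # the examples named in the text
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt")  # assumption


def normalise(filename: str) -> str:
    # Windows ignores trailing dots and spaces, so "setup.exe. " still runs as .exe.
    return filename.strip().rstrip(". ").lower()


def final_extension(filename: str) -> str:
    """Return the last extension of a filename, lower-cased, or '' if none."""
    name = normalise(filename)
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def review_attachments(msg: EmailMessage) -> list:
    """Return [(filename, verdict)] for every attachment in the message."""
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = final_extension(filename)
        if ext not in BLOCKED_EXTENSIONS:
            results.append((filename, "allow"))
            continue
        # A document-style extension just before the blocked one is a disguise
        # that only works when the real extension is hidden from the user.
        stem = normalise(filename)[: -len(ext)]
        disguised = stem.endswith(DECOY_EXTENSIONS)
        results.append((filename, "block (disguised)" if disguised else "block"))
    return results


def build_sample_message() -> EmailMessage:
    """Constructed message with three harmless dummy attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for name in ("invoice.pdf", "report.pdf.exe", "notes.VBS"):
        msg.add_attachment(b"dummy", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for name, verdict in review_attachments(build_sample_message()):
        print(f"{name:20} {verdict}")
```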
9. Block pop-ups, disable macros, disallow data transfer via USB
Increasingly, malware is spread through invitations to download macros incorporated within everyday documents. A robust policy defining download privileges and regulating rights per employee can extend protection across the business.
10. Turn off immediately if suspicious activity is detected
And finally, if an attack is suspected, the advice is to disconnect from the web. At an early stage in the attack, this can prevent malware establishing itself, and may also prevent ransomware spreading to other areas of the business.
The National Crime Agency (NCA) and the National Cyber Security Centre offer advice, and the Cyber Security Information Sharing Partnership (CiSP) is a national forum where businesses can discuss cyber issues.
If you would like to discuss any of the points above with us at Nebula, please email firstname.lastname@example.org or call on 01454 534009.