Ransomware: Why It’s Getting Publicity and What to Do About It

Ransomware: Why It’s Getting Publicity and What to Do About It

Even though ransomware attacks decreased in 2018, they remain a major threat in the cybersecurity landscape. So much so, that ransomware was recently featured on 60 Minutes. The story primarily covers three major instances of ransomware, two that affected municipalities, and a third that targeted a hospital. 

All three were attacked in a way that encrypted every single one of their files and also encrypted some of the files within their backups, sending the organizations back to operating on pen and paper. Two, despite FBI recommendations, ended up paying the ransom to restore their data quickly, while the third decided not to pay the ransom and went about remediation on their own.  

The hospital was hit with a $55,000 bill, while one municipality (Leeds, AL) was able to negotiate payment down to $8,000. These ransom sums may not appear astronomically high, but that’s exactly how the hackers keep going. If they requested millions in ransom, no one would pay. An amount in the solid five-figures, though, feels doable for most organizations to get their precious data restored. The third entity (Atlanta, GA) suffered millions of dollars in losses and time in efforts to recover. Some of their data could never be recovered. 

The story presented a very clear picture of the dangers surrounding ransomware; however, there were two major issues in the story. First, the entities covered were obviously major entities implying that you needed to be in the public eye to be affected. This is certainly not the case. In fact, nearly 50% of small business owners say their business was affected by a cybersecurity attack in the last year. Ransomware is not just for highly public entities.  

Perhaps more importantly, the story painted paying the ransom as the cheaper and often faster way to go. In very rare occasions, paying the ransom is the only option; but if you’re stuck in a ransomware trap, we do not recommend jumping straight into paying the ransom. Here’s why: 

  1. Sure, after you pay the sum (typically in bitcoin), the vast majority of hackers suddenly become ethical and return your files. Let’s look at the reality, though. You’re relying on someone who just took your data hostage for an exorbitant fee to return that data to working order simply because you held up your end of the unwanted bargain. Sounds a lot like using hope as a data recovery strategy to us. At any point the hacker could respond, “Thanks, but no thanks!” or “Well, we thought this would be a sufficient amount”; but we ran into snags with your recovery. We’ll actually need x number to finish the job.”  

  2. Prevention is a better strategy. If your back-up is set up correctly with an on-premises and multi-tenant off-site solution, you should be able to roll back to data that existed before the ransomware attack. Granted, you may lose some data in the process if the encryption gets into the backup like it did in the attacks covered in the 60 Minutes story. Losing some data is a lot better than putting yourselves up the creek financially by paying a major ransom. In addition to proper backup, ensure that you’re effectively training employees and stringently monitoring data coming in and out of your network.  

  3. Isolation is possible. In short, don’t store all of your valuable data in one place. If, on the off-chance, ransomware breaches your network, you don’t want to give it an open door to encrypt absolutely everything of value. Keep all critical applications on isolated networks to maintain global network safety.  

Ransomware attacks may be on the decline. However, that just invites the hackers to come up with a more creative way to scam you out of time and money. Perhaps phone ransoms are coming next. Regardless of what the hackers create, make sure you’re prepared and don’t have to rely on paying a hefty ransom to keep your business in operation.  

Compliance Alphabet Soup

Compliance Alphabet Soup

No matter what industry you’re in, compliance acronyms are abundant, filling your days with both confusion and regulation. We call it the compliance alphabet soup. It’s time to make a little bit more sense of all those acronyms and what they likely mean for your business. 

GDPR (General Data Protection Regulation): While this regulation only applies to the European Union and information leaving the EU, we are seeing its effects state-side because it requires businesses that interact with EU citizens to comply, regardless of location. The goal of GDPR is to create greater data privacy and protect from breaches. If there is even the slightest likelihood that someone from the EU will be visiting your site or interacting with you online, make sure that you comply with GDPR regulations. We’ll cover GDPR in greater detail in our next blog.  

HIPAA (Health Insurance Portability and Accountability Act of 1996): While this law has been on the books since 1996, many medical practices are still not HIPAA compliant and believe that they are too small to be touched. Even if you aren’t directly in the medical industry, pay attention! Beyond the practices themselves, any organization that works with a medical practice has responsibility in HIPAA compliance through associate agreements. These agreements particularly apply to IT companies, law practices, accounting firms, and others that might have access to patient data in any way. Bottom line, all patient data must be protected, encrypted, and safe. You also need to have a specific HIPAA-compliance plan, breach response plans, and data recovery methodology. HIPAA has gained notoriety with larger scale medical breaches in recent years, in addition to larger fines levied for HIPAA breaches. The largest fine currently on record is $16 million. Small companies are also being hit with violations costing about $1.5 million apiece.     

HITECH (Health Information Technology and Clinical Health Act): HITECH entered the picture in 2009 and brought teeth to HIPAA violations. This regulation specifically covers the electronic transmission of health information. In its best form, it’s meant to improve patient care through better doctor coordination, better sharing of information, and strong data security of electronic health records. In practice, all those privacy forms that you sign whenever you go to the doctor really do have an important purpose.  

I-9 (Employment Eligibility Verification): This is the form that new hires must fill out within three days of employment to verify that they are eligible to work within the US. While this piece of paper may get lost among the sea of new hire paperwork, it should never be overlooked. Even if you’ve been correctly employing the I-9 form for years, you may want to go back and check for form updates. Some updates will have no impact; but to be truly in compliance, you’ll sometimes need to go back and have every employee update their I-9 information and verification documents.  

PCI DSS (Payment Card Industry Data Security Standard): Do you collect credit card information within your business? Any payment data collected and stored must be PCI compliant. To ensure compliance: 

  • Employ strong security standards, like firewalls, anti-virus protection, and regular updates that protect your network as a whole 

  • Encrypt all credit card information transmitted across open networks 

  • Maintain strong data access controls to ensure that rogue people don’t gain access to your information   

These are just a few of the compliance acronyms you may encounter in your daily work. Don’t get lost in the compliance alphabet soup. A quality IT firm can help you comply with the vast majority of these and will be able to put a clear plan of action in place to increase your cybersecurity footprint.  

To Renew or Not Renew, That Is the Question

To Renew or Not Renew, That Is the Question

You’re prepared, at least mentally, to begin your migration to Windows 10 because you’ve read What Does Windows End of Life Mean to My Business? and Getting Ahead of Windows End of Life. Is your hardware ready, though? How you handle your IT (on your own, as needed support, or with a fully managed agreement) will change how you will have to deal with your transition.  The following items should help you decide how to prepare your hardware for the Windows 10 migration.  

 

Do It Yourself 

If you own all of your own equipment and deal with IT issues in house, then you will want to get started on migrating your devices now. The good news is that Windows 10 is highly compatible with just about every PC out there. If you run into trouble, it’s likely a vendor incompatibility issue, not Microsoft, itself, so you’ll want to contact them directly. When you have that handled, upgrading from 7 to 10 is as simple as running the ISO file from Microsoft.com, from a USB, or DVD. The bad news is that it will take significant time migrating every PC in your business. You’ll also need to deal with a backlog of Microsoft customer service support if you happen to run into any issues.  Remember that almost 70% of the world’s computers are still running Windows 7. It’s almost guaranteed that others will run into issues and need support, as well.  

 

MSP 

If you are with a managed service provider, you should be just fine. In fact, you likely already have a plan in place from your most recent business review. Over the course of the next few months, your IT company will ensure software compatibility with all of your line of business applications and contact any necessary vendors and schedule a time with you to come out and run the update once their sure everything will go smoothly. Now, would also be a good time to consider any hardware upgrades that you’ve been needing. All new PCs will automatically come with Windows 10, alleviating any upgrade issues now or in the next three years or so. The best part of it, you have to do nothing. No downtime for your business, no extra IT work for you, and no worries. 

 

If you’re on a full managed services agreement, the upgrade is more than likely covered and any hardware needs will be handled on a new monthly payment plan (HaaS agreement). If you’re on a partial agreement or break/fix model, you’ll likely be billed for the time required to complete the upgrade. Either way, your IT company will have you completely in hand. Just remember that your service provider will soon be booked solid assisting other clients with this transition. It’s important to schedule now so you’re not left waiting.  

 

Time to Get a Contract? 

If you’re reading this blog as someone that had planned to do this upgrade on your own but have now decided that you don’t have the time or desire to do so? It’s time to contact Winsor Consulting. We’ll make sure that you’re taken care of through Windows 7 end of life and well beyond.