Five years ago, in 2016, a business became a ransomware victim every 40 seconds. Today, it is one business every 11 seconds! And the damage continually escalates. Bad actors may first try to disable and delete your backups, and only then encrypt all your data, so that you cannot recover from backup. And, even if you can recover from backup, the attackers threaten to sell your confidential information on the dark web unless you make a cryptocurrency payment that is difficult to trace and impossible to reverse. This is madness and it is destroying businesses.
As an aside, as a society, we could come together to address the root cause of ransomware — that the anonymous nature of cryptocurrency allows bad actors to get paid with impunity. Unfortunately, creators and advocates of cryptocurrency have confused and misdirected concerns about the technology to the point where we will likely never have sufficient political will to take meaningful action to stop it. So, we must expect continually increasing cyber-security risks forever and plan accordingly.
Long-term cyber-security management looks like this:
- Assign one person the role of security officer for your organization (if you are a solo practitioner, it’s you) – you need accountability and must avoid the “if everyone is responsible, no one is” problem
- Schedule a security management meeting with all relevant parties with the following agenda:
  - assess your risks, including reviewing security incidents since the previous meeting
  - develop mitigation plans and action items to address those risks
  - schedule your next meeting (no further than one year out)
Your security will never be perfect. Instead, you want protections that are strong today and that get stronger over time. Threats continually evolve and so do mitigation strategies. However, some key principles will remain constant, such as the “many layers” approach (often called defense in depth). Imagine the security of a bank vault. Visualize the cameras, security monitoring system, a security guard, very solid building walls, even more solid vault walls, a heavy-duty vault lock, dual keys for safety deposit boxes, silent alarm systems, well-trained employees, and so on. Banks depend on many security layers working together. Combined, these layers are vastly more powerful than any single layer, because an attacker who defeats one still has to defeat the rest. Build your security like a bank.
Some items to evaluate include:
- strong passwords combined with multi-factor authentication (MFA) for account access
- continually up-to-date software (all software must be vendor-supported and strong operational procedures must ensure you are fully patched)
- endpoint protection software (anti-virus, anti-malware)
- email security filtering (“spam filtering” and more)
- network security defenses (firewall, intrusion detection and prevention software)
- web content filtering and DNS filtering
- encryption of computing devices (mobile phones, PCs, servers)
- automatic screen lock, inactivity timeout settings
- backup and disaster recovery (are backups validated by actually restoring from them? are they kept offline or immutable and isolated from production, so that an attacker who controls your network and administrator accounts cannot encrypt or delete them?)
- simulated phishing tests
- managed threat response (SOC/SIEM service)
- security training for employees
- wire transfer authorization procedures (can a key employee be fooled by a fake email pretending to be from their boss?)
- other employee policies and procedures
- physical security
- cyber-liability insurance
This is not a complete list. It is intended to be a good place to start your assessment. You must contemplate the unique risks facing your firm. The most important thing is that you assess your risks on a routine basis and continually make progress mitigating them.
For example, if your assessment identified an old Windows 7 PC (out of vendor support since January 2020, so it no longer receives security patches) being used somewhere in your firm, that would need to be fixed immediately. Additionally, if you discovered that your firm was failing to use multi-factor authentication to protect Office 365 accounts, you would quickly fix that, too. That is because it is simple to enable the protection, it creates minimal impact to system users, and it massively reduces your risk profile: a stolen or phished password alone no longer gets the attacker in. These are examples of gross security problems that would require immediate action.
After you address the more basic items on the list, consider more advanced layers of protection such as a managed threat response (SOC/SIEM service). SOC stands for Security Operations Center and SIEM is Security Information and Event Management. Traditional signature-based antivirus software can only recognize threats that its vendor has already seen and written signatures for; a modified or brand-new sample slips past it. A managed threat response service instead watches the behavior of your systems (logins, processes, file activity, network connections) and the analysts at the Security Operations Center evaluate suspicious activity and respond around the clock to stop emerging threats where no automated defenses yet exist. A few years ago, this level of protection was only within the budget of Fortune 500 companies. But today, it is affordable enough that virtually every firm should have it. This is an example of why we must routinely review the risks and mitigation plan. We must continually respond to new threats and take advantage of new strategies and tools as they become available.
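To make the signature-versus-behavior point concrete, here is a small added example (not code from the original article or from any antivirus or SOC vendor). It first shows that a hash-based signature matches a known sample but not the same sample with a single byte appended, and then runs a simple behavioral rule, of the kind an endpoint detection or SOC analyst would use, over constructed file-activity telemetry: any process that renames a large number of documents to a non-document extension within a short window is flagged, regardless of what the binary looks like. The process names, file paths, timestamps and thresholds are all constructed for the demonstration and are not from the original page.

```python
"""Added example: signature matching versus behavioral ransomware detection.

All samples, process names and file events below are constructed for the
demonstration; nothing here is taken from a real malware family or product.
"""
import hashlib
import ntpath
from collections import defaultdict

# Constructed "known malware" sample and a trivially modified variant
# (one appended byte is enough to change its hash).
KNOWN_SAMPLE = b"MZ\x90\x00constructed-ransomware-sample"
MODIFIED_SAMPLE = KNOWN_SAMPLE + b"\x00"

# A signature database as a classic antivirus engine might keep it:
# hashes of samples the vendor has already seen.
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Hash-based signature check: true only for byte-identical known samples."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


# Document types we care about protecting (assumption for the example).
DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf"}


def is_document_rename(path: str) -> bool:
    """True when a document was renamed to a non-document extension,
    e.g. report.docx -> report.docx.locked (typical of encrypting ransomware)."""
    stem, new_ext = ntpath.splitext(path)
    _, old_ext = ntpath.splitext(stem)
    return old_ext.lower() in DOC_EXTS and new_ext.lower() not in DOC_EXTS


def ransomware_like_processes(events, window=60.0, threshold=20):
    """Behavioral rule: flag any process that renames at least `threshold`
    documents to a non-document extension within `window` seconds.

    `events` is an iterable of (timestamp_seconds, process, action, path).
    The rule knows nothing about the binary, so a repacked or never-seen
    sample is caught by what it does rather than by what it is.
    """
    rename_times = defaultdict(list)
    for ts, proc, action, path in events:
        if action == "rename" and is_document_rename(path):
            rename_times[proc].append(ts)

    flagged = set()
    for proc, times in rename_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(proc)
                break
    return flagged


def build_events():
    """Constructed telemetry: two benign workloads, one manual rename, one attack."""
    events = []
    # Benign: a word processor saving a few documents over several minutes.
    for i, t in enumerate((0, 95, 240)):
        events.append((t, "winword.exe", "write", f"C:\\Docs\\report{i}.docx"))
    # Benign: a backup agent touching many files, but never changing extensions.
    for i in range(50):
        events.append((300 + i, "backupagent.exe", "write", f"D:\\Backup\\file{i}.docx"))
    # Benign: a user manually renaming one document to .bak.
    events.append((400, "explorer.exe", "rename", "C:\\Docs\\old.docx.bak"))
    # Ransomware-like: an unknown process renaming 40 documents in 12 seconds.
    for i in range(40):
        events.append((600 + i * 0.3, "updater.exe", "rename", f"C:\\Docs\\file{i}.docx.locked"))
    return events


if __name__ == "__main__":
    print("known sample matches signature:   ", signature_match(KNOWN_SAMPLE))
    print("modified sample matches signature:", signature_match(MODIFIED_SAMPLE))
    print("processes flagged by behavior:    ", ransomware_like_processes(build_events()))
```

Running the block shows the signature check succeeding on the known sample and failing on the one-byte variant, while the behavioral rule flags only `updater.exe`; the backup agent, which writes far more files, is not flagged because it never changes a document's extension. Real EDR and SOC tooling uses many more signals than this (entropy of written data, shadow-copy deletion, credential access, unusual logins), but the principle is the same: watch behavior, not just file hashes.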
Take a moment to review your Information Security Plan. When is the last time you reviewed and updated it? If it has been over a year, schedule a review, and make sure the last item on the agenda is to schedule the next meeting. If you don’t have an Information Security Plan, schedule your first meeting. Managing security is a process and firm leadership must ensure it is a priority.