Hey John, I believe we are hacked, can you come over quickly!


A call many IT Partners, Managed Service Providers and internal IT Departments would love to avoid. Ransomware is every Business Owner or Director's nightmare! What can we do?


If your business experiences a ransomware attack, as a business owner or director you have only two options for recovery: pay the ransom, or go back to your last known good backup. Paying the ransom does not guarantee that your systems will not get encrypted again. Sophos, a global leader in ‘End Point’ and Cybersecurity solutions, claims in its ‘Sophos State of the Art Ransomware Report 2021’ that on average only 65% of the encrypted data was restored after the ransom was paid. In Australia, the Australian Cyber Security Centre (ACSC) 2020-21 report shares that Australia experienced a 13% increase in cybercrime, which is roughly 67500 cases reported. So, before investigating a solution, Business Owners, Directors, and Managers of business units need to recognise that a security breach around ransomware (or data loss) is no longer an IT challenge; it is a business-wide challenge, and at the end of the day it impacts you personally, as the ransom that you pay comes out of the profit that could have been distributed for your hard work.

Robert Half, a specialist recruiter, claims in its independent survey that, post COVID lockdown, 79% of Australian business leaders say a hybrid mix of employees working remotely and in-office is now a permanent fixture of the employment market.


Nicole Gorton, Director of Robert Half Australia, says that “For employees, a key benefit is the ability to manage their professional and personal commitments more easily. For employers, hybrid arrangements give them agility in a shifting marketplace and access to a wider pool of candidates”. Unfortunately for you as a business owner or director, you now have a fiduciary responsibility towards the good health of the business: to protect it, and then the team, suppliers, and partners who rely on your ecosystem. That is not easy any more, with your team needing access to the company data from “anywhere, anyplace from any device”.

With the acceptance of a hybrid environment, where some of the business data is ‘on premise’ and the rest is in the cloud, the protection of the data is a significant challenge for the organisation's IT Department, in-sourced or out-sourced. Gone are the days when your team used only the desktop or laptop provided to them by the company for work; it was easy then. All IT had to do was protect the End Point after the Router with a business-grade Firewall, install Antivirus and a Spam filter at the desktop, and introduce 2FA (Two Factor Authentication) complemented with VPN (Virtual Private Network) access back to the Office. Their job was done.

The access game has changed. According to the Australian Communication and Media Authority (ACMA), today we use an average of 4.4 types of different devices. While watching Netflix, your team can now access their Office 365, the CRM or the Accounting platform in the cloud using the split screen function on their Smart TV, respond to an email, or do a ‘Teams Call’ using their Smartphone, Tablet, or Smart Watch. Some of our homes today have smart assistants like Google Home or Alexa to make our lives easy. The challenge is that, as easy as it is for us, the hackers or the smart actors out there can gain access and control them just as easily. If an IT Person does the install, just the way they are wired, they will change the credentials. As a non-IT Person you are not wired like that (no disrespect to non-IT persons), so you will possibly do the quick install and be very proud of yourself that you got it done without anyone helping you!

I hope you now get the picture: as the caretakers of the business, the Directors' challenge is to constantly educate the Team, and to work with IT to introduce the right procedures and tools to protect the business data. The next phase of the growth of your business can happen if your team have access to the current data about your products, customers, prospects and competitors that is held in various data silos in your organisation. If this data is encrypted or lost, it will be the end of the game for your business.

So, the challenge for you as a Business Owner or a Director is how to mitigate or avoid a breach. The avoidance of a breach will be a sheer impossibility. According to the ACSC 2021 Threat Report, Business email compromise (BEC) continues to present a major threat. In the 2020–21 financial year, the average loss per successful event increased to more than $50,600 (AUD) – over one-and-a-half times higher than the previous financial year. The same report claims that self-reported losses from Cybercrime were more than $33 billion. So, as the guardians of the business entity, your recommendation should be to focus on the ‘triangle of mitigation’: the People, Procedures, and Tools (PPT). They are interlinked, with no priority of one over the other.


In an interconnected, flexible work environment, Verizon, one of the largest communication and technology companies in the world, says that there are four key paths leading to your business: Phishing, Exploiting vulnerabilities, Botnets, and Credentials. As our data silos are everywhere, this writer's first recommendation is Multifactor Authentication (MFA), as MFA provides more layers than 2FA (two-factor authentication). Even if a password and the 2nd authentication are compromised, it is extremely unlikely that a hacker or bad actor has the 3rd or the 4th authentication factor. When MFA is supported by tools such as Okta or ForgeRock, your organisation will have completed its access layer security, as these tools let the organisation verify users' identity when they sign in, which makes it less likely that someone pretending to be the user can gain access. Then follow all the other technology tools such as business-grade Firewalls, Sandboxes, Antivirus, Antispam, and VPN. Ensuring that your devices are protected with an encryption software piece such as LastPass, BitLocker, VeraCrypt, FileVault, DiskCryptor or AxCrypt will then give you that added level of comfort (always engage your MSP/ICT Service Provider, as they know best). Having the right technology stack to proactively monitor and manage your network, with solid End Point Detection, Management, and Response tools, will help with your mitigation strategy. Getting this stack internally might be a major capital investment for an SMB, so check with your Managed Service Provider whether they can provide you with an outsourced Security Operations Centre, leveraging platforms from vendors such as Sophos, Barracuda and Red Piranha, where people and technology monitor your environment for any anomalies 24 x 7.

Irrespective of the size of the business, the internal procedures are what help to save a business. Enterprises can have dedicated people managing IT compliance and procedures; unfortunately, Small to Medium businesses tend to be a bit complacent about IT procedures, or believe that they are too small to be hacked. In most breaches, it is a big net that the attackers cast. The best approach is to leverage your Managed Services Partner (MSP) to harden your network. Ask your MSP/IT Partner to explain how all users, inside and outside, can be authenticated, authorised, and continuously validated with a framework called ‘Zero-Trust’. It is not a sledgehammer; it is just being prudent in looking after what is yours. So, let’s review the common types of ‘Data Threats’ in a business, and what you can do by introducing flexible and robust procedures and tools that can save a lot of pain later.

Malware is a blanket term for malicious software including viruses, spyware, trojans, and worms.


The bad actors who create Malware can be anywhere in the world. A great start would be to stay alert to the threats and have up-to-date tools supported by good procedures: regular updates of your software stack, including the operating system; a policy to validate all incoming emails; checking any USB Disk Drives or Thumb Drives that get connected to any company device with the Antivirus and Spam tools on the device; and a cyber awareness policy and procedure that all employees sign up to, supported with cyber education.

Your business must have the right procedures in place to mitigate a Phishing attack.


A phishing attack consists of suspect emails, text messages, weblinks, or phone calls designed to trick recipients out of money or out of credentials to your network or the bank. Criminals will often use email, social media, phone calls, or text messages to try to scam businesses. Remember, when it is a phishing attack, most of these criminals have done some background checks on you and your organisation; they pretend to be individuals or organisations you think you know or think you should trust. Their messages and calls attempt to trick individuals into performing specific actions. A case I recall very clearly is a business in construction, where the accountant received a request from the managing director's email to make a payment to a supplier, with an invoice attached. He paid, as it was normal practice in their type of business. So, the procedure should be that before any supplier is paid, a supplier partner engagement form is completed and a verification email is sent to the partner business with their banking details, requesting verification; only once that verification is received may the payment be made. For any change to banking details, a Director of the said supplier partner company must authorise the change (as we know, there are many cases where employees have transferred funds to their own accounts). It is always the simple procedures that will save your brand, relationships, and reputation.

Another common type of cyberattack is Ransomware, which works by locking up or encrypting your data files or the entire computer so that you can no longer use or access them.

When there are no correct governance procedures for your team, the tendency in idle time is to go for a ‘walk about on the net’, thereby bringing bad actors to your network. The team member could genuinely believe that they are accessing an authentic site when they have gone to a phishing site. The downloaded document, free software, or ZIP File could have a ride-along executable carrying ransomware. This will reside in your network for hundreds of days and collect data including key logs, passwords, your IP and financials, then encrypt your computers or servers at a time suitable for these bad actors, who then request the ransom. As these bad actors have all your financials, including the insurance details, you would not have much negotiating power. Unless you have the right procedures written down, your team constantly educated and, most importantly, a good solid Offsite Backup, a ransomware hack is an inevitable challenge for your business.


Your cyber hygiene procedures should be documented, reviewed, and tested to mitigate a ransomware breach. Ensure that your IT Services Team has the right tools in place to automatically update the operating systems on all the devices that are connected to the network, and that as a minimum you have adopted two-factor authentication (2FA) and, where funding is available, multifactor authentication (MFA). Have a procedure to conduct regular audits and secure your devices (on premise, off-site and cloud-based servers, desktops, laptops, tablets, smartphones), any internet-exposed services on your network (Remote Desktop, File Shares, Webmail), and finally any Web Assets like your website, eCommerce site or online helpdesk that have forms or attachments; ensure these regular audits can scan for any vulnerabilities proactively. Lastly, in the event of a ransomware breach, according to the Australian Cyber Security Centre (ACSC), your final fall-back is a good backup. So your 3:2:1 backup strategy must be documented, automated, and tested regularly. Your business should have 3 x Copies of your data (production copy, 2 x backup copies), on two separate media, and 1 x Off-site for disaster recovery. If your business likes to maintain a local copy, then investigate “Immutable Storage”; vendors such as Arcserve, Quantum and Wasabi have these solutions at SMB price points today. With the advancement of internet capacity, many good data protection companies can hold an Off-site Backup and also provision that copy as Disaster Recovery as a Service (DRaaS); if you do subscribe to a DRaaS service, please ensure that you test it at least bi-annually. Ensure that your IT Department has a different set of credentials to the network credentials for these backups and that the backup is in a hidden share. Remember, if you make it easy for you, you are also making it easy for Bad Actors.
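The 3:2:1 rule and the backup-credential advice above can be checked mechanically against a backup inventory. The following Python sketch is an added example, not part of the original article; the inventory fields, the sample entries and the 183-day restore-test window (reading "bi-annually" as twice a year) are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Copy:
    name: str
    role: str        # "production" or "backup"
    media: str       # e.g. "san", "nas", "object-storage"
    offsite: bool
    immutable: bool
    credential: str  # account used to write this copy
    last_restore_test: Optional[date] = None

MAX_TEST_AGE_DAYS = 183  # assumption: "bi-annually" read as twice a year

def audit_321(copies, network_credential, today):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    backups = [c for c in copies if c.role == "backup"]
    if len(copies) < 3 or len(backups) < 2:
        findings.append("need 3 copies: production plus 2 backups")
    if len({c.media for c in copies}) < 2:
        findings.append("copies must sit on at least 2 separate media")
    if not any(c.offsite for c in backups):
        findings.append("no off-site backup for disaster recovery")
    for c in backups:
        if c.credential == network_credential:
            findings.append(f"{c.name}: backup uses the network credentials")
        # Assumption: a local backup without immutability is flagged for review.
        if not c.offsite and not c.immutable:
            findings.append(f"{c.name}: local backup is not on immutable storage")
        t = c.last_restore_test
        if t is None or (today - t).days > MAX_TEST_AGE_DAYS:
            findings.append(f"{c.name}: restore test is overdue")
    return findings

# Constructed sample inventory (not real systems).
SAMPLE = [
    Copy("file-server", "production", "san", False, False, "corp-domain"),
    Copy("local-nas", "backup", "nas", False, False, "corp-domain", date(2022, 1, 10)),
    Copy("cloud-vault", "backup", "object-storage", True, True, "backup-svc", date(2021, 3, 1)),
]

if __name__ == "__main__":
    for finding in audit_321(SAMPLE, "corp-domain", date(2022, 3, 1)):
        print("FAIL:", finding)
```

On the constructed inventory this reports the shared credentials and missing immutability on the local copy, and the overdue restore test on the off-site copy.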

People are the key to the success of a great cybersecurity awareness program. Educate them!

In the IBM Reputational IT Risk Report, “The biggest business risk for us and most companies is a data breach or system failure,” says Patricia Titus, Chief Information Security Officer of Freddie Mac. “But the biggest challenge is the potential for human error.” “We can secure the doors, we can button down the system, we can put on behaviour and insider threat detection and employ counterintelligence,” says Titus. “But we also have to remember how vulnerable an entire system can be to one person making a mistake.”

As a business owner, protecting your business is not only about new entrants and competitors; it must also include being aware of the security of your data. It can be overwhelming today, when Cyber breaches and Ransomware can be acquired as a Service and even the most thought-out ‘data protection strategy’, supported with an adequate cyber security insurance policy, cannot provide a guaranteed outcome against an attack. So, the key to data protection success is the education of the Team, supported by good governance and procedures and complemented with tools that are AI based, with the right security stack proactively managed and interpreted by humans.

So, in summary, the important thing is to work with your IT Department, IT Partner or MSP Partner (don’t have someone? Please connect with me and ask for an introduction). Ensure that anyone who accesses your organisation's data silos is Multi Factor Authenticated; make it mandatory for your team to be security aware (by providing them with training); ask your IT Team and the MSP Partner if they are following the ACSC Essential 8 Guidelines; develop a Cyber breach action plan (this should be driven by the Business, don’t make it ‘IT Driven’, as they have enough on their plate); and confirm that your IT Department or the MSP Partner has business-grade Firewall, Antivirus, Antispam and Extended Detection and Response tools enabled to mitigate and protect your environment. Finally and most importantly, enforce the 3:2:1 Backup Policy (possibly with immutable storage) and ask your IT to simulate ‘Disaster Recovery as a Service’ at least biannually. Then protect your commercial impact with a solid ‘Cyber Insurance Policy’.

Need an introduction to a solid tool set supported by a reputable cybersecurity vendor partner? Connect with me via LinkedIn; let’s have a no-obligation chat.



Shamal Tennakoon (MBA, B Com, and SCRUM Master) is a Business Strategist and a Technology Advisor. A specialist in developing simple and effective strategies for business growth and passionate about data protection for growth-centric businesses.
