11 Actions to Protect Your Employer Against Rising Ransomware Attacks

               (StartupStockPhotos / pixabay)  

Cybercriminals are opportunists, exploiting major news events to take advantage of the unsuspecting. The COVID-19 pandemic has been no exception. Over the past few years, criminals have ransomed millions of dollars from businesses using increasingly foolproof hacking tools as well as social engineering and phishing schemes.

Financial Services Industry in the Crosshairs

Of particular concern, financial services and insurance institutions have experienced the largest rise in ransomware cons and phishing tactics. Using these schemes, hackers blocked access to data or threatened to publish private information unless the business paid the requested price, or they used information gleaned by phishing to launch a corporate cyberattack.

More than half of the incidents involved “misdelivery” attacks where a scammer fooled victims into disclosing sensitive information. Stolen credentials and credential “stuffing,” in which stolen info from one site is used to breach accounts on another site, were also prevalent.

5 Reasons for the Rise in Attacks

Several challenges facing businesses and corporations today were directly influenced by the COVID-19 pandemic. Those difficulties include:

• Flexible work environments stemming from isolation and quarantine orders.
• Mobile and personal network vulnerabilities created by telework, turning remote workers into easier targets. (Most at-home networks lack the security a business would have.)
• Unfamiliar conditions created by lockdowns, quarantines, isolation, and sick workers, causing harder-to-manage incidents for an IT security team navigating uncharted territory.
• Easily obtained, user-friendly hacking software and dark web ransomware services-for-hire that allow almost anyone to get in on the con, not just those with programming skills.
• Stress, uncertainty, and curiosity caused by the COVID-19 pandemic, creating opportunities for phishing and social engineering scams capitalizing on the public's fears.

How Bad Is It, Really?

The first half of 2020 saw a 72% rise in ransomware campaigns. Newspapers across Ohio in counties like Montgomery, Licking, and Columbiana reveal that ransomware attacks can hit close to home.

In their 2021 Data Breach Investigations Report, Verizon figured the median loss from nationwide ransomware attacks to be $11,150, with a range of $70 to $1.2 million. Although the Verizon data does not differentiate between individual and organizational victims, small organizations tended to lose small amounts, and larger organizations lost more substantial amounts from ransomware attacks.

Using a sampling of data on breaches for which they had cost information, Verizon simulated the potential costs of being hacked by ransomware. Including a 5% devaluation of the company after a publicly embarrassing data breach, the most common (95%) figures a company could stand to lose ranged from $800 to $650,000.

Don’t Fall Victim. Beware Common Snares.

Most attacks fall into one of three categories:

1. Business Email Compromise [BEC]
2. Computer Data Breach [CDB]
3. Ransomware attack.

Your company’s IT Security team is your go-to for any questions you have regarding the technology you are using, but there are some things you can do as well to ensure that a breach does not occur on your end. To avoid putting yourself or your organization at risk, watch out for these commonly used lures:

❖    “Updates” to consumer social media applications and enterprise collaboration software

❖    “Free” downloads for in-demand technology solutions such as video conferencing platforms

❖    Information regarding the purchase of hard-to-find COVID-related vaccines and supplies (disinfectant wipes, hand sanitizer, etc.)

❖    Offers of monetary government assistance (hackers have mimicked government agencies) 

If in doubt, play it safe and check with your IT team first. Be aware of their best-practices guidelines.

11 Tips to Protect Yourself and Your Organization

1. BACK-UP YOUR DATA often, securing it by encryption or password protection.
2. Consider ways to create an additional copy of data sets and critical servers filed offline or in a way that computer hackers can’t access. This might include the 3-2-1 method in which three copies of data are stored in different locations, using at least two different types of mediums, and having at least one copy off-site.
3. Do not reuse the same passwords. Use a password manager, instead, to store long, unique passwords.
4. Promptly install system software updates per your IT department’s instructions.
5. Treat misspellings and poor grammar as suspicious and untrustworthy.
6. Ensure any employees that report to you are aware of what to do, what not to do, and common snares.
7. Enable two-factor authentication on email, work sites, and social networks.
8. If applicable, enable a Virtual Private Network before accessing sites containing sensitive information.
9. Consider a stricter ‘safelisting’ of programs essential to business operations.
10. Heighten the configuration of email phishing controls, which could include flagging any emails external to the organization.
11. Emphasize a “no blame” culture that encourages employees to report incidents they feel could have posed a security risk.

What to Do if a Breach Occurs

Having a set of instructions to follow in case a breach occurs is a great way to establish emergency preparedness within your organization. If no procedure currently exists, work with your employer or IT department to create one.

Next, educate employees on the necessary steps to take and how to access the list of contacts and procedures to ensure that precious time is not lost if someone discovers that the organization's network was compromised.

Your company’s hacking emergency “playbook” will be specific to your organization’s setup and requirements. Make sure you and your department know your roles and responsibilities in the security plan.

However your organization chooses to establish the emergency plan, make sure you and your accounting department know your roles and the appropriate points of contact.

Stay up-to-date on current events influencing the accounting profession, including cybersecurity, by enrolling in our on-demand, free CPE courses for Ohio accountants.