Protecting your data from ransomware attacks is becoming increasingly important and increasingly difficult. Author Kelly Sheridan, Associate Editor of Dark Reading breaks down the statistics and how you can protect your company.
Half of ransomware victims are likely to get hit again as threat actors change their strategies to target servers and accelerate the spread of ransomware.
Half of ransomware victims have been hit with attacks multiple times. Most (82%) of organizations believe ransomware attacks are on the rise.
These findings come from security firm Druva, which surveyed 832 IT pros across the globe to learn about their current responses to, and predictions for, ransomware attacks. Its Annual Ransomware Report shows this threat is evolving faster than businesses can keep up.
It's worth noting this data was consistent across businesses of all sizes and all are struggling with the same issues. Half of organizations surveyed had more than 1,000 employees, 31% had 1,000-10,000 employees, and 19% had more than 10,000 employees.
It's getting harder to prepare for attacks as threat actors adopt more advanced tactics. This week's global ransomware outbreak, the second of its scale in the last two months, has proven more professional and harder to stop than the WannaCry attack in May.
"What we see is, a lot of businesses are caught in the headlights," says Dave Packer, Druva VP of corporate and product marketing, who led the research for Druva's report. "Their ability to reach and build out proper protection infrastructure is being compromised by rapid morphing of ransomware attacks."
It's critical for IT teams to detect potential attacks as quickly as possible, yet researchers found about 40% of the time, more than two hours pass before IT becomes aware of the problem.
Sometimes this is because the ransomware was delivered through the mistake of an end user, who may be reluctant to notify IT. Other malware operates on a time-release basis, meaning it spreads among devices without encrypting data or causing other issues to attract attention.
The latter type lays latent for two to three weeks, says Packer, and in that time it collects information about how the system works. It attacks after it has made minor system tweaks to ensure it has the largest impact, and businesses don't know when the initial infection appeared.
The speed and spread of ransomware
Once it finds an entry point, ransomware moves quickly. One infected machine can sync to a shared file server or cloud application, driving the spread of malware to all devices connected to that share. Respondents said 70% of ransomware attacks affected multiple devices.
Packer says it's worth noting 33% of ransomware attacks hit corporate servers, which are becoming popular targets as they become more critical to operations. Experts anticipate servers will continue to be targets if they aren't regularly patched.
The cloud is susceptible to ransomware, he explains, because of the way it's architected. Organizations are most vulnerable to ransomware when they take their on-premise models and move them to the cloud. Native cloud models are less likely to experience ransomware attacks.
Many opinions about breaches and technology failures are actually myths, obscuring a clear path to increased security and better risk management. Debunking these myths is essential to improve security and begin the process of effective threat hunting.
Brought to you by FireMon
"In the news, we don't see as much coverage of server-side [ransomware] as endpoint-side, but this is a problem," Packer continues. It creates a mess for businesses, he says, because recovery has to be well thought-out; it's not as simple as recovering an end-user device.
What can be done?
Most (82%) of respondents rely on backup data to recover from ransomware attacks and get their businesses back up and running. This is more reliable than paying ransoms, which only 5% of respondents report doing. Many victims who pay a ransom don't actually receive their data back, or receive a demand for a second ransom.
"From our perspective, businesses should start looking at the cloud for secondary copies of data," says Packer. There is "no easy frontline solution" to ransomware. While malware detection is useful and solves a big part of the problem, many systems aren't prepared for the rapid changes in ransomware attacks.
Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio
You can lock every door in your house but if you leave the garage door open, or a window ajar thieves can rob you blind. Passwords are much the same; If they are not unique and at least a little complicated they just won’t work. Here are several techniques I put together with a little web research:
Try a Nursery Rhyme?
One method to come up with a complex password that will pass every IT security policy, even those with 15 character passwords is the nursery rhyme technique.
How does this work? Start with a memorable nursery rhyme, capitalize the first letter of each sentence, replace certain letters with numbers, and follow that up with an exclamation point or some other symbol at the end. For example, take the nursery rhyme Little Boy Blue, which goes like this:
“Little boy blue, come blow your horn. The sheep’s in the meadow. The cow’s in the corn.”
First drop everything but the first letter of each word: LbbcbyhTsitmTcitc. Now transform that replacing any “s” with “5” and any “L” with a 1 or a 7. Now we have: 7bbcbyhT5itmTcintc. Throw in a special character or two and every security geek will be proud of you: “7bbcbyhT5itmTcitc!
That’s a 19 character password that includes numbers, uppercase letters, lowercase letters, and special characters.
How About Word Combinations?
Correct Horse Battery Staple.
We’re often tempted to throw in a bunch of zeros for “O’s” and ones for “L’s” in our passwords or even add an incrementing number but the truth is these measures barely rankle hackers. Instead try using a gibberish phrase like “correct horse battery staple.” It’s long and sneaky, contains at least one special character and is strangely easy to remember.
DON’T use this example though, I am pretty sure it has worked its way into the hackers encyclopedia of passwords.
Are You A People Person?
Try the PAO Method (Place – Person – Action – Object)
This theory was put forth by Carnegie Mellon University computer scientists who suggest using the Person-Action-Object (PAO) method to create and store your unbreakable passwords.
Select an image of an interesting place (Mount Rushmore). Select a photo of a familiar or famous person (Beyonce). Imagine some random action along with a random object (Beyonce driving a Jello mold at Mount Rushmore).
The PAO method of memorization has cognitive advantages; our brains remember better with visual, shared cues and with outlandish, unusual scenarios. Once you create and memorize several PAO stories, you can use the stories to generate passwords.
For example, you can take the first three letters from “driving” and “Jello” to create “driJel.” Do the same for three other stories, combine your made-up words together, and you’ll have an 18-character password that’ll appear completely random to others yet familiar to you.
Don’t Assume, Put It To The Test
Got a great password that you love to use? Perhaps it is fairly complex and easy to remember? Want to make sure that you aren’t leaving the window wide open on your data? Run your password through an online password checker like the one at http://password-checker.online-domain-tools.com/.
Running a small business comes with many successes and challenges. Most small business owners not only have to worry about running their business, they have to concern themselves with their IT issues as well. They may find that they know just enough about technology to justify saving money by maintaining their networks and other technology needs themselves, often to be caught off-guard when a problem comes along that they are unable to fix and forcing them to hire a tech to come in after the issue has spiraled out of control. Fortunately, there is a solution – hiring an IT consultant to handle your technology needs for you. Here are some benefits that you will enjoy when working with an IT consultant:
More time to focus on doing what you love
Whether you enjoy fishing, participating in charity events, or being an active part of your business, hiring an IT consultant can give you more time to focus on doing the things that make you happiest. Figuring out your own technical problems is distracting and takes you away from what you’re really good at. IT consultants give you and your employees that time back by taking over things like researching new solutions, implementing technology, and fixing any IT problems.
Gain more efficiency
You may think you are saving money by handling your technology yourself, however with lack of experience comes lack of efficiency, costing you more money in the long run. Hiring an IT consultant gives you access to better, faster, and cost-efficient technology solutions and services, which in turn saves you the time and money you would normally spend on fixing your IT issues yourself. A skilled IT consultant can implement new technology solutions with greater speed and efficiency than a non-experienced person would be able to and reduce the risks of technology failure by doing it right the first time.
Save money and control operating expenses
Want to know exactly how much you are going to need to budget for technology expenses each month? Many IT consultants offer a flat rate fee, sending you a consistent monthly bill for the services they provide under your Service Level Agreement. Need flexibility? Look into an IT Consultant offering On-Demand, as needed support. You’ll reduce technology spending by up to 50% and will no longer have to worry about recruiting, training, turnover, and paying benefits such as vacation, sick time, and holidays for an extra employee.
Access highly specialized talent
IT is a rapidly changing industry. It requires a multitude of technical knowledge to understand even the basics. By hiring an IT consultant, you won’t have the added expense of constantly training an in-house IT person in order to stay up-to-date with current technology. You’ll have access to a wealth of knowledge from a team of consultants to provide you with more support than you can expect from one employee.
Increase on-demand flexibility
As a business owner, you know far too well how quickly your business can change. You may have to hire more people during a busy season and reduce staff during slower seasons. Keeping up with the technology to do that is cumbersome at best and can create a huge HR problem if unplanned. With an IT consultant, you’ll have the flexibility to scale your technology up or down as your business needs require and you’ll only have to pay for what you are actively using.
Communication is critical in the productivity of your business. Improved communication can lead to greater collaboration and knowledge sharing, supporting employee innovation. By hiring an IT consultant to plan, implement, and maintain your technology, you’re improving your communication across a multitude of platforms including file sharing, wireless connectivity, mobile platforms, and email exchange, resulting in fewer misunderstandings and greater productivity amongst your employees.
When your business is down, you’re losing money. Even just a few minutes can cost your business hundreds or thousands of dollars. Think about it; you’re paying employees, service technicians, and possibly losing business while everyone waits to get back up and running. IT consultants make sure that your downtime is at the absolute minimum. They can’t guarantee that you won’t experience ANY downtime, but they can make sure you experience less of it and see more up-time.
Gain a competitive edge
By utilizing an IT consultant, your business immediately gains a competitive edge in your marketplace. They’ll provide you with the latest technology and provide ongoing training and real-world experience to educate you on what is and is not worth investing in. You’ll be able to make rapid moves if necessary to get you back into the market quickly.
Hire better employees
You know what they say: people don’t leave companies, they leave people. While hiring an IT consultant can’t improve your people, it can reduce the stress they feel by having to manage their technology themselves. Employees want technology hardware and software that works and helps them to excel in their positions. When your employees have to face excessive downtime due to ineffective technology, there’s more time for them to find fault in the people around them.
Access to hard to get support
Without an IT consultant, it’s nearly impossible to get top of the line support from a manufacturers customer support line. Software manufacturers rarely give individual end-user support to businesses seeking it out. If they DO provide support, it’s usually very minimal and may be unreliable. IT consultants, however, can give you access to thousands of technology vendors including Microsoft and Cisco, oftentimes with priority access.
As you can see, there are many advantages of having an IT consultant for your business, regardless of its size or industry. If you aren’t currently utilizing one, you’re missing out on all the benefits that an outsourced IT department can provide.