Basic Cybersecurity Hygiene Tips Are Ransomware Vaccine


By Daniel R. Stoller

Companies that follow basic cybersecurity hygiene are likely to avoid the ravages of global ransomware attacks such as the one that crippled thousands of computer systems June 27, cybersecurity pros told Bloomberg BNA.

The global ransomware attack struck at the core of major organizations, such as shipping magnate A.P. Moller-Maersk A/S, large law firm DLA Piper, and pharmaceutical giant Merck & Co. Inc. Companies in Russia and Ukraine were hit the hardest, but the impact from the massive hacking attack has been felt around the world.

Some companies that were hit told their employees to not use internal information technology systems and shut down email. Although that may be one way to halt the cyberattack’s spread, companies can take other steps to maintain business continuity and help lessen the impact of any future attack, the pros said.

There is no “silver bullet” to stop or mitigate these kinds of cyberattacks, but companies should follow general cybersecurity procedures to minimize their impact, Gordon MacKay, executive vice president and chief technology officer at cybersecurity company Digital Defense Inc. in San Antonio, told Bloomberg BNA June 28.

Companies “should make patching their systems a priority”—even if it causes some server downtime, he said. They should also institute security awareness training for employees at all levels, engage in a vulnerability management program, and implement an incident response program that includes ransomware scenarios, he said.

Although the ransomware attack has only netted about $10,000 in bitcoin ransom, the overall return on investment of the ransomware business model may lead to more attacks, the cybersecurity pros said.

David Dufour, senior director of security architecture at cybersecurity company Webroot in Broomfield, Colo., told Bloomberg BNA June 28 that ransomware attacks aren’t going away anytime soon because they are “an awesome business model” for hackers. There will possibly be future attacks, and cybercriminals have “almost no risk of getting caught,” he said.

Basic Protections

Although some cybersecurity procedures seem basic, many companies around the world don’t implement them due to concerns about business continuity and the costs of updating legacy information technology systems, MacKay said. Companies that take the time to patch their systems and make sure their cybersecurity procedures are up-to-date will be in a better position in the event of another global ransomware strike, he said.

David London, senior director of cybersecurity risk management at consulting company The Chertoff Group in McLean, Va., told Bloomberg BNA June 28 that companies must employ good governance and risk management strategies, such as understanding where the “most critical assets and processes are” located and “how vulnerable they may be” to cyberattacks.

Also, companies that readily participate in public-private cyberthreat information sharing programs or private-sector groups will be able to “look to trusted practitioners in the field” for advice and guidance on how to mitigate an attack, he said.

If they haven’t already, companies should employ Microsoft Corp.'s security patch, released in March, London said. If companies had used the patch early on, the recent ransomware strike’s effects “would have been much more contained,” he said.

But not every company or organization can employ all the necessary security patches as soon as they are released. For example, London said, some companies “sit on top of legacy infrastructure, and introducing a new patch could have far reaching disruptive impacts on enterprise functions.” Mature companies supporting critical infrastructure, such as those in the banking, manufacturing, or telecommunication sectors, “want to test and understand the potential impact of the patches” so critical systems aren’t disrupted, he said.

Security patch fatigue may also be an issue. Some organizations can be “overwhelmed” by mounting vulnerabilities and security alerts, London said. Although most companies should prioritize updating their systems, they also have to deal with a “large stack of other severe vulnerabilities,” he said.

Offline Data Backups

Another critical step toward mitigating a ransomware attack’s impact is backing up important databases and sensitive information, the cybersecurity pros said.

Although backup protection may seem “mundane and boring,” it will greatly help mitigate cybersecurity risks, Dufour said. The “typical risk management procedures” of implementing offline backups, updating computer operating systems, and eliminating outdated operating systems are worth the investment, he said.

London said simply backing up systems without segmenting backup copies might not adequately protect company data in the event of an attack. The June 27 ransomware strains appear “relatively automated and self spreading looking for additional avenues for infection,” he said. If a company doesn’t segregate company file sharing systems or backups, the “data can be locked up from the ransomware just as well,” London said.

Companies also need plans to get servers and data centers back up and running in the event of a ransomware attack, Dufour said. At some point, it may be beneficial to wipe the infected servers, but companies should “wait a couple of days” to see if cybersecurity researchers or internal teams “can reverse engineer an encryption algorithm,” he said.

Cybersecurity pros were able to find a work-around for the previous WannaCry ransomware attack in May that infected more than 300,000 computers worldwide, Dufour said. That fix wouldn’t have helped if infected computers had already been cleaned, he said.

Having a good cybersecurity insurance policy will be helpful to companies when faced with a ransomware attack, Dufour said. Getting the business back up and running might be costly, but having a good cybersecurity insurance policy that covers ransomware attacks and other incidents can help lower the amount of out-of-pocket expenses a company would have to shell out, he said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dStoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
