How to protect your business against ransomware
The good thing about methods of protecting yourself against ransomware is that they also work against other malware and other types of attack.
Tip 1: Ensure the organization has the right knowledge and culture
Because antivirus systems and firewalls are routinely updated and block regular mass attacks, the crooks are forced to find new, clever paths. A rapidly spreading phenomenon is attacks directed at individuals. By searching Facebook, LinkedIn or other social channels, the attackers find information about people and their networks. Then they send e-mails to the victims, who feel safe because of the personal character of the information.
The consequence of this is that businesses must establish a culture with sufficient knowledge of this type of approach, and therefore be extra attentive towards what might happen. A vigilant mindset towards e-mail and memory sticks must be part of such a culture. Firstly, not all e-mails should be opened. Secondly, not all attachments should be opened. Thirdly, do not reply to everything. And do not insert any unknown memory stick into the computer!
Tip 2: Establish routines for handling attacks and ensure that everybody knows them
Some people take the chance of opening an e-mail because they do not want to be a nuisance or expose their “stupidity”. Clearly not a good idea. People need to know who to contact, and that they will be met in a friendly and professional manner.
If something occurs, the notification procedures must be crystal clear, the distribution of responsibility indisputable and the measures immediate. The organization must have monitoring equipment and keep control of it, including making sure that someone subscribes to security updates.
Part of the contingency is practicing. Practice may be done at different levels: from within the IT department to the entire organization.
Tip 3: Have a backup and make sure it works
You have heard this advice before: backup. But if your backup is reasonably new, and you have restore processes that work, you will be relatively fine even if you are affected by ransomware.
You cannot back up database-based systems (CRM, ERP, financial systems etc.) while they are running. Such systems must therefore be set to back up their own data, and then you back up these backups. No backup is safe until you have tested that it can be used (restored). Cloud backups may be good, but remember that transferring large amounts of data can take quite some time.
Block access to the backup server for all types of users except the backup software itself. This way you prevent the infection from destroying the backup.
Tip 4: Segment networks and rights
This entails ensuring that different employees have read or write access only to the specific areas of a server that they need. If they are affected by ransomware, it will only affect these areas.
Furthermore, the user should not be allowed to install any software or run software as administrator. This way any infection will be limited to the areas that the user has access to, and cannot easily take over the entire computer.
Tip 5: Ensure that all software is up to date
This applies to both clients and servers. Flash and Java are two vulnerable systems where most of the infections occur today. Outdated software may have security holes that the crooks can force their way through.
Tip 6: Limit what programs the users can run
Most people currently run antivirus software, but antivirus can only stop known malware. Every day there are new variants that the antivirus cannot recognize, since the attackers change the malware and test it against common antivirus products right before they send it out.
Whitelisting is the opposite tactic: Instead of, or in addition to, maintaining a list of programs you do not want to run, you maintain a list of software you actually want. Ransomware is not on that list, and will therefore not be run.
Whitelisting has proven difficult in practice, but is now becoming easier to use. It is the most efficient technique against ransomware.
Tip 7: Have an updated firewall
The firewall prevents outside users from accessing the local network. Classic firewalls block entrances. But some ports, such as port 80 (normally www/http), must usually be open, and a classic firewall will therefore not stop attacks via this port. More advanced firewalls therefore monitor content coming through the ports. In any case there is less risk in using a computer behind a firewall than in front of it.
Tip 8: Use intrusion detection systems (IDS)
Intrusion detection systems monitor the network traffic. If the system detects a computer that starts to send out large amounts of data or contacts servers it does not usually use, this is an early indication of infection that can be used for blocking the computer and protecting others.
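
The two signals described above (unusual outbound volume and contact with servers a computer does not usually use) can be checked against a per-host baseline. The following is an added example, not part of the original article and not taken from any IDS product; the flow records, host names, addresses, the 5x threshold and the function names are all constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records: (day, source host, destination, bytes sent out).
BASELINE = [
    ("mon", "pc-01", "192.0.2.10", 40_000),
    ("mon", "pc-01", "192.0.2.20", 10_000),
    ("tue", "pc-01", "192.0.2.10", 60_000),
    ("mon", "pc-02", "192.0.2.10", 30_000),
    ("tue", "pc-02", "192.0.2.20", 35_000),
]
TODAY = [
    ("wed", "pc-01", "192.0.2.10", 55_000),
    ("wed", "pc-02", "192.0.2.10", 20_000),
    ("wed", "pc-02", "203.0.113.99", 900_000),
]

def build_baseline(flows):
    """Per host: destinations seen before and the highest daily outbound total."""
    dests, daily = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        dests[src].add(dst)
        daily[src][day] += nbytes
    peak = {src: max(days.values()) for src, days in daily.items()}
    return dests, peak

def detect(flows, dests, peak, volume_factor=5):
    """Return {host: [reasons]} for hosts deviating from their own baseline."""
    sent, new = defaultdict(int), defaultdict(set)
    for _day, src, dst, nbytes in flows:
        sent[src] += nbytes
        if dst not in dests.get(src, ()):
            new[src].add(dst)  # server this host has not contacted before
    alerts = {}
    for src, total in sent.items():
        reasons = []
        if src not in peak:
            reasons.append("no baseline for this host")
        elif total > volume_factor * peak[src]:
            reasons.append(f"sent {total} bytes, over {volume_factor}x peak {peak[src]}")
        if new[src]:
            reasons.append("new destinations: " + ", ".join(sorted(new[src])))
        if reasons:
            alerts[src] = reasons
    return alerts

if __name__ == "__main__":
    for host, reasons in detect(TODAY, *build_baseline(BASELINE)).items():
        print(host, "->", "; ".join(reasons))
```

A host flagged this way is a candidate for the blocking step mentioned above; a host with no baseline at all is reported rather than silently ignored.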