Some of those reading this will become the victims of a particularly damaging form of ransomware attack. And it could happen tomorrow.
Why do practices fail to put in place the proper defences needed to protect themselves? There are 2 simple reasons. Both arise from misconceptions.
The first misconception is that you are not a target for cyber criminals. Well, regardless of your size or location, you are. Attacks are orchestrated by organised criminal gangs, using automated and sophisticated techniques. Your firm might not have been singled out to start with, but once a vulnerability is found, once an access route into your systems is discovered, more focussed attention and attacks follow.
The second misconception, is the assumption that your external IT support is qualified to look after your cybersecurity. In almost every case they are not. And that’s not having a go at your IT providers. IT support is trained to set things up for ease of access and productivity. Not security or cyber risk management. Cybersecurity is a very different discipline to generalist IT support. Plus it covers much more than just technology. You would not want your GP to carry out your heart surgery.
All too often, new clients come to us in a state of panic, after suffering a breach. Which means we see the types of attack which are taking place right now.
Ransomware attacks in 2020
Ransomware is a type of malicious software which encrypts your data. In other words, it scrambles everything, so it is impossible to access any information. The criminals then demand a ransom, promising in return to provide you with the key to decrypt or unscramble it all. Currently the going rate starts at $50,000 for the smallest firms, rising sharply into hundreds of thousands for larger firms.
We have found that very few practices have set up their backup systems correctly to enable them to restore everything, either within a few days or ever. Usually the technical configuration of the back up is wrong. Often the back ups end up as copies of the corrupted versions of the data. At best it can take a long time to restore everything. During which time your business and your client work has ground to a halt.
If you could avoid paying the ransom, there was still the question of what confidential data may have been accessed? Will the fraudsters strike again? Are they still in the network?
However, since late 2019, the stakes have got higher, because the alarming new trend is for the criminals to steal a copy of your data as a first step, before they encrypt the version you have on your system. That gives the fraudster 2 ransom opportunities. First, they ask for payment for the decryption key. Then they threaten to publicly release, piece by piece, the confidential data they have stolen about you and your clients, unless you pay up. Which means that even perfectly configured back up arrangements will not protect you or your clients.
Even if you do pay up, you cannot prevent the criminals later using the data to mount further cyberattacks. This could be on you, on your clients, or on your business relationships. It could include targeted phishing attacks against your staff and clients. Or they might sell the data to other criminals.
So what should you be doing to defend your firm? The starting point is to undertake a risk assessment covering a range of issues and behaviours across the 3 pillars of technology, people and process.
You need to look at your overall business set up. What technology do you have; how do you use it; what data do you hold; who has access to it; what remote working takes place; do people use their own devices; what third parties and collaboration platforms do you work with or rely upon; what controls do you have in place and how do you check they are working; how do you monitor security on an ongoing basis; and lots more. We assess firms against the following 10 themes:
- Digital behaviour
- Operating system patching
- Mobile phone security
- Remote working
- Application software patching
- Access management
- Network security
- Information transfer and handling
- Back up
As part of assessing and testing your security, it is advisable to undertake some technical Vulnerability Scanning. The frequency of this will depend upon your risk assessment and may change. This will help to identify vulnerabilities in your network and technology.
We are sometimes asked whether doing some old style penetration testing is alone sufficient to keep you safe. The answer is NO. Some penetration testing can of course prove useful or indeed necessary in some circumstances. But the traditional form usually only looks at one part of your technology within a defined scope, and usually just tells you whether an individual has been able to break into it. It is not assessing where your real business and operational risk is, or then addressing those risks.
Always keep in mind, that security is not just about the technology itself. It’s also about people and process.
You must give your staff cybersecurity awareness training, on an ongoing basis, so that they stay alert and are aware of the techniques criminals employ. This is not attempting to make them cybersecurity experts. It’s making them stop and think, before they immediately click on that attachment. It’s making them understand that they must not post certain types of information on social media, etc. This, together with testing of their understanding following training, and using simulated phishing attacks, dramatically reduces your risk of being breached.
Give your staff a cybersecurity handbook so they know the rules and what they can and cannot do.
You must have a risk management structure in place, which provides the right policies, and systems to govern your technology and the way it is being used. You must identify the controls which will manage risk. And there must be periodic checks to prove that your controls are working.
And security is not a one off MOT. It requires ongoing assessment and review.
If you become a victim
If you find that your business becomes a victim of any type of serious cyber breach, please urgently get a specialist to respond to the incident. You must
- isolate systems/data as necessary;
- ensure that the attack has ended;
- prove that the malicious software and connections have been removed;
- prove that your network has been secured;
- conduct an appropriate investigation so that you understand how it happened and what data has been taken.
We have found that if the incident is not managed correctly, it can result in the destruction of the footprint showing where the criminals have been, and what data they have taken. Which means you do not know what to tell your clients or the Law Society or the ICO. We have found that often, the criminals have not even been kicked out: they are still in the system and confidential client data is continuing to be removed. And lessons are not learnt, meaning the defences remain weak and the same thing will happen again.
And finally, ensure that depending upon the nature and severity of the incident, you comply with the appropriate reporting obligations which may include:
your PI insurer;
any cyber insurer;
the Law Society;
your employees; and most importantly
This article was produced by Mitigo. Take a look at their full service offer here.
For more information contact Mitigo on 0131 564 1884 or email firstname.lastname@example.org