If recent headlines about ransomware attacks on companies have you worried, your concerns are well-founded. Earlier this year, the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency – you may know them as CISA – issued a Fact Sheet on Rising Ransomware Threat to Operational Technology Assets. The computer criminals who traffic in ransomware try to exploit vulnerabilities in technology and soft spots in human nature. The FTC suggests two steps your small business can take to bolster your digital defenses on both fronts.
Step #1. Make sure your tech team is following best practices to fend off a ransomware attack. One key protective step is to set up offline, off-site, encrypted backups of information essential to your business. Furthermore, share the CISA Fact Sheet with your IT staff. Underline, italicize, CAPITALIZE just how important it is for them to stay current on the latest word from the leading federal agency on defending against these threats and on updates from other trustworthy public-private partnerships. CISA’s ransomware resources – including its Ransomware Guide – should be required reading. This isn’t something to save for a slow day at the office. Your IT team should immerse themselves in the latest advice from CISA and other authoritative experts.
Step #2. Schedule a security refresher for your employees. Ransomware isn’t just an issue for IT professionals. Perps often use email to your staff as their entryway into your system. By clicking on a link or downloading an attachment, a distracted staffer could inadvertently hand a computer criminal the keys to your corporate kingdom. But as companies up their defensive game, the bad guys have responded. Some use publicly available information or stolen data about an employee to craft a more personal message. Rather than a misspelled mess that screams scam from the start, the email – or phone call, text, etc. – may appear at first glance to be legitimate business correspondence or even a message from a colleague. A small business’s best defense is a workforce trained in the tricks that cybercriminals are likely to use. Other important protections are: 1) rigorous authentication procedures; and 2) a company policy that requires passwords for employee credentials and administrative functions to be l-o-n-g and complex. In addition, educate your staff on the folly of using the same password on different platforms, and consider the many benefits of multifactor authentication.
Looking for the FTC’s big picture perspective? Read Ransomware prevention: An update for businesses. The FTC also has to-the-point resources you can incorporate into your in-house security training program. Our Cybersecurity for Small Business suite – created in conjunction with NIST, the SBA, and the Department of Homeland Security – features self-contained topical modules, including one on ransomware. Mix it up with our videos, fact sheets, and quizzes.
The bottom line for business is that ransomware is a federal crime. If you think you’ve been targeted by a ransomware attack, contact your local FBI field office immediately. In the meantime, shore up your defenses through technology and training.