If recent headlines about ransomware attacks on companies have you worried, your concerns are well-founded. Earlier this year, the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency – you may know them as CISA – issued a Fact Sheet on Rising Ransomware Threat to Operational Technology Assets. The computer criminals who traffic in ransomware try to exploit vulnerabilities in technology and soft spots in human nature. The FTC suggests two steps your small business can take to bolster your digital defenses on both fronts.
Step #1. Make sure your tech team is following best practices to fend off a ransomware attack. One key protective step is to set up offline, off-site, encrypted backups of information essential to your business. Furthermore, share the CISA Fact Sheet with your IT staff. Underline, italicize, CAPITALIZE just how important it is for them to stay current on the latest word from the leading federal agency on defending against these threats and on updates from other trustworthy public-private partnerships. CISA’s ransomware resources – including its Ransomware Guide – should be required reading. This isn’t something to save for a slow day at the office. Your IT team should immerse themselves in the latest advice from CISA and other authoritative experts.
Step #2. Schedule a security refresher for your employees. Ransomware isn’t just an issue for IT professionals. Perps often use email to your staff as their entryway into your system. By clicking on a link or downloading an attachment, a distracted staffer could inadvertently hand a computer criminal the keys to your corporate kingdom. But as companies up their defensive game, the bad guys have responded. Some use publicly available information or stolen data about an employee to craft a more personal message. Rather than a misspelled mess that screams scam from the start, the email – or phone call, text, etc. – may appear at first glance to be legitimate business correspondence or even a message from a colleague. A small business’s best defense is a workforce trained in the tricks that cybercriminals are likely to use. Other important protections are: 1) rigorous authentication procedures; and 2) a company policy that requires passwords for employee credentials and administrative functions to be l-o-n-g and complex. In addition, educate your staff on the folly of using the same password on different platforms, and consider the many benefits of multifactor authentication.
Looking for the FTC’s big picture perspective? Read Ransomware prevention: An update for businesses. The FTC also has to-the-point resources you can incorporate into your in-house security training program. Our Cybersecurity for Small Business suite – created in conjunction with NIST, the SBA, and the Department of Homeland Security – features self-contained topical modules, including one on ransomware. Mix it up with our videos, fact sheets, and quizzes.
The bottom line for business is that ransomware is a federal crime. If you think you’ve been targeted by a ransomware attack, contact your local FBI field office immediately. In the meantime, shore up your defenses through technology and training.