Published in The Business News on December 15th, 2022
Twenty years ago, we were warned against viruses. “Better get a good antivirus, so you are protected”. We don’t really talk about viruses anymore, because these types of cyber-attacks have evolved to include a whole variety of nasty risks, generally summarized by the term malware.
One specific type of malware is ransomware. This is where someone infects your system, then threatens to publish your personal data or permanently block access to it unless a ransom is paid. Some of the big ransomware attacks that you may have heard of are CryptoLocker and SamSam. I wrote about one company’s experience with SamSam in a previous column. You can read that here.
I have heard important government types say things like, “ransomware is terrorism”. This is true. They also say things like, “it’s not your fault”. That is not true. It is totally your fault if you get hacked and your files are encrypted. Why is it your fault? Because there are actions that you can take to protect yourself against ransomware. The truth is, most don’t take them.
Just as Patches O’Houlihan (from the movie Dodgeball), had the five “D”s of dodgeball, I look to the five “P”s of cybersecurity: Patching, Passwords, Policy, Preparation and Phishing Training.
Patching
Patches are modifications or upgrades to computer systems. Sometimes they add functionality, but they very often include security updates. The software or system manufacturer is plugging exploitable holes in their product through these patches, and attackers routinely go after holes that have been public for months because they know many businesses never installed the fix. The simplest way for you to take advantage of these security upgrades is to install the patches promptly, and to turn on automatic updates wherever your systems allow it.
Passwords
You know what a password is, and we’re not talking about Jack Clark’s game show. Using strong passwords is an obvious way to stop someone from guessing yours. Unfortunately, no one is sitting in a Russian cubicle trying to guess your password by hand. They are using automated tools that test millions of guesses a second against stolen password databases or, more likely, they already hacked someone else and that someone had your password on file (see the hacks on Target, Uber and a handful of others). If you reuse that password, the criminals simply try it on every other service you use. Complex passwords are good but not enough. You also need to use Multi-Factor Authentication, you should never use the same password on two accounts, and you need a secure place, such as a password manager, to store all of your passwords.
Seems like a lot of messing around? Imagine your business being shut down by a $200,000 ransom demand. Trust me, that’s worse, and it can absolutely happen to you. Bullies target the weak, and you are neither too big nor too small to get hacked.
Policy
Human Resources and Information Technology, unite! When we are talking policies, we are talking about the policies that your company implements to manage employees and the policies that the IT team uses to manage technical assets. While HR is focusing on acceptable use and file retention policies, IT is banging out group policies for patching, password requirements, data access and Internet use.
Preparation
Vic Tayback (Mel from TV’s Alice) once said, “the best defense is a good offense”. Preparation is the creation of a good Business Continuity and Disaster Recovery (BCDR) plan. The best of these plans evaluate risks, then minimize the chance of those things happening, and spell out how you will get back on your feet if they happen anyway, including backups that are kept where ransomware on your network cannot reach them and that you have actually tested restoring from.
Don’t let yourself be too busy to prepare. You might just spare yourself from a disaster or, at the very least, ensure that you recover from one. A frequently cited statistic holds that, as of 2019, 60% of small businesses that experience a cyber-attack go out of business within six months of the attack. Don’t be a statistic.
Phishing Training
Phishing is where a bad person sends fake emails (or texts, or phone calls) that trick you into clicking a malicious link, opening an infected attachment or handing over your login details, all in the hope of ripping you off. It is also how most ransomware gets in the door. There are many products out there to simulate a phishing attack, and most also come with training for your employees. Many insurance companies are now requiring this training for cyber policies.
Full transparency, I needed a fifth “P”. Training overall should be the message. Phishing awareness training is one great option, but your employees should also be trained to safely navigate the Internet, store data and use their systems. Training, as a whole, is the real fifth “P”.
Aside from the five P’s, you still need good old-fashioned security, starting with a network firewall. Then we bring back that antivirus we spoke about 720 words ago. Antivirus applications have evolved into business endpoint protection solutions, most now providing automatic detection and response if something malicious is found on a machine. Keep your facility physically secure and make sure your employees have common sense. The robot calling you does not want to renew your car’s warranty. Stop falling for this stuff… Common sense, people.