Kevin James - The IT Control Specialists

    Ransomware: to pay or not to pay…

    First, don’t get caught out by ransomware! That is by far the most important message in this post. It is not difficult to avoid in real terms. If you follow these simple steps you will avoid having to make this critical decision:

    1. Keep software up-to-date and keep daily off-site backups.
    2. Use active Anti-virus (preferably with Zero-day protection).
    3. Don’t open dodgy emails or click links in strange communications.
    4. Always ask your IT department to check out any strange emails or messages.

Depending on the size of the company and its reliance on computers, you may want to have a business continuity plan in place: this may mean reverting to paper processes temporarily, having backup systems that are not connected to the core network, or having a cloud setup in place that removes the exposure of your core systems.


    However, if the worst does happen… should you pay the ransom demand?

    Put simply: No… Unless you have no alternative… then yes.

It has been confirmed that people who paid the ransom in the WannaCry attack did get their files back. This is not to say that any previously infected machines are now free and clear – they may still contain hidden malware code that has a release trigger (such as a date or time). After paying any ransom, you MUST reimage (wipe and factory reset) any machine which was infected to ensure you are not the target of a follow-up attack.

    We are NOT advocating paying a ransom – we are simply saying that in some circumstances this may be the only option. Additionally, considering the cost to business and cost of services required to decrypt files on a single machine it may be worth it in the long run. That said, when dealing with criminals there are no guarantees – this should be factored into any decision.

    The lesson here is to make sure your machine is protected from the risks which exist out there. With a few simple steps you can prepare any machine, and any business, so that even if attacks do occur you are prepared and able to resolve the problem as quickly as possible.

Again: ransomware, and the decision to pay a ransom, is not the problem; people not taking active steps to give themselves a way out is the problem. Much as you would not head into the Amazon jungle alone and unprepared for the dangers that exist there (or else you will end up in big trouble), you MUST PREPARE for the dangers which your business WILL FACE in the coming weeks, months and years.


    What should you do if you get a virus? (When you are at work)

[Once] the breach has occurred, there are four important elements to any breach management plan:

    1. Containment and recovery
    2. Assessment of ongoing risk
    3. Notification of breach
    4. Evaluation and response

    – ICO – Guidance on data security breach management

    1. Disconnect and isolate. As soon as you realise that a machine has been infected, disconnect that machine, and all connected machines, from the network (beginning with the infected machine). Inform your Manager so they can take the proper steps to protect the business.

    It may be a good idea to have an email ready to send to a contact list holding everyone in the business – with a title (and a step-by-step guide) along the lines of:

    URGENT: Immediately leave the business network and disconnect your machine from the internet.

    Doing this will drastically reduce the time required to ensure all machines within the business are protected from further infiltration. It will also allow any IT managers to focus on recovering the infected machines in the shortest possible time.

    TIP: A sure-fire way to protect your business is to prepare for the worst. This may mean simulating a cyber-attack in the same way as you would simulate a fire or other emergency to ensure an efficient and effective response. Doing this will ensure all staff are aware of their roles and will respond accordingly.

2. Assess ongoing risk. Communicate important details. Write down information such as the exact time of infection and the number of machines which have been infected, to the best of your knowledge – then give these details to your IT management team (or individual).

    Ensure the person who reports the problem to your IT team does so concisely and does not ramble. This person will likely be given important instructions to protect your business – ENSURE THEY ARE IT LITERATE. This will shorten the time required to recover.

3. Evaluate and respond. Have a temporary way to work set up and ready.

    You should have some form of EAP (Emergency Action Plan) or Business Continuity plan in place to ensure staff are able to keep working with limited reliance on IT. This includes informing customers of any problems. This often means having customer records available offline in a SECURE location.

    It may also mean setting up a simple website used only for customer communications in emergencies. Twitter and Facebook are also valid ways to communicate updates to customers effectively.

A possible alternative is to set up a customer notification tool with a third-party company. This can inform customers of any issues and send out updates as required. Communication companies around the world are able to perform this service.

4. Notify the correct persons of the breach.

    In most cases a security breach will remain internal. There are two exceptions to this rule:

    Service providers (eg telecoms providers or internet service providers) must safeguard the security of that service.

    Network providers (organisations that operate and maintain the underlying network) must comply with any reasonable security requests made by the service provider.

    – ICO – The Privacy and Electronic Communications Regulations (PECR) Guidelines

    Current UK law states explicitly that if you are a network or service provider and you do not inform customers of any identified security risks or communicate breaches, you may be in direct contravention of the law and therefore exposed to large fines.

If personal data has been taken, while there is no time-based obligation for UK companies to inform their customers, it will come to light eventually. Either the data will surface on the dark web or the attack will be tracked by security services.

    It is better to inform your customers in the first instance rather than be discovered a different way. While notification may lead to a breach of trust, customers finding out they have been hacked by other means is a sure-fire way to lose the confidence of a customer entirely.

For a full breakdown of the ICO’s recommendations for protecting your business from exposure to security risks and future malware attacks, please contact us to set up a security meeting or see the ICO’s guidelines below.



    Sources:

    https://ico.org.uk/media/1562/guidance_on_data_security_breach_management.pdf

    https://ico.org.uk/for-organisations/guide-to-pecr/communications-networks-and-services/security-of-services/

    https://ico.org.uk/for-organisations/guide-to-pecr/introduction/what-are-pecr/

    https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/

