How can Irish businesses minimise their exposure to ransomware?

Cybercrime is now big business and ransomware attacks have risen in prominence and frequency, targeting businesses of all sizes, all over the world.

In fact, ransomware has become the single largest threat to organisations globally: a company is hit by ransomware every 40 seconds (Kapersky Security Bulletin 2016). While media headlines talk about how organisations like the NHS and Telefonica are being hit, cybercriminals aren't solely focusing on large organisations; businesses of all sizes and in all sectors are being targeted.

An effective security strategy needs to focus on what we call 'defence in depth', where multiple layers of security controls are put in place including personnel, procedures, technology and physical security. Too many organisations invest in defence mechanisms (they install a firewall) and they lack preventative security measures, such as having a secure network, enacting security awareness programme, implementing next-gen security solutions and conducting threat analysis.

Proactive patching a necessary step

Implementing a proactive patching programme is a necessary step in any IT security strategy. Software and operating systems are updated regularly to ensure there are no vulnerabilities open to would-be hackers. While organisations should be taking this step as a matter of course, this isn't happening. Let's look at the WannaCry ransomware attack for instance: 92% of the machines infected were running an outdated version of Windows 7. Microsoft had released a patch for the SMB vulnerability in March 2017, a full two months before WannaCry was released. Those organisations affected by the attack had not made the necessary updates.

It's not just operating systems that need to be kept up to date, security software (anti-virus software) vendors will also frequently issue updates to cover specific exploits. By keeping up to date with these releases, Irish-based organisations can ensure that their software is as effective as it can be.

Ongoing training and employee awareness is key

While WannaCry targeted a software vulnerability, the majority of ransomware and other malware such as Trojans, typically use phishing emails to wriggle their way into an organisation's IT system. According to a study conducted at Friedrich-Alexander University, 78 percent of participants said they were aware of the risks of unknown links in emails. Yet 45% of them clicked the link anyway. 

This data, though worrying isn't entirely surprising. Phishing emails have become a lot more sophisticated; they're convincing and make use of social engineering tactics to encourage users to open them. And that's why raising awareness of this threat is so important. Training is key. And any security awareness training needs to reinforce the implications of cybercrime on a business and outline the dangers of clicking unknown links or opening email attachments. All training should be ongoing, and not just one-off 'tick-the-box' workshops. This will ensure that new threats are discussed and employees are fully aware of new cybercrime tactics and exploits. 

Rather than think "this will never happen to us", organisations at home and abroad need to assume they will at some point experience a ransomware or cybersecurity threat. By putting effective processes in place before that happens, they can dramatically reduce the potential impact of these attacks.