Ransomware First Aid & GDPR
On the BusinessBunker Xtra Radio Show we briefly discussed the number of security and data breaches being reported. There are many reasons why these breaches were possible, but the most likely non-technical attack method is a phishing email. The same can be said of another topic we’ve touched upon, ransomware. In this month’s blog I have asked one of our Cyber Security Analysts, Sanya P, to explain what I mean.
In simple terms, ransomware is a type of malicious software that locks users out of their IT system until they pay a ransom to the attackers. The attackers usually gain access through email or social media, luring users into clicking on infected links, which quickly spread malicious code that encrypts the system files, making them unreadable and inaccessible. A message is then displayed, demanding a ransom. The premise is clear: if the user doesn’t pay, they lose their data permanently. A time limit is usually imposed, after which the price increases significantly.
Ransomware is a profitable activity for cyber criminals. However, even if payment is made, there is no guarantee that the files will be recovered or that the data will not be made public. Businesses should, therefore, take cybersecurity seriously, even more so with the introduction of the GDPR. Once a business has fallen victim to a ransomware attack, there is no easy way to recover. Reputational harm, loss of clients and public criticism add up to financial losses and the threat of lawsuits. This is why some businesses may have decided to keep quiet in the past. However, the added damage to your reputation once it becomes known that you tried to cover up a data breach will be hard to repair, and it is now the law that you report it.
GDPR states that Data Processors and Data Controllers have 72 hours to notify the ICO from the moment a breach is discovered. Once a breach has been notified, the ICO is likely to launch an investigation, looking particularly at whether you had appropriate measures in place to protect the data you held. Article 25 of the GDPR specifies that technical and organisational measures shall be implemented by Data Controllers and Data Processors for data compliance, proportionate to the risk of the potential loss of data.
Examples of the types of measures to put in place include:
• Ensure data is processed only on instruction, and that persons with general access to the system have either controlled access or no access to sensitive and personal data.
• Train everyone on the network to an adequate level. Giving admin rights to untrained personnel poses a huge risk: admins can change files on the system, and if the system falls victim to cyber-criminals, they gain the power to exercise full control over it. A two-factor authentication system strengthens log-in security.
• Deleting files and emptying the recycle bin is not enough, as even deleted files can be recovered by attackers. It is advisable that businesses use data-shredding software.
• Antivirus and anti-malware software must be up to date, suited to the needs of the business, and offer real-time protection.
• Where users need to click on links, content filtering is useful. Content filters check the link against databases of malicious sites and ensure the visited page uses up-to-date security protocols.
• As noted, infection usually happens via infected links and files. Users must be extra vigilant when opening an attachment and always check for a hidden file extension. (For example, a text file should not carry the executable extension “.exe”.)
• Disable protocols that are not in use.
• Use strong passwords, made up of a mix of upper- and lower-case letters, digits and symbols. It is not advisable to use the same password for everything. Furthermore, passwords must be changed regularly and never shared.
• Backing up is vital for restoring files quickly. The back-up folders must be inaccessible from the network, ideally on an encrypted portable hard drive that is kept disconnected from the network. When backing up the files, it is advisable to do so offline.
• Data encryption means that even if control over the system is seized following a ransomware attack, the files will be of no use to the attackers, as they won’t have the decryption key.
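The hidden-extension check above can be automated at the mail gateway or help desk. The following is an added example written for this post, not code from TEN Intelligence: it flags attachment names whose real (final) extension is executable, names that hide an executable behind a document-style double extension such as “invoice.txt.exe”, and names using the Unicode right-to-left override character, which reverses how the tail of the name is displayed. The extension lists and the sample attachment names are constructed assumptions, not from any real incident.

```python
from typing import Dict, List

# Extensions that run code when opened on a typical Windows desktop.
# Assumed list for this example; extend it to match the organisation's policy.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
    "wsf", "hta", "ps1", "msi", "lnk", "jar",
}

# Extensions that users expect to be harmless documents or images.
DOCUMENT_EXTENSIONS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}

# Unicode Right-to-Left Override: text after it is rendered reversed.
RTL_OVERRIDE = "\u202e"


def displayed_name(filename: str) -> str:
    """Approximate what a user sees when the OS hides known file extensions:
    the final extension is dropped, so 'invoice.txt.exe' shows as 'invoice.txt'."""
    stem, _, _ = filename.rpartition(".")
    return stem or filename


def check_attachment(filename: str) -> List[str]:
    """Return warnings for an attachment name; an empty list means no concern."""
    warnings = []
    if RTL_OVERRIDE in filename:
        warnings.append("contains Unicode RTL override; displayed name is misleading")
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        warnings.append(f"executable extension .{ext}")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
            warnings.append(
                f"double extension .{parts[-2]}.{ext} disguises an executable as a document"
            )
    return warnings


def triage(names: List[str]) -> Dict[str, List[str]]:
    """Check every attachment name and map it to its warnings."""
    return {name: check_attachment(name) for name in names}


# Constructed sample attachment names (not taken from any real incident).
SAMPLE_ATTACHMENTS = ["quarterly_report.pdf", "invoice.txt.exe", "photo.jpg.scr", "invoice\u202efdp.exe"]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r} (shown as {displayed_name(name)!r}): {findings or 'ok'}")
```

A name with no warnings is not proof of safety; the check only catches the disguises described above and should sit alongside antivirus scanning and content filtering.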
If an infection occurs, adequate decision making will be vital. At this point, crisis management and business continuity plans will be invaluable. In the first moments of a suspected infection, disconnecting the machine from the network, or forcing it to shut down, may play a crucial role in containing the attack. While it may sound complicated to those with no IT background, it is important to remember that the best defence against ransomware is prevention. If you need any assistance with the above, particularly incident reporting and management, please let us know at email@example.com, or for more information visit https://www.tenintel.com/audit-assessment/