Ransomware: Are you prepared? A discussion on cyber security.

Breakfast with the Chairman

DuPage County business leaders gathered on Wednesday, October 27 for an intimate roundtable session focusing on cyber security, ransomware, and what businesses can do to protect themselves. The event was moderated by Glenn Mazade, Senior Vice President of First Midwest Bank. Glenn led a discussion with two experts in the field: Chris Perreira, Vice President of Information Security Operations at First Midwest Bank, and Mike Del Giudice, CISSP, CRISC, Principal, Consulting at Crowe LLP. The event took place at Innovation DuPage.

To begin, Chris and Mike explained that ransomware is a type of malware that encrypts a user's or organization’s files, databases, and applications so that they cannot be accessed until a ransom is paid. “It’s a billion-dollar industry, and it’s not going away. It’s maturing and innovating,” said Mike.

Once a hacker breaches an organization’s network, they can sell that access on the dark web, which is a part of the internet that requires special software to access, allowing users to remain anonymous and untraceable.

Alternatively, hackers will often lie in wait after breaching a system, gaining a stronger foothold and looking for other vulnerabilities, until they can effectively carry out their hack and ensure that you pay.

A recent example of how malicious hackers can breach a company’s network is the attack on candy-maker Ferrara Candy Co, which disrupted operations just before Halloween.

Often, business owners may think they are too small to be breached, but according to Chris, it’s a crime of opportunity. “It’s not who, it’s what – they are after money. Malicious hackers will cast a huge net – maybe sending 100,000 emails containing malware links. And they are just looking for one person to click,” he said.

How can organizations protect themselves?

Both experts agreed that organizations need to build a resilient environment, and approach cyber security from multiple angles. This includes training and engaging your staff with best practices such as password controls and multi-factor authentication. Furthermore, organizations can engage third-party vendors for monitoring and detection.

And while cyber security insurance is available, it can be difficult to obtain. Insurance companies are paying out for cyber-attacks and therefore raising the bar for what it takes to get that insurance.

The following offers businesses guidance on conversations they should be having with IT departments and vendors.

  • Are we segmenting networks? Doing this lowers the likelihood that ransomware could impact multiple lines of business or applications. 
  • Do we have an information security awareness program? Training prepares staff to deal with the threat of phishing – and phishing is how most ransoms start.
  • Does our backup strategy match our recovery objectives? Are the backups air-gapped/offline? Have we ever attempted to recover the business from these backups? 
  • When will we have multi-factor authentication enabled for our systems? It’s gotten much easier to enforce MFA for logins – especially in cloud systems.
  • Have we replaced or augmented our anti-virus with Endpoint Detection and Response Software? EDR is more capable than traditional anti-virus – but it is not a silver bullet and it’s expensive.
  • Do we have a vulnerability management program in place? Patching alone is not enough. End-of-life software MUST be replaced (Win7, Server 2012). Know your external presence because it’s the most vulnerable.

Additionally, businesses should ask themselves: 

  • Are we spending enough on Information Security? This should be separate from the IT budget – these are two different disciplines.
  • Do we really understand our reliance on systems? What is the impact of them being down for a day? A week? 
  • Do we understand our dependencies on third parties? What happens when a critical third party is hit with ransomware? Does a problem at their business create a problem at ours?
  • Do we have cyber insurance? If not, why? If yes, does it cover ransomware? Are we compliant with the terms? 
  • If we are hit with ransomware, will we pay? Understand the impact of your answer. Do we have a plan in place to pay? What is the impact if we choose NOT to pay? 

What should you do in the event of a cyber-attack?

If you’ve become a victim of a cyber-attack, contact your IT department or vendor immediately. If you have cyber security insurance, call your insurance company. And if money is involved, call the FBI.

Additional Resource

Ransomware Guide, published by the Cybersecurity & Infrastructure Security Agency and the Multi-State Information Sharing & Analysis Center