Ransomware Protection is an Often-Overlooked Essential Part of Digital Security
To understand why ransomware protection is so important to associations and other not-for-profits, I first want you to consider how your organization currently uses and safeguards its digital resources. (And then I suggest you look here if you think only banks and the like get targeted.)
(This post was written over a month ago and only landed on the publishing schedule today; it is pure coincidence that a major ransomware attack occurred the week before publication.)
Before I ever wrote marketing material or did anything pertaining to content, I spent nearly a decade doing on-site IT solutions for a prominent, Toronto-based market research firm. I spent much of my time helping visiting clients figure out why their laptops weren't working. These were people representing the research departments of major Canadian and international companies, yet I was constantly surprised by how little security they put on their roaming laptops. These were computers sent out into the world with little protection and then brought back into contact with their home networks in their office.
I often wondered how many disasters the IT departments from those client companies had to deal with when those laptops were returned. I imagine much the same can be said of organizations in the association and not-for-profit sector.
A vital concern is the (sometimes sole) focus on viruses, which usually translates into reliance on installed anti-virus software. One result of this mentality is that few organizations have effective strategies addressing the most significant vulnerability in an association's computer networks: its human users.
By relying on software for their defense and not focusing on the software users, organizations and businesses become especially vulnerable to a relatively recent threat to computer systems, a devious hostage scheme known as ransomware.
Does Your Association Deploy Ransomware Protection?
In my experience, far too many organizations rely upon software to provide their security. Typically, they are content with "out-of-the-box" commercial solutions that seek to cover a broad base of threats without much customization to the organization's operations. The popularity of such software is its greatest strength, because market share gives vendors a strong incentive to keep their products effective and avoid bad publicity. However, that popularity is also its greatest weakness: once attackers work out how to evade a widely deployed product, that single bypass opens the door to every system running it.
Few of these platforms have yet given ransomware protection the focused consideration it deserves; most treat it like any other type of malware. In my opinion, this is because their customers give it so little thought that there is little specific demand for it.
So many organizations think they are safe because they have anti-virus software installed that they give little thought to what could happen if it were defeated, beyond the broadest terms of "that would be really bad." Think about it for a moment: how often does your association get updates about its cyber-security measures?
Does it meet with consultants who specialize in helping organizations stay up to date?
Has it ever had you and your peers gather for training?
Were you ever required to read and sign off on your understanding of an official policy governing use of your organization's computer resources?
Indeed, does such a policy even exist?
And, critically, does your organization have a strategy in place for handling things if its systems are ever penetrated by a virus or, worse still, taken hostage by ransomware?
If your organization is not yet taking ransomware protection seriously because it does not understand the growing threat it represents, that needs to change. Do your research.
The First Step of Ransomware Protection is a Digital Resources Policy
One of the first questions I ask when I take on a new job is what rules and policies my new employer has regarding computer use and network security. It never fails to shock me how many times I've been answered with a blank stare of surprise followed by something as general as "you know, use common sense." As I and anyone else who has ever worked in IT will tell you, though, "the problem with common sense is it's not very common."
"Common sense" is not an acceptable digital resources policy. If you find your organization does not already have hard, clear rules in place for network and online computer use, then you need to fix this issue immediately. On the specific topic of ransomware protection, here are some of my suggestions:
1) Stop, Think, Research before Clicking
If an email, website, or link attached to anything on your computer seems suspicious, avoid using it. Do not click on something "just to see what happens." That is how systems get infected with viruses and malware (including ransomware).
Instead, start by looking into it yourself. If an email is from a stranger or even someone you know, but contains a message that seems out of character, look up the subject online or search for a general description of what the email is asking you to do. Chances are, if such an email has been sent to you, it has been sent to plenty of other people and there is now a warning for it online. If you are still in doubt, go ask your IT person what to do.
Businesses and associations need to take special care to watch for emails that appear to come from legitimate sources. Your business may deal with a lot of shipping, for instance, so you may click on a link from a shipping company without thinking because the subject line says something like, "Final notice: your package is waiting for you to pick up" or "Your package was not deliverable." The email will then prod you to open an attached "invoice" or click a link to one. The only problem is that the "invoice" is actually a malicious file, or a link to one, and opening it runs malware on your system. Before acting on such a message, check that the sender's address and the link's real destination (hover over it rather than clicking) actually belong to the company the email claims to be from.
If in doubt, don't do it. Leave it alone. Delete it.
When surfing online, avoid any "click-bait" websites because they are often launch platforms for malware, viruses, and scams. Your need to find out who is cheating on who or how that single mom in your area ended up earning $8,000 a day from home will just have to take a back seat to surfing securely. You may even want to look into a service like Web of Trust to add another layer of protection to online browsing.
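The two checks above (does the link really go where it says, and is the "invoice" really a document) can be applied mechanically. The following Python script is an added example and is not code from the original post or from CSAE; the sample email, the domain names in it, and the extension lists are constructed for illustration and should be tuned to your own environment. It flags links whose visible text names a different site than the real target, and attachment names that end in an executable extension, including the classic "invoice.pdf.exe" double extension.

```python
"""Triage helper for a suspicious e-mail (added example, not from the original post).

Two checks:
  1. links whose visible text names one domain while the href points elsewhere;
  2. attachment names that are executables, especially ones disguised with a
     document-looking extension before the real one (invoice.pdf.exe).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: these lists are illustrative; extend them for your own environment.
EXECUTABLE_EXTS = {"exe", "scr", "js", "jse", "vbs", "wsf", "hta",
                   "bat", "cmd", "ps1", "lnk", "msi", "jar"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Constructed sample of the "package not deliverable" lure described above.
SAMPLE_HTML = """<p>Final notice: your package was not deliverable.</p>
<p>View your invoice at
<a href="http://courier-example.com.delivery-notice.example/track">www.courier-example.com</a>
or contact <a href="https://courier-example.com/support">courier-example.com support</a>.</p>"""
SAMPLE_ATTACHMENTS = ["invoice_4471.pdf.exe", "statement.pdf", "tracking.js"]

DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)


def host_of(value):
    """Lowercase host of a URL or bare domain ('' if none)."""
    value = value.strip()
    if "://" not in value:          # bare domain written in the link text
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def same_site(a, b):
    """Crude registrable-domain check: compare the last two labels.
    Good enough for this triage; it does not understand suffixes like co.uk."""
    return a.split(".")[-2:] == b.split(".")[-2:]


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return hrefs whose visible text names a domain other than the real target."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if urlparse(href).scheme not in ("http", "https"):
            continue                      # mailto:, tel:, etc. are out of scope here
        shown = DOMAIN_RE.search(text)
        if shown is None:
            continue                      # "click here" text: nothing to compare against
        if not same_site(host_of(shown.group(0)), host_of(href)):
            flagged.append(href)
    return flagged


def suspicious_attachment(name):
    """Reason string if the attachment name looks like a disguised executable, else ''."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return ""
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double extension hides executable"
    return "executable attachment"


if __name__ == "__main__":
    for href in suspicious_links(SAMPLE_HTML):
        print("link text does not match real destination:", href)
    for name in SAMPLE_ATTACHMENTS:
        reason = suspicious_attachment(name)
        if reason:
            print(f"{name}: {reason}")
```

Run against the constructed sample, the script reports the first link (its text says "www.courier-example.com" but it really goes to a "delivery-notice.example" host) and two of the three attachments; the genuine support link and the plain PDF pass. The point is not that a script replaces the "stop, think, research" habit, but that the habit can be written down precisely enough to teach, and that mismatches of this kind are exactly what to look for.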
2) Educate Your Staff and Volunteers
As previously stated, do not rely on staff and volunteers to have sufficient "common sense" when it comes to your organization's digital resources. Always assume that if there is a bad choice to be made regarding securing your network, someone will make it because they don't know better. To help reduce this risk, conduct training sessions with new staff and volunteers with access to your digital resources. This includes presenting them with a documented digital resources policy they must sign to indicate they have read it and understood the consequences of non-compliance. Be prepared to have annual refreshers.
3) Follow Through with Repercussions
If you learn someone is violating your digital resources policy -- whether out of laziness, a lack of concern, or ignorance -- don't be afraid to enforce the rules by applying the stated consequences. In fact, you cannot afford not to address the situation seriously. If staff and volunteers see that a colleague faced no repercussions for breaking the rules, they won't see a reason to follow them, either. Unfortunately, the threat of viruses, malware, and ransomware is so far removed from a typical user's online interactions that most don't take it seriously until it's too late.
I suggest talking over appropriate consequences with human resources (or a consultant, if your organization has no such department). You will also need to vet those repercussions with a lawyer or HR representatives who are informed experts on digital resource policies and labour laws.
4) Budget for the Worst Case Scenario
Obviously, it is vital to include the cost of ransomware protection and other network security measures in your budget, but are you prepared for when the you-know-what hits the fan? Whether you need to remove the ransomware and rebuild, or decide to pay the ransom (yes, some businesses and organizations have indeed taken this step, and paying is no guarantee of getting your data back), you are going to need money to deal with the problem. The cheapest line item you can add is tested, offline backups of anything you cannot afford to lose; without them, your only options are paying or starting from nothing. Is this in your budget? (Better yet, are you insured against such an eventuality?)
Recovering from ransomware or another type of severe cyber attack can be extremely costly. You certainly don't want your organization to find itself in a position where it has to shuffle funds, cutting crucial programs to deal with the expense. Worse yet, will the unexpected cost actually be a deathblow to your association?
I'm sure it comes as no surprise to you that associations and not-for-profits do not often have much room for error or course correction in their budgets, so be prepared. It's better to account for the worst case scenario ahead of time than to get caught off your guard and be left scrambling and set back by years (or worse).
Now that you understand the threat that ransomware represents to associations, are you prepared to take the steps necessary to protect your organization?
The following infographic by Trend Micro provides a number of important, more detailed facts and considerations regarding ransomware protection and consequences.
Ransomware protection is ultimately easier and cheaper than ransomware removal. Does your association have a digital resources policy in place for proactively working to prevent your organization's computer systems being victimized? If not, have a look at the CSAE Digital Resources Policy template to get started. It is a free download available to everyone.
When it comes to your association discussing the risks posed by ransomware and other online threats, the CSAE BoardREADY Card Deck can help drive the conversation.
To begin with, does your organization know what its legal accountability is should it fall victim to ransomware? What sort of digital and physical resources does it possess that could be compromised by such a threat, and what obligations is the organization under to protect them? Beyond the costs of protecting against ransomware, what would the cost to the organization be if it became a victim? Is it prepared financially to cope with such an outcome?
Looking at how such an attack can occur, have you examined how your organization is structured and governed in order to identify its vulnerabilities to ransomware? How many of these risks are a matter of internal operations, and how many are the result of delaying protective measures because the associated costs create other sorts of risk to the association?