Protect Your Data from Ransomware and Malware: 5 Key Steps from Security Experts
Ransomware attacks continue to negatively impact Chicagoland businesses. What do security experts recommend for business owners and decision makers to keep your customers’ data safe, your company’s reputation intact, and maintain your peace of mind?
Any business, private or public, small or large, is susceptible to cybersecurity attacks. We spoke to two experts, Rick Nordmeyer, owner of DigiTronix, a managed service provider (MSP) and data security firm, and Paul Hinds, owner of Mitarbet Consulting, a cybersecurity, IT risk, and privacy services firm.
Both Nordmeyer and Hinds agreed that data security is about making your data difficult to access. You do not want to be an easy target. If your data is protected with strong security measures, chances are the attackers will move on to an easier, more vulnerable target. Top targets are often businesses that either hold personal or financial information (e.g., law firms, accounting firms, medical practices) or firms that face large financial losses if they lose access to their data (such as hospitals, manufacturing companies, and even universities).
A few recommended steps, outlined here, can make a world of difference.
Five Basic Safeguards
Step One – Turn on the firewall and the spam and malware filtering offered by your Internet Service Provider (ISP) and your email provider. This stops much inbound spam and malware before it reaches employees. (If your business runs Microsoft products, the security features that come with them are not all on by default and need to be proactively enabled.) Laptops and other endpoints need a reputable security package to protect against viruses and other attacks. Nordmeyer cautions that whichever application is selected, make sure it monitors 24/7.
Nordmeyer also recommends that his clients restrict what types of emails can be received and which websites employees can access from their work computer. He suggests that it is better to start off being restrictive, even to the point of blocking access to social media sites, shopping sites, and other non-work activities. The standards may always be eased up later if the need is warranted. He is also a big proponent of banning thumb drives at the office as they are notorious virus carriers.
Nordmeyer recommends that every business should limit the number of privileged access administrators. Hinds suggests that these administrators have two accounts, one for normal activities, and one that is very protected for privileged access functions.
Step Two – Remote workers need a strong, well-maintained virtual private network (VPN) connection from their home offices, or at a minimum must use HTTPS for every company service they reach. Either way, the goal is the same: data sent back and forth is encrypted in transit rather than readable on the networks it crosses.
“A VPN and HTTPS both have the capability to encrypt your data, but a VPN encrypts more. HTTPS encryption only works between browsers and servers, and that’s only if it is enabled. A VPN, however, encrypts all data that passes through the VPN connection, no matter if certain settings are enabled or not,” said Hinds.
Step Three – Mandate that your employees use multi-factor authentication (MFA) for accessing any company or client systems. (An example of MFA is being asked, after entering your email and password on a site, to type in a code sent to or generated on your cell phone.) MFA forces an immediate, live second proof of identity, so a stolen password alone is not enough to log in. It is good practice to institute. A common version of this is Microsoft Authenticator. One third of cyber-attacks come from third parties, so do not assume your business partners are protected.
Step Four – Employee education is an important aspect of maintaining these safeguards. According to Hinds, “over 60% of hacking comes in through phishing and email credential attacks. There has also been a big increase in attacks via known vulnerabilities in websites and third-party software.”
Nordmeyer recommends his clients review and update onboarding materials and the employee handbook. He typically will meet with HR and review the rationales behind the security precautions and emphasize their importance. If needed, he will provide a presentation to employees to emphasize the importance of changing certain previously accepted behaviors. Data security affects everyone in the company, from the most senior employee to the most junior.
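Employee training works best when people can see the concrete signs of a phishing email. The following added example (not from the article or from either firm) runs a few such checks over a raw email message: a display name that embeds a different address than the real sender, a sender domain that is a look-alike of a trusted one, a Reply-To that diverts replies elsewhere, links whose visible text names one site while the href goes to another, and plain-http links. The message, the trusted domain list, and the look-alike substitutions are all constructed for this example.

```python
"""Added example: phishing-indicator triage over a raw email message.

Everything below (trusted domains, the sample message, the substitution
table) is constructed for illustration.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains this business legitimately sends from.
TRUSTED_DOMAINS = {"corp.example", "mail.corp.example"}

# Constructed sample with several classic indicators packed into one message.
SAMPLE_EMAIL = """\
From: "Accounts Payable <ap@corp.example>" <billing@c0rp.example>
Reply-To: collections@relay-mailbox.example
To: owner@corp.example
Subject: Urgent: invoice overdue, action required today
Content-Type: text/html; charset=utf-8

<p>Please review <a href="http://corp.example.verify-login.example/inv">https://portal.corp.example/invoice</a></p>
"""


def split_address(header: str) -> tuple[str, str]:
    """Return (display name, address) for '"Name" <addr>' or a bare 'addr'."""
    m = re.match(r'^\s*(.*?)\s*<([^<>]+)>\s*$', header)
    if m:
        return m.group(1).strip('"'), m.group(2).strip()
    return "", header.strip()


def normalize_lookalike(domain: str) -> str:
    """Fold common homoglyph substitutions so c0rp.example -> corp.example.
    The table is illustrative, not exhaustive."""
    return (domain.lower().replace("0", "o").replace("1", "l")
            .replace("rn", "m").replace("vv", "w"))


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: str) -> list[str]:
    """Return a list of human-readable findings; empty means no indicator fired."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = split_address(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()

    # 1. Display name that embeds a different address than the real sender.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)
    if embedded and embedded.group(0).lower() != from_addr.lower():
        findings.append(f"display name shows {embedded.group(0)} but sender is {from_addr}")

    # 2. Sender domain is a look-alike of a trusted domain.
    if from_domain not in TRUSTED_DOMAINS and normalize_lookalike(from_domain) in TRUSTED_DOMAINS:
        findings.append(f"sender domain {from_domain} looks like a trusted domain")

    # 3. Replies are diverted to another domain.
    _, reply_to = split_address(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"Reply-To {reply_to} is not in sender domain {from_domain}")

    # 4. Link checks over every HTML part (walk() yields the message itself
    #    when it is not multipart).
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        extractor = _LinkExtractor()
        extractor.feed(html)
        for href, text in extractor.links:
            target = urlparse(href)
            if target.scheme == "http":
                findings.append(f"cleartext link {href}")
            shown_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            if shown_host and shown_host != (target.hostname or ""):
                findings.append(f"link text shows {shown_host} but goes to {target.hostname}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

None of these checks is proof of phishing on its own, and a skilled attacker avoids several of them; the value for training is that each finding maps to something an employee can be taught to look at before clicking.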
Step Five – Invest in ongoing, regular security updates and maintenance. Without them (e.g., promptly applying vendor patches for known vulnerabilities), any system becomes an easy target, because attackers scan for exactly the holes those patches close. Attackers are persistent; if they want to break into your network, they will look for a way in, and new malware crops up all the time.
It is important for decision-makers to recognize that data security is a permanent line item in their annual budgets, one worthy of adequate and constant investment in staff, hardware, and software. “Staff” could mean hiring an outside firm to handle some tasks. In the past, a business owner might have been tempted to hire their neighbor’s kid who fixes laptops. Cutting corners with data security is risky and unwise: any money saved will pale in comparison to the financial and reputational cost of recovery should your systems be compromised.
Some businesses will want to consider shifting their IT work to the cloud instead of continuing to run everything in-house. Hinds acknowledges this could require an increase in spending, but the additional security protections provided, if implemented correctly, are often well worth the additional costs.
The Hacker’s Mindset
Nordmeyer and Hinds both talked about how sophisticated the hackers and bad actors are, and how U.S. businesses have underestimated the threats they represent.
Ransomware, extortion, personal identity theft, and stealing money from susceptible businesses and people is a multi-billion-dollar business. There are teams who scan the internet for targets and sell this information to hacking groups, who then look for ways to exploit the easiest targets for smaller extortion payments. There are also teams who focus on the hard-to-compromise (i.e., break into) businesses for the large, multi-million-dollar payments.
The cost of not protecting your data could devastate your business. One trend to be aware of is that regulators, industry standards, and contractual terms will increasingly require implementation of these and other cybersecurity best practices, and laws may be proposed that require the same.
The bottom line is, no business or person is safe. There is a hacking group focused on you and your industry; they just may not have found you yet.
Note: The concepts and recommendations described in this article are edited from conversations with experienced security practitioners. They are not intended to be absolute mandates. We recognize every business entity and industry has unique security requirements. We recommend that you evaluate your business’ needs, talk to security professionals, and decide a course of action based on what is best for your specific situation.
About Weiss & Company
Innovative and flexible like the best boutique firms, with the broad selection of services of larger firms, Weiss & Company delivers solutions precisely tailored to your needs.