“It will never happen to our organization.”
If there ever was an issue that prompts IT professionals to make the above statement, the rise of ransomware might be it.
But this week’s news that a medical facility based in Los Angeles paid out a US$17,000 ransom to hackers who infiltrated its electronic medical records (EMR) system and disabled its computer network — because paying was in the best interest of the hospital and the most efficient way to solve the problem, according to hospital officials — underscores a potentially frightening issue.
Ransomware, of course, refers to malicious software that is designed to restrict access to a computer or mobile device, whereupon the hacker can demand a fee in order to restore access and system integrity. In the case of the Hollywood Presbyterian Medical Center, sources say it was an email link that was clicked by a hospital employee on a computer with access to the EMR system that initiated the security attack.
While hospital officials maintain that its patient data remains secure and uncompromised, enterprises should expect to hear more about similar attacks in coming months.
According to Kevin Shahbazi, CEO of multiplatform mobile security provider LogMeOnce, paying any ransom should not be the first option.
“As painful as it may sound, such acts should not be rewarded…you really don’t know who you are dealing with. The hacker could be advanced enough to leave behind additional traps for you,” Shahbazi said.
Instead of paying off the hackers, he offered that organizations should first look to immediately patch any security holes within the environment
“Proper security best practices will help you in the long run, rather than sleeping with the enemy. Do your homework, have your backup, educate end-users, and use a solid password management tool that does more than keeping passwords in a vault. Look for one that has capability to detect hackers if they attempt to get in,” he said.
Recently law enforcement officials have noted the move to anonymizing networks and payment methods for security could potentially fuel the rise of ransomware, and Intel Security division McAfee Labs revealed in its recent threats report that “with upcoming new variants and the success of the ‘ransomware-as-a-service’ business model…the rise of ransomware that started in the third quarter of 2014 will continue in 2016.
“Although a few families—including CryptoWall 3, CTB-Locker, and CryptoLocker—dominate the current ransomware landscape, we predict that new variants of these families and new families will surface with new stealth functionalities,” McAfee Labs said in its latest 2016 Threats Predictions report.
And according to the security vendor, the three ways to best prevent such enterprise incidents include:
- Regular file backups: Disk drives can simply be wiped clean and restored in the event of a ransomware attack
- Minimize human error: Educate staff about Internet best practices such as not opening unknown email links or attachments
- Install security software: Firewalls and anti-spam filters can help to protect mobile devices and computers across the enterprise
The onus is often on the chief security officer (CSO) to establish a security methodology and determine how much time, resources and budget should be allocated to establish effective policies and controls. But, as Gartner recently noted, success in today’s complex cybersecurity environment demands breaking down internal organizational silos to help ensure stronger collaboration between the CEO, CIO and CSO. This can be key to ensuring a more holistic and comprehensive security approach.
Most importantly, establishing a proactive strategy — one that includes software, hardware along with stronger employee best practices — are key in avoiding cyberattacks and being the next company to have their name splashed on the front page due to a security incident.
While ransomware represents only a fraction of the security threats that companies can face, it’s still out there. And, as this week’s news highlighted, it can happen to your organization.
“Unfortunately, the industry in general has not had a measured approach to such persistent problems. Typically, it has been a static response, where the problem is truly dynamic at its source,” Shahbazi said.