By Ashley Ashbee
Ransomware is like something out of a psychological thriller.
Employees are locked out of the company's systems and greeted with a notice explaining that those systems, and all of the data within them, are being held for a ransom of five to six figures. Maybe even more.
If you don’t pay it?
You won't get access to your data, which effectively disables the business, and the hackers may threaten to publish the sensitive data it contains: customer contact information, business projections, and so on.
No, that’s not a ’90s movie plot. Ransomware is very real and not at all rare. The phenomenon is increasingly common in Canada and has recently been featured in a Globe and Mail article.
The article cites alarming data. According to Sophos, a leading cybersecurity software company, 39 per cent of Canadian organizations have suffered ransomware attacks.
Check out Sophos email and spam protection. Our agency provides it.
In the US, paying a ransom of millions is not uncommon.
The effects of these attacks are deep, long-lasting and expensive, and companies of all sizes and levels of wealth have been hit.
The Costs are Devastating
Paying a ransom is very expensive, and there are countless additional costs, including sleepless nights.
The company under siege not only ends up paying the ransom; it also needs to hire a consultant to do the planning and negotiating with the cyber criminals.
And then there are the costs of losing trust: customers leaving the company, fewer people referring you to prospects, hiring a public relations firm to try to minimize the damage, investors selling their stocks if your company is publicly traded.
You’ll also probably at least partly be out of service while you rebuild broken systems.
You may need to pay settlements to entities and individuals whose data has been compromised. Even if you have insurance, there’s no guarantee your carrier will cover any losses, plus your premiums could go up.
You can also lose out on potential business growth and opportunities if your business plans and projections are leaked and then discovered by competitors eager for a leg up or journalists looking for a story to break.
Cybersecurity threats may partly explain why so many employers are hesitant to let employees work from home.
If such major events can happen in the office, how much more likely are they to occur with everyone working in environments you can't control?
There are indeed risks, as you can’t control how staff use their own devices at home and the device itself is often the point of vulnerability. You also can’t make your employees secure their routers.
Remember that just because you’re working in an office, that doesn’t by default make the company more secure.
Don't fret. There are many ways to mitigate the cybersecurity risks of working from home, including ransomware, and those risks are not necessarily a reason to require people to work in the office, which carries its own costs, such as losing out on talented staff who live outside your area.
Make it Secure to Work from Home
1. Require staff to only work on devices you give them
Outfit these devices with firewalls, encryption, ransomware protection and up-to-date VPNs with two-factor authentication. Only allow company server access from those devices. Ensure the device operating systems are also updated as soon as updates are available.
Set up systems to require strong passwords, two-factor authentication, etc.
2. Restrict access to employee home IP addresses
Some employees may be ticked that you’re not letting them work at a coffee shop, but you can’t ensure security there, even with a VPN. And if you let employees access a server from anywhere, it can be hard to determine where threats are coming from and isolate them.
3. Add validation systems to your domain (yourwebsite.com is a domain)
This involves publishing records in your domain's DNS, such as DKIM and DMARC, that stop unauthorized people from sending email that appears to come from your domain, i.e. masquerading as a company employee to trick staff into opening a link that launches the ransomware.
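As an added example (not code from the original article), the script below parses the DMARC and SPF TXT records a domain publishes and flags the weak settings that leave spoofing possible: a DMARC policy of `p=none`, a `pct` below 100, no `rua` reporting address, and an SPF record that ends in `~all` (softfail) or `+all`. The four sample records are constructed for a hypothetical domain `example.com`; in practice you would paste in the TXT records found at `_dmarc.yourwebsite.com` and `yourwebsite.com`. The lookup limit of 10 comes from the SPF specification (RFC 7208).

```python
"""Check DMARC and SPF records for settings that still allow domain spoofing.

Added example, not part of the original article. Sample records are constructed.
"""
from __future__ import annotations

import re

# Constructed sample records for the hypothetical domain example.com
WEAK_DMARC = "v=DMARC1; p=none; pct=100"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s; pct=100"
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"   # ~all: spoofed mail is still delivered
STRONG_SPF = "v=spf1 include:_spf.example.net -all"  # -all: unlisted senders are rejected

MAX_SPF_LOOKUPS = 10  # limit set by RFC 7208 section 4.6.4


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record ("tag=value; tag=value") into a dict of tags."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    return tags


def dmarc_findings(record: str) -> list[str]:
    """Return a list of weaknesses found in a DMARC record (empty means none)."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, it is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing messages")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports of spoofing attempts")
    return findings


def spf_findings(record: str) -> list[str]:
    """Return a list of weaknesses found in an SPF record (empty means none)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (missing v=spf1)")
    findings = []
    mechanisms = terms[1:]
    # The 'all' mechanism decides what happens to servers not listed; '+' is the default qualifier
    all_term = next((t for t in mechanisms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result, not a failure")
    elif all_term.startswith("~"):
        findings.append("~all (softfail): mail from unlisted servers is usually still accepted")
    elif all_term.startswith("+") or all_term.lower() == "all":
        findings.append("+all: any server on the internet may send as your domain")
    # Count the mechanisms that cost a DNS lookup; more than 10 makes the record permerror
    lookups = 0
    for term in mechanisms:
        name = re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"{lookups} DNS lookups: exceeds the limit of {MAX_SPF_LOOKUPS}")
    return findings


if __name__ == "__main__":
    for label, rec, check in (("weak DMARC", WEAK_DMARC, dmarc_findings),
                              ("strong DMARC", STRONG_DMARC, dmarc_findings),
                              ("weak SPF", WEAK_SPF, spf_findings),
                              ("strong SPF", STRONG_SPF, spf_findings)):
        print(f"{label}: {check(rec) or ['no findings']}")
```

Running the script prints two findings for the weak DMARC record (reporting-only policy, no reporting address), one for the weak SPF record (softfail), and none for the two strong records. A `p=none` DMARC record is a sensible first step while you confirm which servers legitimately send for your domain, but the protection the article describes only arrives once the policy is moved to `p=reject` and SPF ends in `-all`.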
4. Secure Emails
Use an email security service that screens emails for threats before delivering them to staff members. If an email is suspicious and meets ransomware criteria, it is held for review by the IT administrator assigned to moderate them.
It's imperative to make sure that the administrator understands the cybersecurity threats small businesses face.
Email security services also warn users about phishing, malicious links and spam.
It can be tricky to spot threats, so these warnings are critical for safety.
5. Use secure remote access
When you secure and monitor access, you reduce the risks. Use an encrypted VPN to access networks and/or cloud applications and servers.
6. Educate Employees and tell them what to do
Most attacks happen because of employee mistakes. However well-meaning and cautious staff members may be, many simply don't know that they need to protect their devices and operating systems, or how to do so.
They also may not know how to identify suspicious links, or that they should never open them.
Or they may be hesitant to comply if they think you're just micromanaging them and don't understand the vulnerabilities of being unprotected.
Explain how attacks happen and what to look for.
We show our clients and their staff the cybersecurity ropes with our cybersecurity awareness training. Contact us to learn more.
The most important thing is to remember that just because you’re a small business, that doesn’t mean you aren’t at risk for ransomware. Hackers know your guard is down and can take advantage of that.
By taking advanced cyber security measures, you make your company less attractive to cyber criminals.
The first step to secure your business is to find existing vulnerabilities. Take our cyber security assessment to see what you need to do.