Ransomware - The Hurricane of Information Security

Geoff Yeagley
Oct 10, 2016 9:11:33 AM

I love how they name different hurricanes and honestly, outside of my own name, I would love to see a hurricane named Hurricane Ransomware. If you are like me and have the privilege of living in Florida, you recently experienced the joy of preparing for a major storm, Hurricane Matthew. For those in the rest of the country, except California (you guys get the best weather!), you have had the experience of preparing for a snowstorm or some other significant weather event. Storm preparation depends on the person but there are always tasks to accomplish before the storm arrives. These tasks might include buying water, batteries, non-perishable food items, candles or other things you may need to ride the storm out. 

Ransomware is kind of like a hurricane, or some other natural disaster. We spend all our time reading stories online about how bad it is and we think, "Man, it stinks to be them, that will never happen to me," until... it does happen to you. For me living in Florida for the past 12 years, I have experienced close to 50 hurricane warnings. As warnings come and don’t come to fruition, I become complacent. I start to believe it can't happen to me. The same is true with Ransomware. Do a Google search for Ransomware; there is no shortage of examples of organizations affected by this type of malware. When we read them we might think, "How is that even possible?" or "Stinks to be them". We get complacent because it hasn't happened to us recently or ever. Don't do that. Don't get complacent because as soon as you're not on your toes, BOOM, you get hit with Ransomware (or a hurricane, your choice). So what can we do to avoid complacency? I am going to give you 2 tips, almost as if they were written by Jim Cantore from The Weather Channel himself (on a side note, if that guy shows up in your town to report the weather, run as fast as possible the other way):

  • Prepare - Just like a hurricane, you have to prepare for Ransomware. How do you do that, you ask? Well, there are several things that you can do, which include implementing a Security Awareness Training PROGRAM. Notice that I added program to the end of that sentence? If you send out a training video once a year to check a compliance box, you are doing your staff and your organization a major disservice. Keep it fresh, fun, and in front of your employees. Next, test those employees. Send them a fake phishing email to see how many click on the link (you will be shocked at the results). It's better that YOU test them rather than them being fooled by hackers. Use the results as a training opportunity to build a culture of security.
  • Secure Your Data - That's obvious, but we are talking about Ransomware here, so the twist on this is a little different. Remember, Ransomware wants to hold your data hostage until you pay, not steal it. Just like a hurricane, you secure your house by moving flying objects (I'm looking at you, patio furniture) indoors. You put plywood or shutters over your windows. You remove loose tree limbs so they don't become wooden missiles hurling through the air at 125 miles per hour. Well, when it comes to your data, you MUST back your data up often and offline. What does that mean? That means don't have your backup connected to your network, or guess what? You run a significant risk of having that data encrypted as well.

Prepare and Secure. Just like a hurricane or other weather event, don't get complacent and adopt the "It can't happen to me" mentality. The moment you think that way, it will happen to you! If you're looking for me, I will be buying batteries for the 39 flashlights I own and stocking up on water! Till next time...
