Ransomware attacks are on the rise and continue to be the primary method of cyber infiltration by hackers. Experts estimate that this year alone, every 11 seconds there will be a ransomware attack against an unsuspecting business. In fact, the total global number so far this year exceeds the same period in 2020 by 150 percent. Recent high-profile ransomware targets include the Colonial Pipeline, JBS Foods, the NBA, and Kia Motors.
Reformed Hacker Wants to Help
While we all know the cyber protection basics—keep passwords safe, use different passwords for different accounts and private internet connections, etc.—sometimes it takes a thief to stop a thief, or in this instance a hacker. One self-proclaimed reformed hacker wants to help. While he was born Giovanni Natale, he hasn’t gone by that name in years. His hacker trade name is “Johnny Xmas.”
He began hacking by committing nuisance computer annoyances as a teenager, which escalated over time into much more serious and crippling cyber assaults. He’s since transformed from a cyberpunk into a cybersecurity pro. While he’s still a hacker, he’s no longer hacking bank accounts or corporations for fun. Instead, enterprises pay him to try and punch holes, exploit weaknesses, and find vulnerabilities in their internal and external networks. He then shows them how to fix those digital deficiencies.
Xmas has seen and done it all when it comes to hacking, and he recommends the following top protection steps against ransomware.
1. Install Multi-Factor Authentication (MFA) for All Company Logins
After a user enters their username and password, MFA adds another layer of security by sending a four- to eight-digit verification code to a pre-registered email address or phone number. The user then has to enter that code manually to finish the login.
“It’s devastating for a hacker when they see an MFA countermeasure,” says Xmas. “From a hacker’s perspective, whenever they see that come up on a login, forget it. They’re going to go somewhere else and try something else. There’s no way to guess and test a multi-number verification code before that code expires in 90 seconds. That’s the simplest and best first step to take.”
Xmas adds that MFA presents an additional hurdle for attackers when the system also enforces a maximum number of login attempts and then locks the account against further tries.
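The two properties described above, a short-lived one-time code and a lockout after too many failed attempts, are what make guessing impractical. The following is an added example (not code from the article or from any product Xmas uses) of the server-side half of such a check, written in Python. The 6-digit length, the 5-attempt threshold and the 15-minute lockout are assumed settings; the 90-second expiry is the figure quoted in the article. The clock is injectable so expiry and lockout can be exercised without waiting.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Article figures: 4-to-8-digit code, 90-second expiry. The remaining values are
# assumed settings for this example, not the policy of any product named on the page.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 90
MAX_ATTEMPTS = 5           # assumed: failed guesses allowed before lockout
LOCKOUT_SECONDS = 15 * 60  # assumed: how long the account stays locked


@dataclass
class MfaState:
    code: Optional[str] = None   # the outstanding one-time code, if any
    issued_at: float = 0.0
    failed_attempts: int = 0
    locked_until: float = 0.0


def brute_force_success_probability(attempts: int, digits: int = CODE_DIGITS) -> float:
    """Chance that `attempts` random guesses hit one specific `digits`-digit code."""
    return min(1.0, attempts / 10 ** digits)


class MfaVerifier:
    """Second-factor check that runs only after the password step has succeeded."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._users: Dict[str, MfaState] = {}

    def issue_code(self, username: str) -> str:
        """Create a fresh random code; the caller delivers it by SMS or e-mail."""
        state = self._users.setdefault(username, MfaState())
        # secrets (not random) so the code is unpredictable; zero-padded to fixed width
        state.code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        state.issued_at = self._clock()
        return state.code

    def verify(self, username: str, submitted: str) -> str:
        """Return one of: 'ok', 'wrong', 'expired', 'locked'."""
        state = self._users.setdefault(username, MfaState())
        now = self._clock()
        if now < state.locked_until:
            return "locked"          # refuse even a correct code while locked
        if state.code is None or now - state.issued_at > CODE_TTL_SECONDS:
            state.code = None        # nothing outstanding: client must request a new code
            return "expired"
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(state.code.encode(), submitted.encode()):
            state.code = None        # single use: a replayed code fails
            state.failed_attempts = 0
            return "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= MAX_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failed_attempts = 0
            state.code = None        # invalidate the code that was being guessed at
            return "locked"
        return "wrong"


if __name__ == "__main__":
    verifier = MfaVerifier()
    code = verifier.issue_code("alice")
    print("code delivered out of band:", code)
    print("wrong guess ->", verifier.verify("alice", "000000" if code != "000000" else "000001"))
    print("right code  ->", verifier.verify("alice", code))
    print("replay      ->", verifier.verify("alice", code))
    print("P(success with %d guesses) = %.1e" % (MAX_ATTEMPTS, brute_force_success_probability(MAX_ATTEMPTS)))
```

With these settings an attacker who has the password gets at most five guesses out of a million possibilities per issued code, and the code is dead after 90 seconds or one successful use in any case; that is the arithmetic behind Xmas's "forget it".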
2. Verify Vendors Have Adequate Cyber-Protection Systems and Protocols
If you use third-party vendors for HR support, web design, payroll, email marketing, accounting, legal services, and so on, make sure they’ve gone through their own security testing. This is especially true for any vendor that has direct access to your website or network infrastructure.
“It’s completely acceptable to request an affidavit from them confirming when their last security assessment was, what it found, the remediation steps taken, and when their next audit is scheduled,” Xmas encourages. “That type of request is becoming the norm.”
He goes on to say that the official name of the affidavit is a “letter of attestation.” If your vendor doesn’t know what that means, they’re likely not taking those precautions and are exposing your systems as well. Be sure to take this step before signing any contract with a third-party vendor.
3. Do Not Let Telecommuters Use Personal Computers for Work
Instead, provide workers with the most basic computer interface possible that can also be remotely managed. Xmas says one of the best and cheapest options is an “enterprise-class” Chromebook, further noting that company-supplied devices can all be pre-loaded with the same malware protections, which can then be updated automatically as new versions become available, along with operating system security updates.
4. Have a Dedicated Cybersecurity and IT Support Individual
This can be the individual who already does IT for you, but make sure they also have experience securing a small- to medium-sized business, since that will be their responsibility to manage.
“They can also help draft a security policy, which doesn’t need to be more than one page for a small business,” Xmas explains. “It can outline the acceptable use policy of the hardware the company is providing and have each employee read and sign; list the frequency of security updates to remote devices and local firewall settings; and schedule weekly malware updates system wide. If you don’t think that’s a full-time job, remember that setting these systems up is just part of the process. Not only do they have to be monitored, they have to be audited on a monthly or quarterly basis. Just because it’s okay today, doesn’t mean it’ll be okay tomorrow. A lot of business owners don’t realize that.”
He says if your organization is large enough to need email and an external website to operate, it’s large enough to need an IT pro with security experience as well.
5. Systems Backups are Good; Audits of Those Backups are Essential
While making cloud-based and physical backups of mission-critical files is important, it’s even more important to audit those backups regularly.
“I don’t see anyone doing daily or weekly backups of their most important files, records or data,” says Xmas. “When they do happen to back up their files, they’re not testing whether the backup services are working properly. Business owners can get lulled into a false sense of security that their systems are copied to the cloud or a nearby physical hard drive. But without testing and systematic audits of those copies, they won’t know if the backups captured all the necessary files accurately or if they can be easily and quickly restored.”
Technology is everywhere, and so are hackers. Cyber defense is a growing cost of doing business that wasn’t a necessity five years ago, but it is now. If you don’t protect the digital assets that belong to you, there’s an increasing likelihood they’ll soon belong to someone else.