Ransomware – It Can Come from a Trusted Source or Supplier

Yes, we’ve all seen it on the news. Software vendors are being attacked by ransomware or malware. Now that’s a problem for customers! Didn’t we use to call this being hacked? Still, so many of us remember the old maxim, “your security is only as good as the weakest link.” So now the weakest link (or at least, a weak link) can be your very own software vendor. Let’s look at what we might ask or require of our vendors. If nothing else, they should at least be doing as much as we do in our internal systems.

Someone making a large software investment recently asked me what should be included in a contract for ransomware prevention and/or afford protection from a ransomware attack from a vendor? Well, among the litany of security best practices – which I hope this organization already has in place – one additional item would be to require similar protections in all vendors serving this organization.

If you find yourself in this boat, read on. And who knows, maybe one or more of these will turn into another article!  If you are reading this and find some information daunting, please engage and partner with your IT people.

You might as well require the same of your vendors.  A comprehensive security program is a vital component of your digital success and business success.  Loss or corruption of data would most likely lead to loss of reputation and eroded customer confidence.

Cyber insurance covers tangible loss of data, loss of revenue, and more. So many insurance carriers will require much or all the above items to be in place as a condition of coverage. Make sure your cyber insurance policy (and your vendors’):

• Covers notifying and possible breach protection of customers.
• Covers the cost of recovery and forensics. You might (or your vendor) engage outside professional help – and they’re expensive.

But yet, cyber insurance alone is not sufficient.  Cyber insurance needs to be part of a more comprehensive security program.  Some of the more important elements are highlighted below.  You should already have this program in place, and require the same of your vendors, whether those are vendors of software you run internally or systems you use that are “in the cloud.”

Let’s recap briefly, at a high level.  They (the organization and their vendor) should already have:

• Policies that are board- or council- adopted. This includes acceptable use policies, security, and data policies – at the bare minimum.
• User training. Users need, and lots of it.  The organization should have regular, directed training, and it should be required. Security training is needed beyond computer skills, application, and departmental training.  Several companies specialize in end-user security awareness and keep the material up to date.
• Email filtering. Inbound emails should be automatically machine-screened against possible mal-related content.  Email providers do this, but it’s not always free or low cost.
• Include email. You might have to subscribe to a service to get the latest “list” of bad actors.  This takes a certain amount of manual updating.
• Network segmentation or separation. You don’t want computers talking to each other if it means sharing an infection.
• Endpoint protection should be behavior-based. Business-quality antivirus solutions nowadays have been updated to look at the machines’ behavior – heuristics. Any unusual or unacceptable behavior (like encrypting a bunch of files like ransomware causes) should result in a machine being immediately and automatically quarantined – isolated – for repair.
• Internal network scanning for machines’ poor behavior or widespread data changes If your inbound and endpoint protection misses something, the network scanning might pick it up.
• Data backups. There is just no substitute for backups when it comes to recovering from ransomware.  And the backup system should be configured to be secure from ransomware.
• Data diverse locations. If your data is stored in diverse locations, it might be harder or more time-consuming (giving you time to respond) to corrupt. Many files or documents can be stored in multiple systems within the cloud, making data harder to corrupt, and more available in cyber or other incidents.  But, yes, it’s more to keep track of.
• Incident response plan. You need a plan to respond to cyber emergencies. Again, like segmentation, some regulations require this.
• Practiced. And your plan needs to be rehearsed and updated at least yearly, or in the instance of a variety of big system or staffing changes.
• Notification system. It’s vital your IT staff are notified of any anomalies, possible attacks, or corruption. Many organizations upgrade to a – a security incident event management system – which can provide that notification, but it might take up some labor resources.

Consider hiring a chief information security officer (CISO) and capable staff. Or consider adding outsourcing to a managed services provider that runs a security operations center.  Either the CISO or SOC can stay abreast of and fluent in the rapid pace of development and evolution and cyber issues, events, and practices.  And they can and need to stay abreast of the constantly evolving regulatory environment pertinent to the organization.

SDI provides comprehensive cybersecurity services – from initial vulnerability assessments through 24X7 cyber incident monitoring and response programs – to reputed clients in the US. Whether you need comprehensive IT services across the security spectrum or need assistance to drive vigilance and resilience across your enterprise, SDI stands ready to serve you with executive-level experience and government expertise to help leverage your technology investment now and into the future.

If you have any questions or want more information about our cybersecurity services, please give us a call at 888-YOUR-SDI (888-968-7734) to explore how the SDI Cyber Team can protect your organization’s IT asset.

ABOUT SDI’s GUEST BLOGGER

SDI’s IT Consultant Tim Williamsen is an experienced IT leader, a licensed and degreed electrical engineer, specializing in IT management, control systems (SCADA), cybersecurity, service delivery, and business solutions.

Mr. Williamsen has more than 35 years of experience, with more than 20 years in public sector IT leadership, and is widely regarded throughout the industry in all levels of IT management, system troubleshooting, design, installation, and administration. His skills range from project accounting, management, estimating, and scheduling to fiber optics, to software development, systems integration, and maintenance.