Worse yet, they may already have done so. A typical ransomware intrusion unfolds over weeks or even months: the attackers quietly harvest credentials and map the network so that, when they finally encrypt, they reach your most valuable data in one sweep. By the time many financial services firms realise that their defences have been breached, it is too late. The ransom itself—which often exceeds a million pounds—is often the least damaging consequence of a successful attack. Operational downtime following a ransomware incident lasts 26 days on average, and your firm’s standing with both current and prospective clients will suffer long after that.
No single factor will protect your firm completely from ransomware attacks. But the following steps can work together to keep malicious activity off your network, and to limit the damage caused by missteps and minor vulnerabilities.
1. Back up your data frequently, regularly, and comprehensively
Backups copy your documents, applications, and system software to a separate location, letting you turn back the clock in case your system is damaged or compromised. That’s the theory, at least. In practice, few organisations back up their data thoroughly enough or regularly enough to withstand a ransomware attack.
Even if you have a backup scheme in place, take some time to review it. Basic online backup services are designed to recover from human error or hardware failure, and do little to protect you against ransomware. Most of them work incrementally: they take a full copy once, then copy only the files that have changed since the previous run. That is exactly the wrong behaviour during an attack. Ransomware rewrites most of your important files in one sweep, and a backup job that runs on schedule will faithfully copy the encrypted versions up to the cloud. If the service keeps no file history, or keeps it for a shorter period than it takes you to notice the attack, the clean copies age out and your backup has come to nought. Worse, a backup that the compromised machine can reach with stored credentials can simply be deleted or encrypted along with everything else; attackers routinely look for backups before they trigger encryption.
A robust backup scheme keeps at least one copy offline or in immutable storage that the production network cannot overwrite, retains file history for longer than an intrusion typically goes unnoticed, and is tested by actually restoring from it. That minimises the impact of an attack and changes your leverage with the criminals should one succeed: a firm that can restore has no reason to pay. Your backup provider won’t typically document that sort of scenario, so it’s wise to have a security expert review your arrangement.
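To make that failure mode concrete, here is an added example written for this page (not code from the article or from any backup product). It models a versioned backup store in Python and runs four scenarios: a sync-style backup with no history, a seven-day history where the attack is noticed in time, the same history where it is noticed too late, and the same history with a mass-change guard that holds a backup run when most of the file set changes at once. The file names, contents and the XOR "encryption" are constructed sample data, and the store itself is a model, not a product.

```python
# Added example, not from the original article: a small model of a versioned
# backup store, used to show why a sync-style backup loses to ransomware and
# what retention plus a mass-change guard buys you. Every file name and content
# here is constructed sample data; the store is a model, not a backup product.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Version = Tuple[int, bytes]          # (day the copy was taken, file content)


@dataclass
class VersionedStore:
    keep_days: int                   # time-based retention, as most products use
    change_threshold: float = 0.5    # fraction of files changed in one run deemed suspicious
    versions: Dict[str, List[Version]] = field(default_factory=dict)
    held_runs: List[int] = field(default_factory=list)

    def backup(self, snapshot: Dict[str, bytes], day: int) -> str:
        """Ingest one scheduled backup run. Returns "ok" or "held"."""
        if self.versions:
            changed = sum(
                1 for path, data in snapshot.items()
                if not self.versions.get(path) or self.versions[path][-1][1] != data
            )
            if changed / max(len(snapshot), 1) >= self.change_threshold:
                # Ransomware rewrites most of the file set in one sweep. Holding the
                # run keeps it from pushing clean copies out of retention and gives
                # a human a chance to look before anything is pruned.
                self.held_runs.append(day)
                return "held"
        for path, data in snapshot.items():
            hist = self.versions.setdefault(path, [])
            if not hist or hist[-1][1] != data:
                hist.append((day, data))
            # Retention: drop copies older than keep_days, but never the newest one.
            self.versions[path] = [v for v in hist[:-1] if v[0] >= day - self.keep_days] + hist[-1:]
        return "ok"

    def has_clean_copy(self, path: str, clean: bytes) -> bool:
        """True if any retained version of path still matches the known-good content."""
        return any(data == clean for _, data in self.versions.get(path, []))


def fake_encrypt(data: bytes, key: int = 0x5A) -> bytes:
    # Stand-in for the attacker's encryption; XOR is enough to make the bytes unrecognisable.
    return bytes(b ^ key for b in data)


# Constructed sample file set: ten spreadsheets before and after the attack.
CLEAN = {f"/finance/ledger_{i}.xlsx": f"ledger {i} contents".encode() for i in range(10)}
ENCRYPTED = {path: fake_encrypt(data) for path, data in CLEAN.items()}
PROBE = "/finance/ledger_3.xlsx"


def run_scenario(keep_days: int, guard: bool, days_after_attack: int) -> dict:
    """Day 0: clean full copy. Days 1..N: the scheduled job keeps running after
    the files have been encrypted. Reports whether a clean copy survives."""
    store = VersionedStore(keep_days=keep_days, change_threshold=0.5 if guard else 2.0)  # 2.0 never triggers
    store.backup(CLEAN, day=0)
    outcomes = [store.backup(ENCRYPTED, day=d) for d in range(1, days_after_attack + 1)]
    return {
        "held_runs": outcomes.count("held"),
        "clean_restorable": store.has_clean_copy(PROBE, CLEAN[PROBE]),
    }


if __name__ == "__main__":
    print("sync-style, no history:       ", run_scenario(keep_days=0, guard=False, days_after_attack=1))
    print("7-day history, noticed day 5: ", run_scenario(keep_days=7, guard=False, days_after_attack=5))
    print("7-day history, noticed day 10:", run_scenario(keep_days=7, guard=False, days_after_attack=10))
    print("7-day history + guard:        ", run_scenario(keep_days=7, guard=True, days_after_attack=10))
```

The two things to take from the scenarios: retention has to be longer than the time it takes you to notice an attack, and a backup job that blindly accepts a run in which every file changed is working for the attacker. Real products implement the guard as a ransomware-detection alert; the question to ask your provider is whether yours does, and how long its file history actually is.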
2. Lock down your remote authentication
Remote work isn’t just a trend: it is a permanent shift to a new way of collaborating and sharing resources. It also represents a new way of identifying who belongs in your firm’s workspace. Access cards and fobs might have secured your physical office, but they benefited from the relatively limited foot traffic to your doors. Your IT systems are potentially open to anyone on earth who can convince your system that they belong. For a growing number of businesses, authenticating remote users is the single most productive step they can take toward averting ransomware attacks.
Remote authentication extends beyond direct access to your in-house systems. It also encompasses logins to cloud-based resources, third-party services such as Dropbox, and any other scenarios requiring your employees to provide usernames and passwords.
Speaking of which, the old username/password combination no longer provides reliably secure authentication in any scenario. Unique, complex passwords are still important, but additional means of authentication are absolutely necessary for today’s financial services firms. Multi-factor authentication adds at least one more identifying layer to the mix: a one-time code from an authenticator app or sent to another device, a prompt to approve on a registered phone, a certificate installed on firm-owned devices, or a hardware security key. Not all of these are equal. Codes sent by SMS and simple approve/deny prompts can be phished, or worn down with repeated prompts until a tired employee taps "approve"; certificates and FIDO2 security keys are bound to the legitimate site and resist that kind of trick. Prefer those for the accounts that matter most, starting with administrators and remote-access gateways.
Third parties such as cloud providers may be rightly proud of their security infrastructure, but under the usual shared-responsibility arrangement their guarantees cover the platform, not the way you use it. Who can log in to your tenant, and how, is your decision and your exposure. Be sure that cloud providers and other third parties honour the same multi-factor authentication policies that govern your own network, ideally by routing their logins through your firm’s single sign-on so that one policy applies everywhere.
3. Review your first lines of defence
The login pages, firewalls, remote-access gateways, and public IP addresses and domain names that let your organisation communicate with the world also invite some risk. It is not uncommon for IT departments to sacrifice security for functionality and ease of use when they install and configure firewalls, or to leave a remote desktop or VPN service reachable from the internet with nothing but a password in front of it. This can give cybercriminals opportunities to infiltrate your network.
Scanning your outward-facing infrastructure for weaknesses might seem like a lot of work for little payoff, but consider it from a criminal’s point of view. An automated process can scan an organisation’s addresses, web portals, login pages, and firewalls with little cost or oversight, looking for weaknesses to exploit, and it does so continuously. You should scrutinise your systems just as closely: keep an inventory of everything you expose, scan it regularly, and have a security consultant review the configuration of your first lines of defence at least every six months.
4. Restrict users’ privileges
Each user in your system is assigned a set of privileges that allow them to control, run, and edit items on your network. Too often, these privileges are overly broad, and include permissions that a given user will never need. Ransomware depends on this unwitting generosity: when an attacker gains control of a user account, the malware runs with every privilege assigned to that account, so it can encrypt every file the user can write and change the security settings of sensitive files. If the account is also a local administrator, it can disable endpoint protection, delete local snapshots and move on to other machines before it ever shows its hand.
A policy of least privilege will give your personnel the freedom they need to do their jobs without leaving the door open for attackers. In practice that means everyday accounts without administrator rights, separate accounts for administrative work, and a periodic review that removes privileges nobody has used.
5. Tailor access to users’ needs
Permissions determine what each user on your network can do with the data available to them. Access defines what they can reach to begin with.
Most systems assign access to directories or individual files, and too many file shares are left open to very broad groups such as "Everyone", "Authenticated Users" or every user in the domain. This allows IT staff to add new users quickly and puts everyone on the same footing, but at the cost of a dangerous security weakness: a single compromised account, any account, can see and often modify everything in those shares.
Some data and documents on your network might be useful to everyone in your firm…but how much of your network truly meets that description? To the extent that you limit access to the specific roles that need to use a given file or directory, you limit the ease with which malicious actors can do harm on your network. A full audit of your network’s access might take some time, but it is time well spent.
This can be a touchy issue with senior staff. Some executives might bristle at the idea of being denied access to some network assets, even though they seldom if ever have occasion to use them. Do what you can to make a case for limited access, even for top-level executives: the entire point of customised access to your network is to avoid the security vulnerabilities introduced by accounts with full access to your entire operation.
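Steps 4 and 5 come down to one review: find grants that are broader than anyone needs, measure what a single ordinary account can reach, and remove what is not used. The following is an added example written for this page, not code from the article or from any file server product. The share names, groups, users and access dates are constructed, and the ACL list is a hypothetical export in the (share, principal, right) form that Windows file-share tooling produces, but the three checks are the ones a reviewer would run over a real export.

```python
# Added example, not from the original article: a small audit over a constructed
# file-share ACL export. It flags broad write grants, shows how far one ordinary
# account can write (the blast radius ransomware would use), and lists write
# grants nobody has exercised. Share names, groups, users and dates are made up.
from datetime import date
from typing import Dict, List, Set, Tuple

Grant = Tuple[str, str, str]        # (share, principal, right) as exported from the file server

BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
WRITE_RIGHTS = {"Write", "Modify", "Full Control"}

SHARE_FINANCE, SHARE_PUBLIC, SHARE_HR, SHARE_BOARD = (
    r"\\fs01\Finance", r"\\fs01\Public", r"\\fs01\HR", r"\\fs01\Board")

ACL: List[Grant] = [
    (SHARE_FINANCE, "Finance-Team", "Modify"),
    (SHARE_FINANCE, "Domain Users", "Read"),
    (SHARE_PUBLIC, "Everyone", "Full Control"),
    (SHARE_HR, "HR-Team", "Modify"),
    (SHARE_HR, "Authenticated Users", "Modify"),     # the kind of grant that gets added "for now"
    (SHARE_BOARD, "Exec-Team", "Full Control"),
]
GROUPS: Dict[str, Set[str]] = {
    "Finance-Team": {"alice", "bob"}, "HR-Team": {"carol"}, "Exec-Team": {"dave", "erin"}}
ALL_USERS: Set[str] = {"alice", "bob", "carol", "dave", "erin"}
# (user, share) -> last date that user touched the share, from constructed audit logs.
LAST_ACCESS: Dict[Tuple[str, str], date] = {
    ("alice", SHARE_FINANCE): date(2024, 5, 30), ("bob", SHARE_FINANCE): date(2024, 6, 20),
    ("carol", SHARE_HR): date(2024, 6, 1), ("dave", SHARE_BOARD): date(2024, 1, 5),
}
AUDIT_DATE = date(2024, 6, 30)      # the day the review is run (constructed)


def expand_principal(principal: str, groups: Dict[str, Set[str]], all_users: Set[str]) -> Set[str]:
    """Resolve a principal to concrete users; a broad principal means every user."""
    if principal in BROAD_PRINCIPALS:
        return set(all_users)
    return set(groups.get(principal, {principal}))


def broad_write_grants(acl: List[Grant]) -> List[Grant]:
    """Write access handed to everyone: the first thing to remove."""
    return [g for g in acl if g[1] in BROAD_PRINCIPALS and g[2] in WRITE_RIGHTS]


def remove_broad_write_grants(acl: List[Grant]) -> List[Grant]:
    bad = set(broad_write_grants(acl))
    return [g for g in acl if g not in bad]


def writable_shares(user: str, acl: List[Grant], groups, all_users) -> Set[str]:
    """Every share this one account can modify: what ransomware running as the user could encrypt."""
    return {share for share, principal, right in acl
            if right in WRITE_RIGHTS and user in expand_principal(principal, groups, all_users)}


def stale_write_grants(acl, groups, all_users, last_access, today: date,
                       max_idle_days: int = 90) -> List[Tuple[str, str, str]]:
    """Users holding a write grant on a share they have not touched within max_idle_days, or ever."""
    findings = []
    for share, principal, right in acl:
        if right not in WRITE_RIGHTS or principal in BROAD_PRINCIPALS:
            continue                                   # broad grants are reported separately
        for user in sorted(expand_principal(principal, groups, all_users)):
            last = last_access.get((user, share))
            idle = (today - last).days if last else None
            if idle is None or idle > max_idle_days:
                findings.append((user, share, "never" if idle is None else f"{idle} days"))
    return findings


if __name__ == "__main__":
    print("broad write grants:", broad_write_grants(ACL))
    print("alice can write to:", sorted(writable_shares("alice", ACL, GROUPS, ALL_USERS)))
    print("...after tightening:", sorted(writable_shares("alice", remove_broad_write_grants(ACL), GROUPS, ALL_USERS)))
    print("unused write grants:", stale_write_grants(ACL, GROUPS, ALL_USERS, LAST_ACCESS, AUDIT_DATE))
```

In this constructed data, alice is an ordinary finance user, yet before the broad grants are removed she can write to three of the four shares; afterwards only to her own team's. The stale-grant check is the one that surfaces the executive problem described above: two members of the exec group hold full control of a share that one has not opened in six months and the other has never opened at all.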
6. Keep your software up to date
Unlike most products, software is typically released with the full understanding that it contains some bugs. The range of possible environments in which most commercial software can be installed, and the nearly infinite variety of ways in which it can be used, mean that no software publisher can test every possible scenario before it releases a new product. When problems come to light, software providers distribute fixes, or patches, designed to set things right.
That’s all well and good, but announcing a patch also announces the bug that necessitated it. Criminals pay attention to these releases too, and frequently have working exploits within days. The lag between a software provider’s distribution of a patch and your firm’s application of that patch is fertile ground for attackers looking to exploit newly publicised bugs. Reduce this lag by keeping an inventory of what you run, subscribing to your vendors’ security notices, and applying patches as quickly as possible, starting with anything reachable from the internet and anything a vendor reports as already being exploited.
7. Strengthen your email filtering
Email is the weakest link in your firm’s security chain. Shoring up your email security begins with training your employees to recognise potential cyberattacks and to respond appropriately, but it does not end there. Even the most conscientious employees can click the wrong link or open the wrong attachment in moments of weakness, and your system should be ready for these possibilities.
Most email platforms include filters that identify suspicious senders, questionable links, and problematic attachments, and delete or quarantine potentially harmful messages. These filters might produce some false positives from time to time, but they are absolutely worth using. Many providers switch on only a lightweight version of their filtering by default, and the defaults rarely block what ransomware operators actually send. At a minimum, make sure that executable and script attachments (.exe, .js, .vbs, .hta, .lnk and the like, including inside archives) are blocked outright, that macro-enabled Office documents from outside the firm are quarantined, that links are rewritten so they are checked again at click time, and that your domain publishes SPF, DKIM and DMARC records so that mail forging your own addresses is rejected. If you have reason to believe that your provider’s filtering is still insufficient, ask what you can do to improve it.
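To show what such a filter actually looks at, here is an added example written for this page, not code from the article or from any mail product. It uses only Python's standard library to parse a message and apply three gateway-style checks: a Reply-To or Return-Path domain that differs from the From domain, an attachment whose real (last) extension is a blocked type or is disguised behind a harmless-looking one, and an HTML link whose visible URL disagrees with its real target or points at a bare IP address. Both messages are constructed for the demo (the `.test` domains are reserved, not real), and the header names, extension lists and verdict rule are this example's own choices.

```python
# Added example, not from the original article: a gateway-style check over
# inbound mail using only Python's standard library. Both messages below are
# constructed for the demo, not real captures; a production gateway would add
# SPF/DKIM/DMARC evaluation and attachment sandboxing on top of this.
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Attachment types that have no business arriving from outside the firm.
BLOCKED_EXTS = {"exe", "scr", "js", "jse", "vbs", "vbe", "hta", "lnk", "iso", "img",
                "msi", "bat", "cmd", "ps1", "docm", "xlsm", "pptm"}
HARMLESS_LOOKING = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
IP_LITERAL = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value: str) -> str:
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def analyse(raw: bytes) -> Tuple[str, List[str]]:
    """Return ("deliver" | "quarantine", reasons) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []
    # 1. Header consistency: replies quietly diverted to another domain.
    from_dom = domain_of(msg.get("From", ""))
    for hdr in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(hdr, ""))
        if other and other != from_dom:
            reasons.append(f"{hdr} domain {other} differs from From domain {from_dom}")
    # 2. Attachments: the real type is the last extension, whatever the name pretends.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = name.split(".")[1:]
        if exts and exts[-1] in BLOCKED_EXTS:
            reasons.append(f"attachment {name}: blocked type .{exts[-1]}")
        if len(exts) >= 2 and exts[-2] in HARMLESS_LOOKING:
            reasons.append(f"attachment {name}: disguised as .{exts[-2]}")
    # 3. Links: visible URL disagreeing with the real target, or a bare IP address.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = (urlparse(href).hostname or "").lower()
            shown = re.search(r"https?://([^/\s]+)", text)
            if shown and shown.group(1).lower() != host:
                reasons.append(f"link shows {shown.group(1)} but points to {host}")
            if IP_LITERAL.fullmatch(host):
                reasons.append(f"link to bare IP {host}")
    return ("quarantine" if reasons else "deliver"), reasons


def build_sample(reply_to, html, filename, payload, subtype) -> bytes:
    """Constructed sample message; the .test domains are reserved and not real."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "Accounts Payable <ap@example-bank.test>", "finance@firm.test", "Overdue invoice"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Please see the attached invoice.")
    m.add_alternative(html, subtype="html")
    m.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return bytes(m)


PHISH = build_sample("ap-helpdesk@mail-example-bank.test",
                     '<p>Review at <a href="http://198.51.100.7/login">https://portal.example-bank.test/login</a></p>',
                     "Invoice_Q2.pdf.exe", b"MZ\x90\x00", "octet-stream")
LEGIT = build_sample(None,
                     '<p>Review at <a href="https://portal.example-bank.test/login">https://portal.example-bank.test/login</a></p>',
                     "Invoice_Q2.pdf", b"%PDF-1.4\n", "pdf")

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, *analyse(raw))
```

The constructed phishing message trips all three checks and is quarantined; the otherwise identical legitimate one passes clean, which is the false-positive test worth keeping when you tune rules like these. Note that the attachment rule keys on the last extension: "Invoice_Q2.pdf.exe" is an executable however it is displayed on a desktop that hides known extensions.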
8. Customise your anti-virus tools
Anti-virus software identifies and neutralises malicious downloads and email attachments before they are able to affect your system. Like email filters, you might have been using anti-virus software for so long that you take it somewhat for granted. And like email filters, anti-virus tools are so ubiquitous, and their default settings calibrated for such a wide audience, that they require careful attention before they perform as intended on your firm’s system.
Your IT team may be able to handle some of the other items on this list, but along with a semi-annual survey of your forward-facing network assets, configuring your anti-virus software might be best left to a network security specialist. Once you have established a customised anti-virus setup for your firm, make sure that every device on your network is covered, and that your software patches and virus definitions stay up to date.
You should also ensure that your anti-virus software is administered from a central console, not on a device-by-device basis, and that its tamper-protection setting is switched on. Ransomware operators routinely try to disable or uninstall endpoint protection on each machine before they deploy the payload; central control means a compromised local administrator cannot simply turn it off, and a protected device falling silent in the console is itself a useful alarm.
9. Use your web browser’s built-in protection
Your firm’s defence against ransomware attacks must anticipate mistakes made by your employees. Web browsers can provide a layer of protection against cyberattacks by alerting users when they attempt to open suspicious files or visit potentially harmful websites. Like many of the technologies listed here, we are all accustomed to these warnings, but any given browser’s bog-standard settings may not be enough to sufficiently protect your system.
When attackers cannot get a malicious attachment past your email filters and anti-virus software, they often lure employees to authentic-looking websites that deliver the malware instead. Browser providers devote significant resources to identifying these fraudulent websites and warning users before they load them. At a bare minimum, train your employees to always heed these warnings, and to proceed only if they are absolutely sure that they have clicked a safe link. Better yet, use your browser’s enterprise policy settings to block flagged sites outright rather than showing a warning the user can click through. Your employees may occasionally be inconvenienced when attempting to access legitimate sites that are poorly configured, but that inconvenience amounts to very little compared to the cost of a successful ransomware attack.
10. Prepare your response
We’ve said it before, but even the most assiduous security scheme can break down. Even when your employees are fully trained and on their game, even when your software protections are appropriately configured and updated, malicious actors can still find ways to break through. It’s their full-time job, after all. When all else fails and your network experiences a significant security incident, you should be ready to respond with an incident response plan: a comprehensive course of action that performs a sort of triage on your network after it has been breached.
The steps your team takes to isolate and manage the consequences of a cyberattack will vary with the nature of the attack itself, and are beyond the scope of this guide. But every incident response plan begins with timely alerts that reach the right people at the right time. These alerts should include phone calls or other out-of-band contact with key employees, since email and other network resources might be compromised or quarantined. At a minimum, the list should include the IT personnel in charge of investigating and containing the attack at the network level, and the people who coordinate notifications to your firm’s employees and to any clients or regulators who must be told. Keep that contact list somewhere the attack cannot take with it, such as a printed copy held off the network.
The devil, as they say, is in the details, and each of these steps may reveal additional vulnerabilities in your IT infrastructure. But together, they represent a comprehensive approach to hardening your firm against the continually growing threat of ransomware attack. Please contact us if you have any questions about the steps described here.