This is going to sound like heresy. Stay with me.
The WannaCry ransomware attack may have been a good thing.
It delivered a diagnosis we desperately needed to hear—but nobody wanted to hear. We have an extreme case of vulnerability. The big question is whether or not we'll do what's necessary to cure it.
In a couple of ways, WannaCry was unique. It was a global attack. Its primary targets were large corporate or government networks. And the ransom price was small: first $300 in bitcoin, later raised to $600.
But ransomware itself is not only common but rampant. Along with large corporate, transportation, hospital and school networks, computers serving smaller businesses, individuals, and even local law enforcement offices have been held hostage by ransomware. CNBC reports that ransomware attacks grew 6,000% from 2015 to 2016! About 70% of victims paid the ransom to get their data back. And the costs can be staggering: 50% paid more than $10,000, and 40% paid more than $20,000! According to Business Insider, just one of the many ransomware strains has generated $325 million in payments!
And ransomware is just one attacker in a horde of cyber enemies. Malware, viruses, bloatware, and phishing attacks are too abundant to number. So here's the big question . . .
What's keeping your company safe?
Most people think of a firewall or anti-virus software. That's all good, but it's not enough—especially as businesses are increasingly dependent on the Web for data management and sales. In fact, you have two important defense strategies against cyber attack: You and Your Web Developer.
Your number one defense—YOU
That's right—YOU—in the plural: you and every individual computer user at your company. Let that idea roll around in your head for a minute. Your cyber security is only as safe as each individual computer user in your company. If that's going to make you lose sleep tonight, read on.
Try this experiment!
Ask each computer user in your company to write down three things they do every day to keep the company, its people, and its information safe online. When you get the results, you'll know whether to hold a congratulatory staff meeting or an emergency training session. Here are some essential skills for every computer user:
What YOU can do to defend against cyber attack
1. Be vigilant against malicious emails and attachments.
Know the warning signs of emails that are likely to contain malicious content: misspelled words, all capital letters, overuse of punctuation marks, big promises or winner notifications. A subject line like "!!!!!YOUVE WON 10,000 DOLLARS!!!!!" means an email should go straight to the trash bin unopened.
Some signs are less obvious though and require you to apply some old fashioned common sense. Earlier this month, a phishing scam spread through emails saying that a friend (who supposedly sent the email) had shared a Google doc with you. The scam had nothing to do with Google or Google docs, and Google quickly shut the scam down. But anyone who had already opened the email found that it was immediately sent out to everyone in their address book. If users tried to access the "Google doc," their Google login information was compromised.
Common sense tells you to ask whether you're expecting a Google doc from this friend. If not, at least call to ask if the person sent one. Rule to stay cyber-safe by: Never click an attachment unless you know what it is and know it is safe. If you're not 100% sure, ask someone who's more experienced than you are before you take the risk.
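The warning signs listed above can be turned into a simple triage rule. The following is an added example (not code from the original post) that scores constructed sample subject lines for the signs the post names: mostly capital letters, runs of punctuation, prize or "winner" wording, and misspellings checked against a small constructed list. The sample subjects, the lure-word list and the misspelling list are all assumptions made for the demonstration; a real mail filter would use far larger lists.

```python
import re

# Constructed sample subject lines for demonstration; they are not from the original post.
SAMPLE_SUBJECTS = [
    "!!!!!YOUVE WON 10,000 DOLLARS!!!!!",
    "Q2 budget review - agenda attached",
    "URGENT: Your acount will be suspeneded",
    "John has shared a document with you",
]

# Words typical of "big promises or winner notifications". Constructed, illustrative only.
LURE_WORDS = {"won", "winner", "prize", "congratulations", "claim", "urgent", "suspended"}

# A few frequent misspellings seen in lure mail. Constructed, illustrative only.
MISSPELLINGS = {"acount", "suspeneded", "verfiy", "recieve", "pasword"}


def warning_signs(subject):
    """Return the list of warning signs found in one subject line."""
    signs = []
    letters = [c for c in subject if c.isalpha()]
    # Sign 1: the subject is (almost) entirely capital letters.
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.8:
        signs.append("all_caps")
    # Sign 2: three or more exclamation/question/dollar marks in a row.
    if re.search(r"[!?$]{3,}", subject):
        signs.append("punctuation_overuse")
    words = re.findall(r"[a-z']+", subject.lower())
    # Sign 3: prize, winner or pressure wording.
    if any(w in LURE_WORDS for w in words):
        signs.append("lure_words")
    # Sign 4: known misspellings.
    if any(w in MISSPELLINGS for w in words):
        signs.append("misspelling")
    return signs


def triage(subject):
    """Map the number of warning signs to the post's advice:
    two or more -> straight to the trash, one -> verify with the sender, none -> ok."""
    count = len(warning_signs(subject))
    if count >= 2:
        return "trash"
    if count == 1:
        return "verify"
    return "ok"


def triage_all(subjects=SAMPLE_SUBJECTS):
    """Triage every sample subject and return {subject: verdict}."""
    return {s: triage(s) for s in subjects}


if __name__ == "__main__":
    for subject, verdict in triage_all().items():
        print(f"{verdict:6s}  {subject}  {warning_signs(subject)}")
```

Note that the last sample, "John has shared a document with you", scores clean: no caps, no punctuation runs, no lure words. That is exactly the case the post goes on to describe, where only common sense (were you expecting that document?) catches the lure.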
2. Stay smart on the web.
Websites can also contain dangerous content, so think before you click!
Be wary of a website that bombards you with multiple pop-ups, especially if you see those warning signs of malicious content. Avoid entering personal information into an unknown website, and question whether the information requested is necessary. Never enter company information into any site unless it is part of your job to do so.
3. Be very smart about passwords.
Use a different password for each account!
That's so important it needs to be said again: Never use the same password for more than one account. Earlier this month, I got an email from a company that super-securely backs up client data. They recommended that all clients enable two-factor authentication (if they had not already done so) and change their passwords. The reason—hackers had attempted to breach their system's security using passwords stolen from a widely-used professional networking site. The hack was unsuccessful, thanks to the vigilance and top notch security of this company. But the reason it could even be attempted was that professional people were foolishly using the same password for more than one account. Yes, one password is easier to remember. That's the reason for password manager software. Never, never, ever duplicate passwords.
Make every password unique! Keeper, a password manager, found that 50% of people use the same 25 most common passwords! If you're part of that 50%, hackers can breach your account in seconds. Here's some sound password advice: Make up a nonsensical sentence such as this: Yesterday my koala flew to Italy on a 27 foot skillet. Then use the first letters to make up a password like this: ymKf2I-oa27Fs. Use a password keeper to help you remember your unique passwords.
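The two rules in this section, never reuse a password and never use a common one, can be checked mechanically. The following is an added example (not code from the original post) with two parts: a helper that performs the first-letter step of the sentence mnemonic described above, and a small audit that takes a set of account passwords and reports reuse across accounts, membership in a common-password list, and short passwords. The account names, their passwords and the common-password list are constructed stand-ins (the post's "25 most common passwords" list is not reproduced here), and the 12-character minimum is an assumption. The mnemonic helper only does the mechanical first-letter step; the post's own example additionally applies personal substitutions such as "to" becoming "2".

```python
from collections import defaultdict

# Constructed stand-in for a list of the most common passwords; illustrative only.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "12345678", "letmein",
    "football", "welcome", "admin", "abc123", "111111",
}

# Assumed policy minimum length; not a figure from the original post.
MIN_LENGTH = 12

# Constructed sample: account name -> password. The reused password across
# "mail" and "networking-site" models the cross-site reuse the post warns about.
SAMPLE_ACCOUNTS = {
    "mail": "Summer2017!",
    "networking-site": "Summer2017!",
    "backup-service": "ymKf2I-oa27Fs",
    "office-wifi": "password",
}


def mnemonic_from_sentence(sentence):
    """First-letter mnemonic: keep the first character of each word and whole numbers.
    Punctuation attached to a word is ignored."""
    parts = []
    for word in sentence.split():
        token = word.strip(".,;:!?\"'")
        if not token:
            continue
        parts.append(token if token.isdigit() else token[0])
    return "".join(parts)


def audit_passwords(accounts):
    """Audit a mapping of account -> password.

    Returns a dict with:
      reused: list of account-name groups that share one password
      common: accounts whose password is in COMMON_PASSWORDS (case-insensitive)
      short:  accounts whose password is shorter than MIN_LENGTH
    Plaintext passwords are never placed in the report, only account names.
    """
    accounts_by_password = defaultdict(list)
    for account, password in accounts.items():
        accounts_by_password[password].append(account)

    reused = sorted(
        sorted(names) for names in accounts_by_password.values() if len(names) > 1
    )
    common = sorted(a for a, p in accounts.items() if p.lower() in COMMON_PASSWORDS)
    short = sorted(a for a, p in accounts.items() if len(p) < MIN_LENGTH)
    return {"reused": reused, "common": common, "short": short}


if __name__ == "__main__":
    print(mnemonic_from_sentence("Yesterday my koala flew to Italy on a 27 foot skillet"))
    for finding, accounts in audit_passwords(SAMPLE_ACCOUNTS).items():
        print(f"{finding}: {accounts}")
```

The audit deliberately reports account names rather than the passwords themselves, so its output can be shared with whoever runs the training session without leaking credentials. In practice the same check belongs inside a password manager, which already knows every stored password and can flag reuse as it happens.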
4. Set policies that protect your company and your employees.
Help employees set strong passwords, and then require less frequent password changes. When password changes are required too often, strong passwords tend to become weak ones. Policies that allow less frequent change and that encourage completely new, strong passwords lead to higher security.
Make sure computer systems and programs (including anti-virus) are set to auto-update so new security patches and other updates install as they are released.
Set computers to auto-lock after a specific (minimal) amount of idle time. An employee can easily walk away from a desk and forget to lock a computer, leaving it open to anyone who passes by. Employees may not appreciate the inconvenience of having to log in again, but the security benefit is more important.
Require admin credentials (given only to knowledgeable IT personnel) to install new programs. Simply mistyping a website URL can bring up a malicious site. One of the most common—and frequently successful—scams is a blue screen or pop-up that claims to have identified a problem on your computer and urges you to call a phone number immediately to avoid losing all your data. If you call, the scammer tries to take remote control of your computer and steals your data. An unsuspecting employee (hoping to avoid problems) might easily fall prey to this scam. Requiring admin credentials for any installation can short-circuit this kind of attack. (By the way, you may want to implement this strategy on your home computers too!)
The good news—and the bad news
Just taking these steps will make your network much less vulnerable to attack. That's the good news. The bad news is that it may not be enough. Obviously, you still need top notch defense software that is consistently updated by qualified personnel.
And there's more good news—We Can Help.
As website developers, we know how critical your website is to your business.
It's how customers find you. It tells customers who you are and what you do. It may also be where customers make purchases and how you manage your data. When your website goes down, your business suffers.
We help keep your online business safe.
We develop your website using Drupal, an industry-standard content management system. Drupal is the CMS trusted and used by the NBA and NCAA, GE and Verizon, major universities including Rutgers and Yale, the US Department of Education and the White House—to name just a few.
We make sure your website complies with HIPAA and PCI standards to protect data and information for both you and your customers.
We offer maintenance plans to make sure your site is updated with the latest security patches as soon as they are released.
We offer back-up plans to protect your site and your data. If your site is ever damaged or compromised, we can restore it from back-ups.
Online security is a partnership. Working together, we can do everything possible to protect your website—your online business portal—from malicious attacks. Call us at (515) 868-6860, email us, or contact us through our website.
Let's get to work—so you can get some sleep tonight.