A sharp rise in public sector ransomware attacks across the U.S. has drawn considerable attention in recent years – and for good reason. Such attacks can cripple an organization’s ability to conduct important operations or provide needed services to the community. They can also have a huge financial toll.
“Ransomware is not a new problem, but it’s presenting a bigger challenge for public entities,” said Kirstin Simonson, Cyber Lead for Technology and Public Sector at Travelers. “Ransoms are trending significantly higher; in years past, ransoms were often in the five- to six-figure range. Cyber criminals now routinely demand seven- or eight-figure sums from local and state governments. Ransomware has impacted government agencies of all sizes; unfortunately, no one is immune.”
While ransomware has been a threat for years, newer variants are able to infect entire networks and cause considerable damage, often before detection. Here are some measures you can take to help protect your data and ensure an effective response in the event of a ransomware attack:
Back Up Data
A primary step is to back up critical data on a frequent basis. Backed-up files can be quickly recovered, which can help to restore operations in the event of an attack. Ensure the backed-up data is stored on a separate offline device that is completely severed from the working network. Otherwise, it’s likely to be ransomed along with your primary data.
Segment Network Access
Splitting your network into smaller segments is another way to protect critical data. This is typically done by business function or data type, so you can grant employees access to just the data they need to do their jobs. If an employee falls for a ransomware attack, segmentation can help to prevent the malware from spreading throughout your network and operations. Employees should have access to critical data, including all forms of protected information, only when it is required to perform their work. Otherwise, sensitive data should be restricted.
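The two preceding sections describe an offline backup segment and a default-deny segmentation policy. The following Python is an added example, not code from the article or from Travelers; it models segments as address ranges and an allow-list of flows, denies anything not listed, and audits which segments can reach the backup segment at all. Segment names, address ranges and the rules themselves are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed segments (private address ranges chosen for illustration only)
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "finance":      ipaddress.ip_network("10.20.0.0/24"),
    "file-servers": ipaddress.ip_network("10.30.0.0/24"),
    "backups":      ipaddress.ip_network("10.40.0.0/24"),  # isolated; nothing may reach into it
    "legacy":       ipaddress.ip_network("10.50.0.0/24"),  # unpatchable system, reachable only from finance
}

Rule = namedtuple("Rule", "src dst ports")

# Allow-list of permitted flows. Anything not listed is denied (default deny).
# The backup segment pulls from the file servers; no rule lets any segment
# initiate connections into "backups", so a compromised workstation cannot reach it.
RULES = [
    Rule("workstations", "file-servers", {445}),   # SMB file shares
    Rule("finance",      "file-servers", {445}),
    Rule("backups",      "file-servers", {445}),   # backup host pulls data
    Rule("finance",      "legacy",       {1433}),  # hypothetical legacy database port
]


def segment_of(ip: str):
    """Return the segment name containing ip, or None if it is outside all segments."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, port: int) -> bool:
    """Evaluate a flow against the allow-list; unknown hosts and unlisted flows are denied."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    return any(r.src == src and r.dst == dst and port in r.ports for r in RULES)


def inbound_sources(segment: str) -> set:
    """Audit helper: which segments hold any rule allowing traffic into `segment`."""
    return {r.src for r in RULES if r.dst == segment}


if __name__ == "__main__":
    print("workstation -> file server SMB:", is_allowed("10.10.4.7", "10.30.0.5", 445))
    print("workstation -> backup SMB:     ", is_allowed("10.10.4.7", "10.40.0.5", 445))
    print("segments that can reach backups:", inbound_sources("backups") or "none")
```

The `inbound_sources` audit is the check worth running whenever rules change: if it ever reports a source for the backup segment, the backups are no longer isolated from the working network and would be exposed in the same way as the primary data.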
Use Multifactor Authentication
Multifactor authentication (MFA) provides an additional level of protection to your network data. This is a method of verifying an employee’s identity with two or more pieces of proof. The authentication factors typically correlate to a device (e.g., an authenticator app or text message on a smartphone), biometrics (e.g., a fingerprint) or information (e.g., a PIN).
Even if a cyber attacker has obtained a user ID and password, MFA decreases the risk that an attacker can gain access by requiring an additional means of validation. For example, they would need to steal both an employee’s password and their phone to be able to log in to your systems.
Monitor Network Vulnerability
It is important to continuously monitor your network to identify and mitigate security vulnerabilities. Begin with a complete assessment of the network; identify all systems that are not fully patched and take corrective action. This includes operating systems and software, especially older legacy systems that your municipality may depend upon, which are often the most vulnerable systems.
If security updates are no longer feasible, you can reduce the legacy system’s exposure by placing it within its own network segment, making it inaccessible from the internet and restricting employee access.
Your monitoring should also include the systems that remote employees use to gain access to the network. Microsoft’s Remote Desktop Protocol (RDP), for example, can act as an open door for cyber criminals if not properly configured and secured.
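Monitoring remote-access systems means watching the logon events they produce. The following Python is an added example, not code from the article, that runs a simple detection over a constructed, simplified rendering of Windows Security log events: repeated failed logons (Event ID 4625) of logon type 10 (RemoteInteractive, i.e. RDP) from one source address inside a short window, escalated when a successful logon (4624) follows the burst. The event lines, addresses (documentation ranges) and usernames are all constructed; the line format is a deliberate simplification of the real event fields.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). 4625 = failed logon, 4624 = successful logon;
# LogonType 10 = RemoteInteractive (RDP). Addresses are from documentation ranges.
SAMPLE_EVENTS = """
2024-03-02T02:10:01Z EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.7
2024-03-02T02:10:09Z EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.7
2024-03-02T02:10:20Z EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.7
2024-03-02T02:10:31Z EventID=4625 LogonType=10 TargetUser=finance IpAddress=203.0.113.7
2024-03-02T02:10:44Z EventID=4625 LogonType=10 TargetUser=jsmith IpAddress=203.0.113.7
2024-03-02T02:11:02Z EventID=4625 LogonType=10 TargetUser=clerk IpAddress=203.0.113.7
2024-03-02T02:11:30Z EventID=4624 LogonType=10 TargetUser=clerk IpAddress=203.0.113.7
2024-03-02T08:15:00Z EventID=4625 LogonType=10 TargetUser=jsmith IpAddress=198.51.100.22
2024-03-02T08:16:10Z EventID=4624 LogonType=10 TargetUser=jsmith IpAddress=198.51.100.22
2024-03-02T09:00:00Z EventID=4625 LogonType=2 TargetUser=jsmith IpAddress=10.0.0.5
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(\S+) EventID=(\d+) LogonType=(\d+) TargetUser=(\S+) IpAddress=(\S+)$"
)


def parse_event(line: str):
    """Parse one simplified event line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return {"ts": ts, "event_id": int(m.group(2)), "logon_type": int(m.group(3)),
            "user": m.group(4), "ip": m.group(5)}


def detect_rdp_bruteforce(lines, threshold: int = 5, window=timedelta(minutes=5)) -> dict:
    """Alert on a source IP with >= threshold RDP failures inside a sliding window.

    Returns {ip: {"failures": n, "users": set, "success_after_burst": bool}}.
    """
    recent = defaultdict(deque)      # ip -> timestamps of failures still inside the window
    users_tried = defaultdict(set)   # ip -> usernames attempted
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != 10:
            continue  # only RDP (RemoteInteractive) logons are in scope here
        ip = ev["ip"]
        if ev["event_id"] == 4625:
            q = recent[ip]
            q.append(ev["ts"])
            users_tried[ip].add(ev["user"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    ip, {"failures": 0, "users": set(), "success_after_burst": False})
                alert["failures"] = len(q)
                alert["users"] = set(users_tried[ip])
        elif ev["event_id"] == 4624 and ip in alerts:
            # a success after a burst of failures is the case that needs immediate attention
            alerts[ip]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, a["failures"], "failures,", len(a["users"]), "accounts,",
              "success after burst" if a["success_after_burst"] else "no success")
```

One caveat when adapting this to real event logs: with Network Level Authentication enabled, failed RDP attempts are commonly recorded as 4625 with logon type 3 rather than 10, so a production rule should include that case. The "success after burst" flag is also the signal to pair with the MFA and segmentation measures above; an RDP endpoint that is reachable from the internet without MFA is exactly the "open door" the paragraph describes.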
Ransomware attacks can often be traced back to an employee who unknowingly clicked on a phishing email or malicious link. To minimize the risk of human error, provide frequent training on how to recognize cyber threats. Emphasize to your employees the importance of examining links and attachments to make sure they are from a reliable source. Also, warn them of the dangers of sharing company or personal information in response to an email, letter or phone call, and set up protocols for reporting suspicious activity to a designated contact within the organization.
Develop an Incident Response Plan
Avoid scrambling to figure out a plan after a ransomware attack occurs. Having an incident response plan in place in advance is key to a swift, systematic response to help contain the damage to your systems and minimize the response and recovery costs. To ensure that your plan will fulfill its intended purpose, test your plan and put it into practice before an incident occurs. You should also continuously update it as you become aware of new risks and vulnerabilities.
A comprehensive cyber insurance program should provide access to a data breach coach, who can review real-world claim scenarios and identify areas for improvement in your response planning, as well as provide complimentary or discounted access to qualified cyber security services. Some of the most common services provided are:
Engage the Professionals
If an incident occurs, the first step a public entity should take is to engage legal and computer forensics experts, ideally those identified in your incident response plan or recommended by your cyber insurance provider. These professionals can assist with investigating the extent of the infiltration, removing the cause, restoring your network and determining whether or not to pay the ransom. You may also have an obligation to notify others of the incident if their information was potentially compromised as a result of the breach.