How Prepared Are You for a Ransomware Attack?

Photo from Unsplash

Originally Posted On: https://blog.surgemetrix.com/how-prepared-are-you-for-a-ransomware-attack/

If your staff received an email like this, would they know what to do?  Would they know to look at the URL in the From: field and see that it is not legitimate?  Would they know the appeal form listed is also illegitimate?  How would they know?  The fact of the matter is that you need to make sure that they know to decrease the risk of them, to you, and to your dealership.  You should get started training your staff now because by next year, you might be required to have cybersecurity insurance for your dealership.

Ransomware Attacks are Becoming More Democratic

You’ve probably heard that ransomware attacks are on the rise.  These attacks, which encrypt a server’s files, can lock down your business until you pay the ransom, and even then you might not get back everything you need.  Suffice it to say, if you get caught in an attack, you will feel pain.  

A Little History

The first ransomware attack occurred way back in 1989 when an AIDS researcher distributed 20,000 infected floppy disks to attendees of a WHO AIDS conference.  Called the “AIDS Trojan” or the “PC Cyborg” virus, the attack demanded payment to be sent to a fictitious corporation called the PC Cyborg Corporation.  The virus was designed to encrypt file names and hide directories after the 90th time the computer was powered on.  

Times have changed and ransomware has matured to the point where ransomware has shifted to be offered as a service to people who are not technically skilled.  Known as “Ransomware as a Service”, or RaaS, this mutation is the first step in making ransomware more “democratic” in its availability to the malicious masses.

Given the RaaS development, there are now criminal enterprises that have established ransomware businesses complete with their own call centers to process ransom payments.  It is a no joke serious business model that’s growing because of its success.

Adding insult to injury, the past (and still current) practice of “Big Game Hunting” (BGH), where these companies target large companies or industries, has expanded to target smaller companies and organizations as well.  The further “democratization” of the business model is what puts dealerships in the crosshairs, and thus gives the impetus and reason for this post.

Four Facts about Ransomware Attacks

If you’re reading this post and are a dealership principal, or an IT geek like me, then you be aware of some simple facts that propel ransomware forward:

1. Ransomware is growing because it makes people a lot of money.  We’re looking at an estimate in the billions of dollars, depending on how you count the crimes.  Individual attacks are measured in the millions.
2. It can affect any organization, especially those that are unprepared.  Remember what I wrote above?  Any organization can get hit these days.  The attacks have become simple enough that even small targets can be profitable..
3. Ransomware attacks you where you are weakest.  Have you trained your staff against attacks?  Have you checked to see if all your IT infrastructure is updated with all patches and is correctly configured to prevent penetrations?  Do you carefully monitor your networks for penetration attacks and have plans in place to respond quickly?  Have you validated the robustness of your network and internal training by a third party?  If you answer “No.” or “I don’t know.” to any of these questions, then you are likely to be at risk.
4. Ransomware typically starts with a phishing attack.  Most attacks begin with an email and accelerate when an unsuspecting staff member clicks on something that they shouldn’t, thus allowing a virus to be loaded on their computer and your network.

5 Things You Can Do to Protect Your Dealership Against Ransomware Attacks

There are a lot of things you can do.  Let’s look at 6 simple rules to follow:

1. Train your staff how to avoid phishing and social engineering attacks.  The simplest thing you can do here is to tell your staff to never click on any links, or download any files, that were sent to them via an email… even if it is from you.  The rule should always be that your staff should confirm that the file or link that they received is actually from the person who sent it.  Is this a bit cumbersome?  Yes.  But does it protect you and can your staff quickly adapt to move forward?  Definitely.  For “social engineering” attacks, just tell them that if they get a call from anyone asking for protected information, such as username and password info, then they should confirm the request with their supervisor or another relevant authority in your dealership (like the head of IT).  
2. Use “zero-trust” principles and policies to harden your infrastructure and people against exploits.  What are “zero-trust” policies?  Simply put: Don’t grant permissions to those who don’t need them and don’t leave things open or on that can be closed.  
3. Segment your network as much as possible.  A lot of organizations put all their eggs in one basket… finance, IP info, staff records, etc.  If you have any ability to break things up and limit access of some parts of your network to the Internet, then do it. 
4. Maintain well managed backups and logs.  Too many businesses make the mistake of not maintaining good backups or logs.  Get this right and make sure that your backups are layered including current backups and archives (as opposed to just one backup each night that gets rewritten every day) and that your logs are detailed and reviewed regularly for attempted intrusions or unexplained transfers of data that could indicate that your network has been compromised.   
5. Use a recognized security framework that works.  There are a number of security frameworks that you can follow, but one of the easiest to understand is the US Dept of Commerce’s National Institute of Standards and Technology (NIST) framework that has 5 key components: Identify, Protect, Detect, Respond, and Recover.  There is a lot of detail for each component.  Go here if you want to dig deeper.
6. Test how well your people and infrastructure are hardened against cyber attacks.  It is not enough to follow the policies outlined above.  If you want to be sure that your dealership is protected against an attack, then you should test your preparedness using a third party that specializes in simulated phishing attacks and technical penetration testing.  A company that does this type of work takes the role of the attacker and conducts phishing attacks to see what your staff will do along with technical “penetration” attacks to look for weaknesses in your technical infrastructure.  Once their work is done, they can then tell you where you are weak so that you can buff up your defenses.

Parting Thoughts

If you read this post and don’t know how well prepared your dealership is, then you should take the time to check.  If you want, just use this post as a quick checklist to get started, or contact me and we’ll give you a hand even if it is just a quick conversation and an actual checklist to follow.  Why does this make sense?  Two reasons: 

1. You don’t ever want to get caught with your digital pants down and be in hock to an attacker.  
2. It is likely that you will be required to have cybersecurity insurance starting next year (if your state doesn’t already require it).  

So, you have work to do…  Get started and reach out if you need help.