The ransomware gang DoppelPaymer announced yesterday that it had breached the network of Digital Management Inc. (DMI), a provider of managed information technology and cybersecurity services that had apparently supplied services to NASA.
DoppelPaymer claims to have stolen files relating to its work with NASA, leaking some of the files as supposed proof of the theft. The attack follows the current pattern of breach, encryption and ransom demand, with the threat being that if the victim does not pay the ransom, the data will be released. Other ransomware groups have started auctioning off such stolen data to the highest bidder if the victim doesn’t pay.
Large and medium-sized companies, or those with high profiles, aren’t the only targets for ransomware. Automated systems make it easy for organized crime to cast a wide net, scanning the Internet for companies with vulnerabilities that it can exploit. Small companies are now as good a target as any other company, if not an even better one.
Small and medium-sized companies make prime targets for ransomware simply because they often spend relatively little on security, have poor backups and frequently put off updating their systems. A cybercriminal who infiltrates a small company’s system to steal and encrypt its data is able to bring the company to its knees.
Law enforcement is often busy with larger breaches and unlikely to focus on the case of a small company. Given the unsophisticated nature of the target, a cybercriminal can then extort the victim with relative impunity, making a modest sum for relatively little work.
So, are you still comfortable that your small or medium-sized company can continue to put off security as a priority? Think of it this way: an ounce of prevention is worth a pound of cure.
Here are some things you can do to be a harder target:
- Buy cyber-insurance today, not tomorrow. Invest in a policy that covers ransomware, wire-fraud spoofing and anything else your company and insurance broker think might be applicable.
- If you outsource all or part of your IT, ask the provider to point out how the contract addresses what happens if you are breached: who is responsible for restoring the systems, notifying affected customers and employees, responding to regulators and regulatory action, and defending lawsuits; who pays; what their cyber-insurance policy states; and whether you are covered (and have it written down).
- If you handle your own IT internally, then ask IT to show you:
  - The company’s written data inventory. Maintain documentation of what data the company has, where it is kept, and how old it is. If you don’t know what you have, you cannot protect it or respond in an informed way if it is stolen (or lost).
  - The company’s “WISP” or written information security plan. Review the plan to ensure that it covers all of the data on the inventory you just reviewed. Update it periodically, either when a material change occurs or at least yearly.
  - The company’s data breach response plan. Know who is doing what, how they are doing it, who to call and how all of it will work. Role play different scenarios via a tabletop exercise to make sure you have thought through the problems.
  - The company’s data retention plan. Determine what data you need to keep and for how long. A previous client that you haven’t worked with in many years is going to be upset if you notify them that their data was stolen and is being ransomed. Old data that you are not using is only a liability, not an asset—don’t be a data hoarder.
  - The training plan. Create a plan for educating your employees about your data security, including what they need to be aware of, as well as what to do when there is or isn’t a problem (i.e., proactive security and routine security practices).
- Regardless of internal or external IT management, ask to see your company’s patch log. Make sure it is up to date, and if it is not, be sure to put in writing a reasonable explanation and a plan for remediation with a due date. Items that are not patched for a valid reason should then be dealt with through a “compensating control”, i.e. something that compensates, security-wise, for the lack of a patch. Failing to patch is a consistent theme in data breaches.
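The patch-log review above can be made routine rather than a one-off conversation. The following is an added example, not code from the article, that audits a constructed patch log (hostnames and advisory IDs are placeholders) and flags every open item that lacks a written reason, a remediation due date or a compensating control, or whose due date has already passed.

```python
import csv
import io
from datetime import date

# Constructed sample patch log (placeholder hosts and advisory IDs, not real data).
# One row per finding; "open" rows are the ones the review is concerned with.
PATCH_LOG = """\
host,advisory,status,patched_on,reason_unpatched,compensating_control,remediation_due
web01,KB-EXAMPLE-001,patched,2020-05-20,,,
db01,KB-EXAMPLE-002,open,,vendor app breaks on update,host firewalled to app subnet only,2020-07-01
fs01,KB-EXAMPLE-003,open,,,,
mail01,KB-EXAMPLE-004,open,,awaiting maintenance window,,2020-05-15
"""


def audit_patch_log(csv_text, today_iso):
    """Return (host, advisory, finding) tuples for every open item that would
    not pass the review: no written reason, no due date, an overdue date, or
    no compensating control while the patch is outstanding."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"] == "patched":
            continue  # nothing to justify for an applied patch
        key = (row["host"], row["advisory"])
        if not row["reason_unpatched"]:
            findings.append(key + ("no written reason for missing patch",))
        if not row["remediation_due"]:
            findings.append(key + ("no remediation due date",))
        elif date.fromisoformat(row["remediation_due"]) < today:
            findings.append(key + ("remediation due date has passed",))
        if not row["compensating_control"]:
            findings.append(key + ("no compensating control documented",))
    return findings


if __name__ == "__main__":
    for host, advisory, finding in audit_patch_log(PATCH_LOG, "2020-06-05"):
        print(f"{host} {advisory}: {finding}")
```

Run against a real export, an empty result is what "the patch log is up to date" should mean in practice: every outstanding item has its explanation, its due date and its compensating control on record.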
Taking the above actions will help to prevent your company from becoming the victim of a cybercriminal. But there is more you can do. Talk to your privacy and cybersecurity attorney about the details. Talk to your crisis communications specialist about the details. Make sure everyone is ready and that everyone knows what they are expected to do in case of emergency.