The cost of ransomware passed $7.5 billion in 2019. In a recent independent survey commissioned by StorageCraft, 39% of IT decision-makers cited ransomware as a significant concern, representing a substantial financial risk to their organization if they are compromised. It is little wonder, then, that the question "How do I make sure my company never pays a ransom for our data?" is rising up the agenda of business leaders in organizations of all types and sizes.

Investing in a ransomware strategy isn’t just a practical decision; it’s an essential one. While insurance can help if the worst happens, what happens to your reputation? What would your clients and prospects think? Rather than become a victim, take proactive measures now, so you never end up being held up by criminals.

The following are some of the steps business leaders should consider to ensure their business has comprehensive ransomware protection.

  1. Undertake a Ransomware and Security Audit

Any one of dozens of service providers can audit your business. Their services might range from penetration testing to vulnerability risk assessments and more. Look into working with an outside expert who can help you identify vulnerabilities your team might not be aware of. You might have more exposure to risk than you realize.

  2. Consider Cyber-Security Insurance

Major insurance carriers now offer affordable cybersecurity policies. Like other forms of insurance, cybersecurity insurance will cover your business if you lose data due to a breach or ransomware. In some cases, these policies will even pay out ransoms if your data becomes inaccessible. Note that paying criminals should be your absolute worst-case scenario. Sadly, however, some organizations, such as the city of Riviera Beach, Florida, have felt that they have no choice but to pay. Insurance may be a last resort, but it’s still wise to assess which policies can protect you if all else fails.

  3. Develop a Data Protection Strategy

If you had your company audited by an outside firm (step one), you should now have a detailed list of security issues you can address. For many companies, it might be as simple as upgrading to newer and more sophisticated firewall, spam-filtering, antivirus, and backup solutions. For others, it could require a complex process involving a network infrastructure overhaul, new hardware, and more. If you and your team aren't sure how best to proceed, consider working with an IT managed service provider who can do all the heavy lifting. Companies like these can also offer ongoing support and maintenance for your crucial systems.

  4. Educate End-Users

The most iron-clad software and hardware are of no help if an employee is careless. Part of your strategy should include a plan for helping your users spot and avoid ransomware. Many businesses hold mandatory quarterly security seminars where admins help employees understand the various types of cyber-attack. Your plan should cover everything from ransomware to phishing to the growing threat of social engineering scams.

  5. Establish a Backup and Disaster Recovery Plan

Most businesses have data backups, but few have a plan for restoring data should something go wrong. Be sure your team has established recovery objectives. A recovery time objective (RTO) defines how quickly systems must be back online after an incident. A recovery point objective (RPO) defines how much data your business can stand to lose to a hardware failure, ransomware, or another issue. These two metrics help your team develop a strategy that keeps downtime and data-loss costs to a minimum.

  6. Test Your People and Systems

While you've already conducted one security audit, it's wise to schedule regular testing once your network is in tip-top shape. This includes network vulnerability testing, testing backups, and testing employees—people are often the weak link in the security chain. That's why some businesses formulate strategies for testing employees. That could include sending simulated phishing emails or even hiring companies to conduct mock social engineering scams. Whatever the case, testing should be a regular part of your security strategy.

Shridar Subramanian is the CMO of StorageCraft. He has more than 23 years of experience in information technology. Shridar joined StorageCraft with the acquisition of Exablox in January 2017. Prior to StorageCraft, Shridar was the VP of marketing at Virident Systems, a leading provider of PCI SSDs, and he also was the senior director of marketing at Monosphere Inc., a storage virtualization software company.