As we see more and more news stories about ransomware, security vendors are jumping on the bandwagon with their solutions. Most of these are incomplete and cover only a small part of the overall problem. Few vendors offer a complete solution, and for those that do, configuration and deployment is a nightmare for the average IT generalist. Most SMBs rely on endpoint protection (AV), a UTM appliance and the like, and vendors are taking advantage of that by rebranding existing products and marketing them to the ransomware hype.

The first line of defense is user education. What I am seeing when a company gets infected is that an end user opens an email and clicks a link or opens an attachment. When discussed after the fact, most end users say something like, “I did not read the email, I just clicked the link,” or “The attachment said resume, so I opened it.” In these cases endpoint protection (more on this in a minute) would not have protected the end user; education would have, because the click never happens.

Speaking of endpoint protection, most vendors will say that they protect against zero-day threats as well as ransomware. That may be true if you run the product at its most restrictive settings, but those settings come at a cost, and in most cases the cost is the end user’s ability to do their daily job. The key is a balance between education and configuration.

A strong security program with multiple layers of protection decreases your chances of being infected. An ideal solution would include cloud-based web filtering, Unified Threat Management at the firewall, endpoint protection on the desktop and, lastly, email filtering that scans both URLs and attachments. Let’s not forget end-user training, the human factor. A single-vendor solution does not provide the defense in depth that multiple vendors can (belt and suspenders): when one vendor’s engine misses a sample, a second vendor’s engine with a different signature set may still catch it.
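To make the email-filtering layer concrete, here is an added example (not code from the original post or from any vendor) of the two checks that would have caught the “resume” attachment from the user story above and a disguised link in the same message: attachment scanning by extension, including the `resume.pdf.exe` double-extension trick, and URL scanning that compares where a link says it goes with where it actually goes. The extension lists, the sample message and the addresses in it are constructed for this example and are illustrative, not a real gateway’s rule set.

```python
"""Toy email-gateway checks: attachment and URL scanning.

Added example, not from the original post. The extension lists are an
illustrative policy, and SAMPLE_EML is a constructed message (example.com /
203.0.113.x are reserved documentation names, not real hosts).
"""
from __future__ import annotations

import email
import re
from email import policy
from urllib.parse import urlparse

# Extensions Windows will execute directly; unsolicited mail should never carry them.
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs",
            "vbe", "wsf", "wsh", "hta", "ps1", "lnk", "msi"}
# Macro-enabled Office formats, the classic "invoice" / "resume" dropper.
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Containers that hide the real file type until the user opens them.
CONTAINER_EXT = {"zip", "rar", "7z", "iso", "img", "cab"}
# Harmless-looking extensions that attackers put in front of the real one.
DECOY_EXT = {"pdf", "doc", "docx", "txt", "jpg", "png"}

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Visible link text that itself looks like a URL or host name.
URLISH_RE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def check_attachment(filename: str) -> list[str]:
    """Return the reasons an attachment should be blocked or held for review."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXEC_EXT:
        reasons.append(f"executable extension .{ext}")
    if ext in MACRO_EXT:
        reasons.append(f"macro-enabled document .{ext}")
    if ext in CONTAINER_EXT:
        reasons.append(f"archive/container .{ext} needs inner scan")
    # "resume.pdf.exe": the user reads "pdf", Windows executes "exe".
    if len(parts) >= 3 and parts[-2] in DECOY_EXT:
        reasons.append("double extension")
    return reasons


def check_links(html: str) -> list[str]:
    """Flag anchors that point at a bare IP address, and anchors whose visible
    text names a different host than the href actually targets."""
    findings = []
    for href, text in HREF_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        if IP_HOST_RE.match(host):
            findings.append(f"link to raw IP {host}")
        shown = re.sub(r"<[^>]+>", "", text).strip()
        m = URLISH_RE.match(shown)
        if m and m.group(1).lower() != host:
            findings.append(f"link text says {m.group(1).lower()} but goes to {host}")
    return findings


def scan_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and run both checks over it."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdict = {"attachments": {}, "links": []}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            reasons = check_attachment(name)
            if reasons:
                verdict["attachments"][name] = reasons
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        verdict["links"] = check_links(body.get_content())
    return verdict


# Constructed sample: a "resume" lure with a disguised link and a double-extension attachment.
SAMPLE_EML = """\
From: "HR Portal" <hr@example.net>
To: staff@example.com
Subject: Resume for the open position
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the candidate: <a href="http://203.0.113.7/r">https://careers.example.com/candidate</a></p>
<p>The resume is attached.</p>
</body></html>
--b1
Content-Type: application/octet-stream; name="resume.pdf.exe"
Content-Disposition: attachment; filename="resume.pdf.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

if __name__ == "__main__":
    for key, value in scan_message(SAMPLE_EML).items():
        print(key, value)
```

Run it and the attachment is held for two reasons (executable extension and double extension) and the link is flagged twice (raw IP target, and visible text that names `careers.example.com` while the href goes elsewhere). A real gateway would add content-type sniffing of the attachment bytes, since the extension is only what the sender chose to call the file.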

Lastly, when you do get infected, and you will, your last line of defense is solid backups. Bottom line: when all else fails, you have your backups (make sure you test them; don’t assume), and keep at least one copy where the infected user’s credentials cannot reach it, or the ransomware encrypts the backup too. When thinking about backups, think about recovery point objective (RPO): the amount of work, measured in time, you are prepared to lose. I will discuss this in greater detail in another post. Most SMBs back up once per day, most likely at night. Say you back up Tuesday night at 8 pm and Wednesday afternoon at 2 pm you get ransomware: you restore from the night before and lose 18 hours, most of a day’s work. Is that sufficient?
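The RPO question above, worked through as an added example (not code from the original post): pick the newest snapshot taken before the compromise, but only count snapshots that have actually passed a restore test, and compare a nightly schedule against an hourly one for the same Wednesday 2 pm incident. It also shows what “test your backups” looks like in code, checking restored files against a SHA-256 manifest recorded at backup time. The dates, schedules and file contents are constructed for this example, and `verify_restore` is a hypothetical helper, not any backup product’s API.

```python
"""RPO selection and restore verification. Added example, not from the original post.

Constructed data throughout: the calendar dates, the snapshot schedules and the
file contents are invented to illustrate the Tuesday 8 pm / Wednesday 2 pm case.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    restore_tested: bool  # has someone actually restored from this snapshot?


def build_snapshots(first: datetime, last: datetime, interval: timedelta,
                    tested: bool = True) -> list[Snapshot]:
    """Snapshots taken every `interval` from `first` up to and including `last`."""
    snaps, t = [], first
    while t <= last:
        snaps.append(Snapshot(t, tested))
        t += interval
    return snaps


def choose_restore_point(snapshots: list[Snapshot], compromise_time: datetime):
    """Newest snapshot taken strictly before the compromise that has passed a
    restore test. Returns (snapshot, data_loss) or (None, None) if nothing usable
    exists. Use the earliest evidence of compromise, not the time you noticed."""
    usable = [s for s in snapshots
              if s.taken_at < compromise_time and s.restore_tested]
    if not usable:
        return None, None
    best = max(usable, key=lambda s: s.taken_at)
    return best, compromise_time - best.taken_at


def make_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """SHA-256 per file, recorded when the backup is taken."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_restore(restored: dict[str, bytes], manifest: dict[str, str]) -> list[str]:
    """Compare a restored file set against the manifest; empty list means the
    restore test passed."""
    problems = []
    for name, expected in manifest.items():
        data = restored.get(name)
        if data is None:
            problems.append(f"missing: {name}")
        elif hashlib.sha256(data).hexdigest() != expected:
            problems.append(f"corrupt: {name}")
    return problems


# Constructed calendar: Mon 2024-03-04 .. Wed 2024-03-06, ransomware hits Wed 14:00.
MON_8PM = datetime(2024, 3, 4, 20, 0)
WED_8PM = datetime(2024, 3, 6, 20, 0)
COMPROMISE = datetime(2024, 3, 6, 14, 0)

NIGHTLY = build_snapshots(MON_8PM, WED_8PM, timedelta(days=1))
HOURLY = build_snapshots(MON_8PM, WED_8PM, timedelta(hours=1))
# Same nightly schedule, but nobody ever tested Tuesday's backup.
NIGHTLY_UNTESTED_TUE = [Snapshot(s.taken_at, s.taken_at.day != 5) for s in NIGHTLY]

# Constructed file set: the "restored" copy has one file replaced by ciphertext.
ORIGINAL = {"q3-ledger.xlsx": b"ledger rows", "payroll.csv": b"payroll rows"}
MANIFEST = make_manifest(ORIGINAL)
RESTORED_BAD = {"q3-ledger.xlsx": b"\x9f\x12encrypted", "payroll.csv": b"payroll rows"}

if __name__ == "__main__":
    for label, snaps in [("nightly", NIGHTLY), ("hourly", HOURLY),
                         ("nightly, Tue untested", NIGHTLY_UNTESTED_TUE)]:
        snap, loss = choose_restore_point(snaps, COMPROMISE)
        print(f"{label}: restore from {snap.taken_at}, lose {loss}")
    print("restore test:", verify_restore(RESTORED_BAD, MANIFEST) or "ok")
```

Nightly backups give you Tuesday 8 pm and 18 hours of lost work; hourly snapshots cut that to one hour; and if Tuesday’s backup was never restore-tested, the honest answer is Monday 8 pm and 42 hours, which is the point of “don’t assume.” The manifest check is the simplest form of a restore test: restore to scratch storage and compare hashes, rather than trusting the job’s green status icon.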

Something to think about.