Since 2011 the cybercrime industry has grown from $114 billion to an estimated $600 billion in 2016, and is expected to exceed $2 trillion by the year 2020. These dollar amounts are rough estimates, because many instances of cybercrime go unreported. They represent the money that has been extracted from companies by way of identity theft, extortion, or the cost of repairing systems and hardware, and do not include lost wages and productivity. On average, 1.5 million people each day are affected by cybercrime, which includes ransomware, phishing, and stolen identities, and sadly many of these crimes could be avoided if IT best practices were followed.
The recent global ransomware attack (WannaCry) highlighted two things: (1) that corporate networks are still incredibly vulnerable and unsecured, and (2) that this attack was avoidable. The attack worked by scanning the Internet for computers and exploiting a known vulnerability in the Microsoft operating system, one that had been identified, and had a patch released to address it, two months prior. Unified Threat Management devices, as well as end-point protection devices, had been automatically updated as early as the first week in April.
The widespread, global scale of this attack reveals that there were many organizations that did not deploy the appropriate patches in a timely manner, thus leaving their systems vulnerable. It is, quite frankly, concerning that enterprise organizations – especially those that deal with healthcare, banking, and package delivery – were armed with the tools and the notice to prevent such an attack and yet, they took little-to-no pre-emptive action.
Interestingly, non-business home-users were the group least affected by WannaCry, due to the popularity of Windows 10 and its automated patching process. At this point in time, Windows 10 holds a much larger market share in the home-user space than in the business space, so home-users were protected automatically, whereas small businesses and enterprise-level organizations are still mainly relying on Windows 7.
However, home-users are not immune to the threats of cybercrime and have suffered significant monetary loss. Mobile ransomware is up 225% in Q1 of 2017. Many ransomware campaigns focus on the home-user, since corporate devices can be easily wiped and redeployed rather than paying the ransom to retrieve the data being held hostage. Home-users should also be employing IT best practices, such as backing up their data to the cloud using a service like Dropbox or Apple’s iCloud.
It is undeniable that cybercrime comes at a cost; an enterprise organization is expected to pay $3.4 million per cybercrime incident in 2017 and upwards of $150 million in 2020. Small businesses, on the other hand, which represent the majority of businesses, are generally unable to absorb the costs inflicted by a cyber-attack, and 60% of them end up going out of business within six months of a substantial attack.
Regardless of the size of an organization, there are a few steps that most businesses can take to protect themselves from falling victim to a cyber-attack:
- Properly training the end user is key. Employees need to understand the threat, what it looks like, and how to protect themselves from it. Traditional security awareness training no longer works – IT departments should consider working with a marketing team to make security awareness training more social and interactive, rather than simply sitting an employee in front of a computer to watch videos.
- The simplest solution, in this case, is probably the most important – devices should be patched in a timely fashion. Come up with a schedule that works and be aggressive. Critical patches should be applied within days of their release, while low impact patches can be applied within 45 to 60 days of their release. The biggest risk is relying on the end-users to deploy the patches to their systems themselves. IT departments should consider implementing a cloud-based solution that can force patches and account for those patches, such as Microsoft Intune.
- Deploy modern operating systems such as Windows 10 Enterprise with Advanced Threat Protection added on. Although Windows 7 is still being sold (we’re going to skip over Windows 8), it reached the end of mainstream support in 2015. All new deployments should be Windows 10, and a strategy should be developed for deploying/upgrading Windows 7 devices.
- An oldie but a goodie – use least privilege. At this point, it seems like everyone is an administrator of their own computer. While this may be more convenient for the IT department, it is fundamentally not a good idea. Access should be restricted on local and network devices.
- Segment networks to prevent the spread of worm-type threats such as WannaCry.
- Lastly, have a good, tested backup of your data and use a hybrid solution that includes both local and online backups. This is your last line of defense.
Taking these measures will not make you bulletproof; however, they will help to reduce your attack surface significantly.
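The patch schedule recommended in the list above can be checked mechanically against a device inventory. The following is an added example, not part of the original article: the inventory, patch names and audit date are constructed, and the 7-day critical deadline is an assumption, since the article only says "within days".

```python
from datetime import date, timedelta

# Deadlines in days after release. 60 is the upper bound of the article's
# 45-60 day window; 7 days for "critical" is an assumption.
SLA_DAYS = {"critical": 7, "low": 60}

# Constructed sample inventory: (device, patch, severity, released, installed).
# Patch names are placeholders, not real update identifiers.
INVENTORY = [
    ("ws-001", "PATCH-A", "critical", date(2017, 3, 14), date(2017, 3, 17)),
    ("ws-002", "PATCH-A", "critical", date(2017, 3, 14), None),
    ("ws-002", "PATCH-B", "low", date(2017, 4, 11), None),
    ("srv-01", "PATCH-A", "critical", date(2017, 3, 14), date(2017, 4, 20)),
    ("srv-01", "PATCH-C", "unrated", date(2017, 5, 1), None),
]


def evaluate(record, today):
    """Classify one patch record against its SLA deadline."""
    device, patch, severity, released, installed = record
    # Unknown severities fail closed: hold them to the critical deadline.
    days = SLA_DAYS.get(severity.lower(), SLA_DAYS["critical"])
    deadline = released + timedelta(days=days)
    if installed is not None:
        status = "ok" if installed <= deadline else "installed_late"
        days_over = max((installed - deadline).days, 0)
    else:
        status = "pending" if today <= deadline else "overdue"
        days_over = max((today - deadline).days, 0)
    return {"device": device, "patch": patch, "status": status,
            "deadline": deadline, "days_over": days_over}


def overdue_by_device(inventory, today):
    """Return {device: worst days overdue} for patches still missing past SLA."""
    worst = {}
    for record in inventory:
        result = evaluate(record, today)
        if result["status"] == "overdue":
            worst[result["device"]] = max(worst.get(result["device"], 0),
                                          result["days_over"])
    return worst


if __name__ == "__main__":
    print(overdue_by_device(INVENTORY, date(2017, 5, 12)))  # constructed audit date
```

Devices reported by `overdue_by_device` are the ones to escalate first; `installed_late` records show where the schedule slipped even though the patch is now in place.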