by Andre Bourque

How to keep ransomware from human resources

Mar 27, 2017

HR makes for an easy and lucrative target for hackers.

Ransomware is not your friend. It’s lurking out there to take over your computer and business systems to extort money from you. Keeping this wolf from your door takes some doing.

The sneak attacks come attached to emails. When opened, these attachments infect your computer and lock it up until you pay the ransom demanded. According to Infosec Institute, “Small businesses usually lack sophisticated computer defenses thus making them very vulnerable. An overwhelming majority, some reports by Intel say as much as 80%, of these small and medium-scale businesses don’t employ data protection or email security.”

Impact of ransomware

In a 2016 Osterman Research survey of 540 CIOs in four countries, 40% of the respondents said that their businesses had been attacked. A total of 47% of those were in the United States. Ransoms demanded ranged from $1,000 to more than $150,000, and 40% of the hostage companies paid.

While 60% of the respondents said they spent nine hours or more fixing the problem, 19% said they had to stop business altogether. And the attacks endangered lives in 3.5% of the cases. A main concern is the fact that most intrusions occur on desktop computers inside the business’s existing security setup.

Research International conducted a survey of IT experts and found that “43% had customers fall victim to ransomware” across 22 industries. They found 41% of the victims were small businesses that lost three days of their access to data.

Some 71% of those infected paid ransoms, typically under $500, but “while 71% of ransom pirates restore the customers’ files after being paid off, 1 in 5 customers who paid the ransom failed to recover their files.” While relatively little was paid in ransom money by the companies surveyed, the financial impact of lost time and recovery is significant and foreshadows future losses.

Reuters, on the other hand, quotes FBI reports of business losses of $209 million in the first quarter of 2016. Pirates have hit large users like Hollywood Presbyterian Hospital, Michigan’s Board of Power & Light and the Texas North East Independent School District, among others.

“The loss and exposure of confidential data from a cyber attack is costly to both the people victimized and the businesses whose data was compromised. The goals and methods of cyber attackers are evolving and will continue to evolve. With proper visibility of devices entering and leaving the network, education and training for staff, data encryption, and real-time scanning can minimize the risks if combined with proper backup and disaster recovery planning,” warns Dave Philistin, CEO of Omnificent Systems.

How it works

Criminals infect computers in three ways:

  • Botnets, rootkits and malware installation infect a computer with malicious software that spreads to other computers and can be managed by the criminal initiator.
  • Spam and social engineering schemes target individual users, enticing them to open a message or click through to something seemingly desirable, which then releases a virus that infects the machine and spreads.
  • Drive-by download and malvertising offer a double threat. The drive-by downloads malicious software without even asking you, and malvertising attaches poison to ads that attract users.

“It only takes one PC getting compromised to lead to a widespread attack. One machine can encrypt network file servers and begin attacking other PCs on the network,” explains Don Pezet, super host of ITProTV.

In any business, the human resources (HR) department receives more email than other offices. HR staffers are forever getting emails from job applicants. Moreover, HR data is a priceless pirate trove of personal identity information that thieves can use to expand their enterprise.

How to safeguard HR

Writing for The Society of Human Resource Management, Aliah D. Wright reports on studies that show, “81 percent of IT professionals said laptops — both company-owned and personal ones employees use for work — are most vulnerable to a breach. That’s followed by desktops (73 percent), smartphones (70 percent) and tablets (62 percent).”

Pierluigi Paganini analyzed a study by Intel Security with alarming results. Participants were given a list of emails and asked to identify those that were phishing. Paganini says that “only 3% got all answers right” and adds that “80% of the surveyed people got at least one wrong answer.” If users only recognize one in four phishing emails, you get some sense of the vulnerability. So if HR is an easy and lucrative target, the business must defend itself forcefully. It’s no longer a question of if the company will be attacked but when.

Everything depends on intensive education. Most of the malware comes through employee error. HR staffers must learn not to open attached files with .doc, .pdf or .txt designations. New and current staffers need training and reminders. Corporate trainers should prepare training documents and schedule sessions for instruction and updates.

IT must give them what they need in the form of strong web filters and spam management. The CIO must have systems in place to evade, quarantine and shut down invasive ransomware. Just as important, IT must have a working backup plan distinct from the business network. “It’s extremely important that companies secure their backups offline to prevent them from becoming infected as well,” says Pezet.

IT must implement businesswide and department-specific strategies to detect and remediate invasive software. And management and staff must know the response mechanism.

IT can segment databases and restrict access to authorized users. Segmentation could defeat contagion and networkwide damage.

HR can restrict traffic in incoming applications to a dedicated workstation. The staff can work as a unit or as trained individuals to confine such traffic to the one system.
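One way a mail gateway could enforce the attachment guidance and the dedicated-workstation idea above, shown as an added example that is not from the original article. The queue names, the sample addresses and the rule that any attachment type other than .doc, .pdf or .txt goes to quarantine are assumptions made for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions the article names as ones HR staff should not open directly.
HELD_EXTENSIONS = {".doc", ".pdf", ".txt"}

def final_extension(filename):
    """Lower-cased last extension, so 'cv.pdf.exe' is judged as '.exe'."""
    return PurePosixPath(filename.strip().rstrip(".")).suffix.lower()

def route(raw_message):
    """Return (queue, attachment_names) for one raw email message.

    Queue names are hypothetical:
      deliver            - no attachments, normal HR mailbox
      intake-workstation - only held document types, opened on the dedicated system
      quarantine         - any other attachment type, held for IT review
    """
    msg = message_from_string(raw_message, policy=policy.default)
    names = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    if not names:
        return "deliver", names
    if all(final_extension(n) in HELD_EXTENSIONS for n in names):
        return "intake-workstation", names
    return "quarantine", names

def sample_message(*filenames):
    """Constructed job-application email with dummy attachment bytes."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.com"
    msg["To"] = "jobs@example.com"
    msg["Subject"] = "Application for open position"
    msg.set_content("Please find my application attached.")
    for name in filenames:
        msg.add_attachment(b"constructed sample bytes",
                           maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_string()

if __name__ == "__main__":
    for files in [(), ("resume.PDF",), ("cv.doc", "letter.txt"), ("resume.pdf.exe",)]:
        print(files, "->", route(sample_message(*files))[0])
```

Judging each file by its final extension means a name such as resume.pdf.exe is quarantined rather than passed through as a PDF.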

The future of ransomware attacks

There’s good news and bad news when looking into the future. The good news is that small businesses are small pickings for cybercriminals — though ransomware is a troublesome nuisance when you consider the price of defense and remediation.

The bad news is that the people behind ransomware-as-a-service (RaaS) schemes apparently see the financial promise in broader and deeper infections. That they are criminally willing and able to serve and support other criminals makes it something to fear now and into the future. The ability to field a rapid variation of infections concerns CIOs who race to get ahead of the curve.