With all of the scams running around the Internet today, it’s easy to ask “what can we do?” Just last week I met with an employee of a company that had been completely shut down for a week due to ransomware (probably Locky, probably delivered by an email to an HR executive who had too much power over their IT systems). My client asked “what can be done” in a tone as if to imply that “these things just happen” and there’s nothing to be done.
In this case, there’s a lot that could have been done to mitigate this risk:
1) Ensure that multiple, rock-solid security scanners – preferably from different vendors – are filtering email messages and attachments before they reach the end user's machine. Why? Because the attack most likely arrived as an email attachment, purportedly a resume in Microsoft Word format, carrying a macro (VBA code) that downloaded and ran the ransomware as soon as the recipient clicked "Enable Content". (Yes – Microsoft Office documents can contain programs that are just as dangerous as EXE files!) A filter that only looks at file extensions will miss this, so scanners need to look inside the document for a VBA project, and macro-enabled types (.docm, .xlsm) should be blocked outright unless there is a business need for them. Also consider opening attachments in a viewer that cannot execute macros rather than in full Word. Microsoft Word Viewer did exactly that, but Microsoft discontinued it in 2017, so on current versions of Office the equivalent is to keep Protected View enabled and use Group Policy to block macros in files that came from the Internet.
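The check described above, looking inside an Office attachment for macro code instead of trusting its name, as an added example that is not part of the original post. An Office Open XML file (.docx, .docm, .xlsx, ...) is a zip archive; a VBA project is stored as a `vbaProject.bin` part and the package's `[Content_Types].xml` declares a macro-enabled content type. The script flags either signal and, in addition, flags the mismatch case where macro parts sit inside a file named with a non-macro extension. The two sample "documents" are constructed in memory and are minimal packages, not real Word files; the `should_quarantine` function and its reasons are my naming, not any product's API. Legacy binary .doc/.xls files are OLE2 containers and are out of scope here.

```python
import io
import zipfile
from typing import Dict, Tuple

# Content types Office assigns to macro-enabled OOXML documents (real values
# from the Office Open XML specification).
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
# Extensions that are not supposed to carry macros; macro parts inside such a
# file mean someone is trying to sneak code past a filter that only reads names.
NON_MACRO_EXTENSIONS = {"docx", "dotx", "xlsx", "pptx"}


def inspect_ooxml(data: bytes) -> Dict[str, object]:
    """Look inside an Office Open XML container for macro parts."""
    findings: Dict[str, object] = {"is_ooxml": False, "has_vba_part": False, "declared_type": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip, so not OOXML (legacy .doc/.xls are OLE2, not handled here)
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return findings
        findings["is_ooxml"] = True
        # VBA code lives in a binary part; its presence is the definitive signal.
        findings["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        content_types = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
        for ct in MACRO_CONTENT_TYPES:
            if ct in content_types:
                findings["declared_type"] = ct
                break
    return findings


def should_quarantine(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an attachment should be held back from the user, with a reason."""
    f = inspect_ooxml(data)
    if not f["is_ooxml"]:
        return False, "not an OOXML container; legacy OLE2 files need a separate parser"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    has_macros = bool(f["has_vba_part"]) or f["declared_type"] is not None
    if not has_macros:
        return False, "no VBA project found"
    if ext in NON_MACRO_EXTENSIONS:
        return True, "macro content inside a file named with a non-macro extension"
    return True, "document contains a VBA project"


def build_sample(main_content_type: str, include_vba: bool) -> bytes:
    """Constructed sample: a minimal OOXML package for the demo, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{main_content_type}"/>'
            "</Types>",
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if include_vba:
            # Stand-in bytes; a real vbaProject.bin is an OLE2 stream containing the macros.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


CLEAN_DOCX = build_sample(
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml", False
)
MACRO_DOCM = build_sample("application/vnd.ms-word.document.macroEnabled.main+xml", True)

if __name__ == "__main__":
    for name, blob in [("resume.docx", CLEAN_DOCX), ("resume.docm", MACRO_DOCM), ("resume.docx", MACRO_DOCM)]:
        print(name, should_quarantine(name, blob))
```

In a mail gateway this decision would feed a quarantine rather than a print statement, and the same inspection should run on attachments inside zip files, since that is the other common way macro documents are delivered.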
2) Make sure that the user is not running with admin rights over their own system or any other network system. Why? Because unless you are an IT administrator, you don't need admin rights to perform your daily duties. Malware runs with the rights of the user who opened it. As a standard user, ransomware can still encrypt that user's own files and any share they can write to, but as a local or domain administrator it can also disable the endpoint's security software, delete the Volume Shadow Copies that might have allowed a quick recovery, install itself to persist, and reach systems the user never needed to touch. In addition to the ability to install programs on your machine, admin rights give you the power to do great harm – things like taking down the entire company for a week…
This is a classic example of the principle of least privilege; meaning you have the rights you need to do your job but no more. Think about this for a second – why would you have more power than you need to do your job?
3) Restrict access to documents and file shares on the network to only the files the employee needs, not "share everything with everyone." Why? Because not every employee needs access to every document on the entire system, and the blast radius of a ransomware infection is exactly the set of files the infected account can write to: every mapped drive and share where the user has modify rights gets encrypted along with the local disk. Let's again assume that this was a high-level HR executive who received the attack via email. It is logical to assume this staff member needed access to most or all of the HR documents in the organization, but not the entire company, and much of what they did need could have been read-only. This is another example of the principle of least privilege.
4) Have strong, validated backups of all of your critical data, and a plan to quickly and reliably restore it within a pre-determined window of time (a recovery time objective). Backups must be kept where the ransomware cannot reach them: a backup on a mapped drive or share that the infected user can write to will be encrypted along with everything else, so keep at least one copy offline, or on storage that workstation credentials cannot modify. Restores should be tested so that recovery time is a known quantity – hopefully one that is less than a week of downtime (unless your business can tolerate that sort of thing; most can't).
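One way to make "validated" concrete, as an added example that is not from the original post: record a SHA-256 manifest of the protected tree when the backup is taken, and during a restore drill compare the restored tree against that manifest. A drill passes only when nothing is missing and nothing has changed; stray extra files are reported because they usually mean the wrong snapshot was restored, or a restore was done on top of an already-infected volume. The directory contents below are constructed sample data written to a temporary directory, and `verify_restore`, `restore_drill_passed` and `demo` are my names for the illustration, not any backup product's API.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file (path relative to root) to its SHA-256. Capture this at backup time."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: Dict[str, str], restored_root: Path) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest captured when the backup was taken."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "changed": sorted(k for k in manifest if k in restored and restored[k] != manifest[k]),
        "extra": sorted(set(restored) - set(manifest)),
    }


def restore_drill_passed(report: Dict[str, List[str]]) -> bool:
    """The drill passes only when every backed-up file came back byte-for-byte identical."""
    return not report["missing"] and not report["changed"]


def demo() -> Dict[str, List[str]]:
    """Constructed sample data: a small 'HR share', its manifest, and a deliberately bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "hr_share"
        (src / "policies").mkdir(parents=True)
        (src / "policies" / "handbook.txt").write_text("Employee handbook v3\n")
        (src / "payroll.csv").write_text("id,name\n1,Alice\n")
        (src / "readme.txt").write_text("HR share\n")
        manifest = build_manifest(src)  # in practice, stored alongside the backup, off the share

        restored = Path(tmp) / "restore_test"
        (restored / "policies").mkdir(parents=True)
        (restored / "policies" / "handbook.txt").write_text("Employee handbook v3\n")  # intact
        (restored / "payroll.csv").write_text("id,name\n1,Alice\n# trailing junk\n")  # damaged
        (restored / "stale.tmp").write_text("left over\n")  # not part of the backup
        # readme.txt is deliberately not restored at all
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    report = demo()
    print(report, "PASS" if restore_drill_passed(report) else "FAIL")
```

Timing the drill from "restore started" to `restore_drill_passed` returning true gives the measured recovery time the paragraph above asks for; if that number is larger than the window the business can tolerate, the backup plan is not yet adequate, however complete the copies are.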
Questions? Feel free to contact us for a quick chat – absolutely free – about these threats, and what you can do to protect yourself.