There have been several recently high-profile cyber-attacks in the last few weeks, including the biggest cyber-attack in history. On May 12, more than 200,000 businesses and institutions all over the world, including Fed Ex and the UK’s National Health System, were hit with a ransomware called WannaCry (also known as WannaCrypt).
A couple weeks before that, millions of Gmail users were sent a phishing email disguised to looked like an invitation to collaborate on a Google Doc.
There are a few key lessons every business should learn about cybersecurity from these attacks:
Don’t assume it won’t happen to you.
The large enterprises affected by cyber-attacks make the headlines, but that doesn’t mean they are the only targets. There doesn’t seem to be any rhyme or reason to the companies targeted by the WannaCry attack – no common industry and no common size. The only commonality was the vulnerability exploited by the attack.
The Google phishing attack targeted any Gmail users. Once one person fell for it, their email was then used to send our more phishing emails. Again, this wasn’t targeting just enterprises or any specific industry.
A lot of people, especially in small business, think it’ll never happen to them. But cyber criminals are increasingly targeting small businesses. They know and exploit the fact that small businesses don’t have the same resources to fight cybercrime that enterprises do, making them easier targets.
Upgrade your technology before end of life.
We’re not saying you need to update to the newest operating system as soon as it’s released. But when an operating system (or server or other system) reaches end of life (meaning it has reached end of support from the manufacturer and will no longer receive any feature or security updates), it’s time to upgrade.
Many of the companies affected by the WannaCry attack were running Windows XP and/or Windows Server 2003, both of which reached end of life several years ago. So, even though the vulnerability exploited by this attack had been fixed in a security patch released by Microsoft in March, companies running outdated technology didn’t receive it.
In this case, Microsoft did end up releasing an emergency quick-fix patch for end of life machines because of the enormity of the attack. This is not the norm, though. Once an operating system or server reaches end of life, 99.9% of the time, it will not receive ANY updates.
Please note: If you’re still running Windows Vista, it’s time to update. It reached end of life in April, so it received the patch that fixed the vulnerability in WannaCry, but has not received patched in a couple months and will not receive them moving forward. Upgrade your operating system as soon as possible.
Keep your systems and computers updated with the latest security patches.
Yes, it can be annoying to restart your computer (or phone) and install system updates, especially if it’s a big update. But these updates contain critical security patches and need to be installed by all employees as soon as possible.
The WannaCry attack exploited a vulnerability that was patched by Microsoft in March, so most users should have been safe. But if you’re the type to push off updates as long as you can, you will be vulnerable.
If your IT team pushes updates to automatically patch your computer, check with them to see if there is anything you need to do to make sure those patches get installed. We push security patches to customers as they become available, but they will only install properly if the computer is powered on. We recommend customers have all employees leave their computers on at least one night every week to ensure they’re getting patches.
Back up your critical systems and data.
It’s not known how many of the victims of the WannaCry attack have paid the ransom to get their files back. We’ll probably never know exactly. As of Monday morning, some security experts were estimating around 100 had paid (and that number will likely continue to rise).
The best way to guarantee you won’t have to pay to get your files back if you do fall victim to ransomware is to have comprehensive, off-site backups. At the very least, you should be backing up your most critical systems and information. If possible, these backups should be encrypted and password protected.
If you’re not sure how often you should back up your data, consider this: If you were to be hit by ransomware (or something else that takes out all your data), how much data could you lose and still be able to operate with minimal disruption? A day? A week? That’s how often you should run a full back up at a minimum. We have some customers who a full back up once a week and back up any information that has been changed every night.
Stay vigilant and train your employees.
Your employees are your first line of defense. All it takes is one employee falling for a phishing attack or clicking on a bad link and getting ransomware for your entire company to be put at risk. All your employees should be trained on data security best practices.
This includes knowing the warning signs of a suspicious email. Phishing attacks targeting users of specific programs are becoming increasingly harder to spot. The Gmail phishing attack was incredibly sophisticated. Having employees who can spot a phishing attack and know how to react can go a long way to keeping your business safe.
Widespread attacks this large aren’t the norm (yet), but cyber-crime is. Bring proactive about your data security can save you a lot of headaches (and a lot of money) down the line. For more in-depth reading on these kinds of attacks and other data security best practices, check out these blog posts:
- What You Need to Know about Ransomware
- How to Spot Phishing Emails
- Why Running Outdated Technology is Bad for Business
- Why Data Security Should be Treated as an Operating Expense