Ransomware attacks are in the news… again! In a ransomware attack, criminals gain access to a network, encrypt the organization's files or lock it out of its own systems, and then demand a ransom to restore access. Increasingly they also copy the data before encrypting it and threaten to publish it if the ransom is not paid. A small business (SMB) can be crippled if this happens.

What can a small business (SMB) do to protect itself from a ransomware attack?  Can we afford to take the recommended actions, even if we want to?  These are important questions, and we are going to address them and identify ways to protect your information without becoming a cybersecurity expert or spending money you don't have.

There are two approaches to consider when protecting your SMB, and we will cover them in two blog posts.  People, and the technology they use, have the greatest impact on whether an SMB survives a ransomware attack.  This article focuses primarily on people, and on the policies an SMB can put in place to give employees guidance on securing company resources, along with their personal ones.

The National Institute of Standards and Technology (NIST) recently updated and published guidance written specifically for SMBs that applies equally well to non-profit organizations looking to improve their security posture.  The NIST recommendations, along with links to the source material, are below.

NIST is a non-regulatory agency of the United States Department of Commerce that operates six research laboratories.  One of these is the Information Technology Laboratory (NIST ITL), whose mission is to cultivate trust in information technology and metrology.

NIST ITL has been accredited by the American National Standards Institute (ANSI) as a standards developer since 1984.  The National Technology Transfer and Advancement Act (NIST ITL Standards Activities) charges NIST with supporting the development and use of voluntary consensus standards as the preferred source of standards for the Federal Government.  NIST ITL is the source of the Federal Government's cybersecurity standards and guidance, including the FIPS and Special Publication 800 series.

NIST published a short set of tips and tactics for dealing with ransomware on May 13, 2021 (Tips and Tactics).   There is also a baseline security posture that is achievable with the tools built into Microsoft products.  We will review the eight NIST recommendations here and the Microsoft tools in the next post.

NIST Tips & Tactics, and How SMBs Can Apply Them

1. Use antivirus software at all times.

Microsoft Defender Antivirus (formerly Windows Defender) is built into Windows 10 at no extra cost.  It is on by default unless another antivirus product has replaced it, so if you already use Windows you only need to confirm that it is running, that real-time protection is enabled, and that its definitions are current.  Defender still carries a reputation from its early years for being a second-rate product, but it is not: it has consistently ranked among the best antivirus products in recent years.

2. Keep your computer fully patched and updated.

Windows comes prepared to search for, notify you of, and install updates as they are published.  These updates include patches for known security issues as well as bug fixes.  You can let the updates install automatically, or install them manually by searching for Windows Update on your machine.  One caveat: Windows Update does not cover most third-party software, so browsers, Office, PDF readers, and remote-access tools need their own update routine, because those are the applications attackers most often exploit to get a foothold.
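To make tips 1 and 2 checkable rather than a matter of trust, here is a read-only PowerShell audit that reports Defender's status and any pending Windows updates.  This is an added example, not code from NIST or from the original post; it uses only the built-in Defender cmdlets and the Windows Update Agent COM API, and the "3 days" signature-age threshold is an assumption you can adjust.  Run it from an elevated PowerShell prompt on Windows 10.

```powershell
# Added example (not from NIST or the original post): read-only check of
# NIST tips 1 (antivirus on) and 2 (patched) on a Windows 10 machine.
$problems = @()

# --- Tip 1: Microsoft Defender Antivirus status ---
$mp = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled      = $mp.AntivirusEnabled
    RealTimeProtection    = $mp.RealTimeProtectionEnabled
    SignatureAgeDays      = $mp.AntivirusSignatureAge
    SignaturesUpdated     = $mp.AntivirusSignatureLastUpdated
    LastQuickScan         = $mp.QuickScanEndTime
} | Format-List

if (-not $mp.AntivirusEnabled)          { $problems += 'Defender antivirus is disabled (another product may have replaced it)' }
if (-not $mp.RealTimeProtectionEnabled) { $problems += 'Real-time protection is turned off' }
if ($mp.AntivirusSignatureAge -gt 3)    { $problems += "Signatures are $($mp.AntivirusSignatureAge) days old (threshold of 3 is an assumption)" }

# Fixes for the two most common findings. Commented out so this script stays
# read-only; uncomment to apply.
# Set-MpPreference -DisableRealtimeMonitoring $false
# Update-MpSignature

# --- Tip 2: pending updates, via the Windows Update Agent COM API ---
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')   # not yet installed, not hidden by a user

$pending = foreach ($u in $result.Updates) {
    [pscustomobject]@{ Title = $u.Title; Severity = $u.MsrcSeverity; KB = ($u.KBArticleIDs -join ',') }
}
if ($pending) {
    "Pending updates:"
    $pending | Format-Table -AutoSize
    $problems += "$(@($pending).Count) update(s) waiting to be installed"
}

# The five most recently installed hotfixes, as a sanity check that updates
# actually land on this machine (InstalledOn is blank for some older entries).
"Recently installed hotfixes:"
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, Description, InstalledOn

# --- Summary ---
if ($problems) {
    "`nFINDINGS:"
    $problems | ForEach-Object { " - $_" }
} else {
    "`nNo findings: Defender is on and up to date, and no updates are pending."
}
```

The script changes nothing on the machine; the two commented-out lines are the fixes for the findings it reports most often.  Running it on each company computer once a month, or keeping its output as evidence that the policy is actually followed, is a realistic routine for a business with no IT staff.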

3. Block access to Ransomware sites.

This simple-sounding tip is rarely addressed directly, if at all, by antivirus software.  We use a virtual private network (VPN) combined with additional software that can block access to any internet site.  I have not yet found an antivirus product I can recommend for meeting this NIST recommendation.  For a small business the usual low-cost approach is a DNS filtering service that simply refuses to resolve known-malicious domains; Windows 10 also includes two related controls worth evaluating, SmartScreen in Edge and network protection in Microsoft Defender, both of which block known-malicious sites.

4. Allow only authorized applications.

NIST recommends configuring your computers, either on your own or with third-party software, so that only authorized applications can be installed and run.  Microsoft provides tools for this (AppLocker and Windows Defender Application Control), but they are not simple to put in place.  A written policy that lists the software authorized for use on company computers is a simple and easily adopted way to meet this practice.

SMBs can list the software that may be installed on company computers and limit the number of people allowed to install it.  This simple policy can go a long way toward preventing many types of malicious software, provided someone periodically checks that what is actually installed matches the list.
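A written software list only works if someone checks the computers against it.  The following PowerShell audit is an added example, not from NIST or the original post: it reads the same registry entries that "Apps & features" displays and reports anything that does not match an approved-software list.  The approved list here is a placeholder that you would replace with your own policy; the wildcard patterns are an assumption to absorb version numbers in product names.

```powershell
# Added example (not from NIST or the original post): compare installed
# software against the company's approved list. Read-only; works without
# admin rights for the HKLM entries and the current user's HKCU entries.

# Placeholder policy list; replace with your own. Patterns use -like wildcards.
$approved = @(
    'Microsoft Office*',
    'Microsoft Edge*',
    'Microsoft Visual C++*',     # runtimes pulled in by other approved software
    'Google Chrome',
    'Mozilla Firefox*',
    'Adobe Acrobat*',
    '7-Zip*'
)

# All three locations feed "Apps & features". The HKCU key matters most:
# per-user installs need no admin rights, which is exactly how much malware
# and unwanted software gets onto a machine that otherwise follows the policy.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
                  @{ n = 'Scope'; e = { if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'user' } else { 'machine' } } } |
    Sort-Object DisplayName -Unique

$unapproved = $installed | Where-Object {
    $name = $_.DisplayName
    -not ($approved | Where-Object { $name -like $_ })
}

"Installed packages: $(@($installed).Count); not on the approved list: $(@($unapproved).Count)"
if ($unapproved) {
    $unapproved | Format-Table DisplayName, DisplayVersion, Publisher, Scope, InstallDate -AutoSize
}

# Keep a dated inventory so changes between audits are visible.
$installed | Export-Csv -NoTypeInformation -Path ("software-inventory-{0}.csv" -f (Get-Date -Format 'yyyy-MM-dd'))
```

Expect a few false positives on the first run (drivers, runtimes, vendor utilities); add those to the list deliberately rather than ignoring the report, so that the next run is short and anything new stands out.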

5. Restrict personally owned devices.

This tip can come with a cost.  If you or an employee needs access to the company network from a phone, the company should consider providing a company-owned phone for it.  The company can decide which apps are installed on a company phone and how it is used; it cannot do that for an employee's personal phone.  The decision comes down to either providing a phone and controlling the apps on it, or not allowing company information to be accessed from personal phones at all.

This tip does not apply to using a personal phone for calls and routine text messages.  It does, however, preclude an employee from accessing company email, files, and related data on that phone.

6. Use Standard User Accounts.

No one should do their daily work with an account that has admin privileges.  Period.  Users who are authorized to install software should be given a separate admin account used only for that purpose.  Malware that runs under a standard account cannot install itself system-wide or disable security tools, and the credential prompt forces the person who is about to make that mistake to look at the install again.  One caveat: a standard account does not stop ransomware from encrypting the files that user can already write to, which is why backups remain essential.
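The following PowerShell shows how to check the account situation on a Windows 10 machine and how to make the change the tip calls for.  It is an added example, not from NIST or the original post; the account names `jsmith` and `jsmith-admin` are placeholders.  The check portion is read-only; the fix is commented out and must be run once from an elevated prompt.

```powershell
# Added example (not from NIST or the original post): audit and fix NIST tip 6.
# Placeholder account names; substitute your own.
$dailyUsers = @('jsmith')            # people who should NOT be in Administrators

# Is this session elevated? Under UAC an administrator's normal desktop runs
# with a filtered token, so this is $true only in an elevated prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Logged in as $($identity.Name); elevated: $elevated"

# Who is in the local Administrators group (Get-LocalGroupMember needs PowerShell 5.1+).
$admins = Get-LocalGroupMember -Group 'Administrators'
"Members of Administrators:"
$admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# Daily accounts that still hold admin rights. Member names look like
# COMPUTER\jsmith or AzureAD\jsmith, so compare only the part after the backslash.
$offending = $admins | Where-Object { $dailyUsers -contains ($_.Name -split '\\')[-1] }
if ($offending) {
    "FINDING: daily account(s) in Administrators: $(($offending.Name) -join ', ')"
} else {
    "OK: no daily accounts hold admin rights."
}

# Fix, run once from an elevated prompt: create a separate admin account for the
# person who installs software, then remove the daily account from Administrators.
# Afterwards, installing software from the daily account triggers a UAC prompt for
# the jsmith-admin credentials, which is the "look at it again" moment.
# $pw = Read-Host -AsSecureString 'Password for jsmith-admin'
# New-LocalUser -Name 'jsmith-admin' -Password $pw -FullName 'J. Smith (admin only)'
# Add-LocalGroupMember    -Group 'Administrators' -Member 'jsmith-admin'
# Remove-LocalGroupMember -Group 'Administrators' -Member 'jsmith'
```

Before removing the last account from Administrators, make sure the new admin account can actually log in; locking everyone out of the machine is the one way this change goes wrong.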

7. Avoid using personal applications and websites.

Personal sites and services such as Gmail, Facebook, and Instagram should not be accessed from company computers or phones.  These applications can stay on personal devices that do not touch company information or networks.  Microsoft provides tools to help enforce this, but company culture and a clear policy are the simplest way to put the practice in place.

8. Beware of unknown sources.

This tip could have been the first one NIST mentioned.  Most malware still arrives by email.  Do not click on links or open attachments from anyone you do not know, and look carefully before you do either even when you think you know the sender: hover over a link to see where it really goes, and confirm an unexpected attachment with the sender by phone or another channel, since a compromised account sends convincing mail to everyone in its address book.

These tips from NIST are not meant to be the definitive list for preventing successful ransomware attacks.  They are meant to provide a simple and cost-effective start, focused on people and policies, that any SMB can implement.  NIST provides additional information on recovering from a ransomware attack at the link listed above.

Jim Derry is a small business owner and software engineer.  Derry Software focuses on designing Software as a Service (SaaS) solutions for.  Please contact us for more information on simple steps to protect your information and resources at jim@derrysoftware.com.
