Criminals made more than US$5 billion in 2017 by infecting computers with software that encrypts key data and leaves the machine unusable until a payment is made to the criminals. In other words, a company's or an individual's computer (which may contain sensitive data, client databases, etc.) is held hostage. Ransomware attacks are becoming more common, and the 2018 Threat Impact and Endpoint Protection Report by KnowBe4 shows that companies of all sizes are at risk, although mid-market companies are the most likely (29 per cent) to say they suffered a ransomware attack in the past year. While the majority (85 per cent) of companies in the KnowBe4 survey chose not to pay the ransom, the remaining 15 per cent did pay sums ranging from $500 to $1 million.
The question of whether to pay is determined by what type of data has been encrypted (is it sensitive, protected?), whether or not the company has a backup copy of the affected data and, of course, the size of the ransom demanded. KnowBe4's graph, below, shows that office files are the most common type of data affected by ransomware attacks, while other types of proprietary, sensitive data are often also targeted.
Companies sometimes choose to accept the loss of the data and continue business regardless, which can be cheaper than paying the ransom or working to recover the data. Beyond the financial impact, ransomware also causes company downtime and disruption. The report outlines the following methods of preventing or minimising the risk of a ransomware attack, with the emphasis on training employees and raising awareness:
- Rely on security-focused software. In other words, “fight evil technology with good technology”. KnowBe4 says it has seen a large investment this year in multiple endpoint protection solutions to create a layered defence.
- Employee training on the current state of phishing, malware, external attacks and ransomware needs to take place on a regular basis – once a year is not enough.
- Companies should consider monthly security training done via email or using videos to educate employees.
- They can also deploy mock phishing tests for high-risk employees, focusing on employees with access to more sensitive or critical data within the organisation.