
Ransomware - the alarming trend in 2020

Some of those reading this will become the victims of a particularly damaging form of ransomware attack. And it could happen tomorrow.

Why do practices fail to put in place the proper defences needed to protect themselves? There are 2 simple reasons. Both arise from misconceptions.

The first misconception is that you are not a target for cyber criminals. Regardless of your size or location, you are a potential target. Attacks are orchestrated by organised criminal gangs, using automated and sophisticated techniques. Your business might not have been singled out to start with, but once a vulnerability is found, once an access route into your systems is discovered, more focused attention and attacks will follow.

The second misconception is the assumption that your external IT support is qualified to look after your cybersecurity. In almost every case they are not. And that is not having a go at your IT providers: IT support is trained to set things up for ease of access and productivity, not for security or cyber risk management. Cybersecurity is a very different discipline from generalist IT support, covering more than just technology. You would not want your GP to carry out your heart surgery.

All too often, new clients come to us in a state of panic after suffering a breach, which means we see the types of attack that are taking place right now.

Ransomware attacks in 2020

Ransomware is a type of malicious software which encrypts your data. In other words, it scrambles everything, so it is impossible to access any information. The criminals then demand a ransom, promising in return to provide you with the key to decrypt or unscramble it all. Currently the going rate starts at $50,000 for the smallest practices, rising sharply into hundreds of thousands for larger ones.

We have found that very few practices have set up their backup systems correctly to enable them to restore everything. Usually the technical configuration of the backup is wrong; often the backups end up as copies of the corrupted versions of the data. At best it can take a long time to restore everything, during which time your work has ground to a halt.

If you can avoid paying the ransom, there is still the question of what confidential data may have been accessed. Will the fraudsters strike again? Are they still in the network?

Since late 2019, the stakes have got higher, with the alarming new trend of stealing a copy of your data as a first step, before encrypting the version you have on your system. This gives the fraudsters 2 ransom opportunities. First, they demand payment for the decryption key. Then they threaten to publicly release, piece by piece, the confidential data they have stolen about you, your clients, and your projects, unless you pay up. This means that even perfectly configured backup arrangements will not protect you.

Even if you do pay up, you cannot prevent the criminals later using the data to mount further cyberattacks.

Defence

So what should you be doing to defend your practice? The starting point is to undertake a risk assessment covering a range of issues and behaviours across the 3 pillars of technology, people and process.

Look at your overall business set up:

  • What technology do you have, and how do you use it?
  • What data do you hold, and who has access to it?
  • What remote working takes place, and do people use their own devices?
  • What third parties and collaboration platforms do you work with or rely upon?
  • What controls do you have in place, and how do you check they are working?
  • How do you monitor security on an ongoing basis?

And lots more.

We assess firms against the following 10 themes:

1. Digital behaviour

2. Antivirus

3. Operating system patching

4. Mobile phone security

5. Remote working

6. Application software patching

7. Access management

8. Network security

9. Information transfer and handling

10. Backup

As part of assessing and testing your security, it is advisable to undertake some technical vulnerability scanning. The frequency of this will depend upon your risk assessment and may change. This will help to identify vulnerabilities in your network and technology.

We are sometimes asked whether doing some old style penetration testing is sufficient to keep you safe. The answer is NO. Some penetration testing can of course prove useful or indeed necessary in some circumstances. But the traditional form usually only looks at one part of your technology within a defined scope, and usually just tells you whether an individual has been able to break into it. It is not assessing where your real business and operational risk lies, and consequently it is not addressing those risks.

Always keep in mind that security is not just about the technology itself. It’s also about people and process.

You must give your staff cybersecurity awareness training, on an ongoing basis, so that they stay alert and are aware of the techniques criminals employ. This is not attempting to make them cybersecurity experts. It’s making them stop and think before they immediately click on that attachment; it’s making them understand that they must not post certain types of information on social media, and so on. This, together with testing of their understanding following training and the use of simulated phishing attacks, dramatically reduces your risk of being breached.

Give your staff a cybersecurity handbook so they know the rules and what they can and cannot do.

You must have a risk management structure in place, providing the right policies, and systems to govern your technology and the way it is being used. You must identify the controls which will manage risk and there must be periodic checks to prove that your controls are working.

Security is not a one-off MOT. It requires ongoing assessment and review.

If you become a victim

If you find that your business becomes a victim of any type of serious cyber breach, please urgently get a specialist to respond to the incident. You must:

  • Isolate systems/data as necessary
  • Ensure that the attack has ended
  • Prove that the malicious software and connections have been removed
  • Prove that your network has been secured
  • Conduct an appropriate investigation so that you understand how it happened and what data has been taken

We have found that if the incident is not managed correctly, it can result in the destruction of the footprint showing where the criminals have been and what data they have taken, which means you do not know what to tell your clients, your business relationships or the ICO. Often, the criminals have not even been kicked out: they are still in the system and confidential client data is continuing to be removed. This can mean lessons are not learnt and the defences remain weak, making the same attack more likely to happen again.

Finally, ensure that, depending upon the nature and severity of the incident, you comply with the appropriate reporting obligations, which may include notifying:

  • Your bank
  • The police
  • Your PI insurer
  • Any cyber insurer
  • The ICO
  • Your employees; and most importantly
  • Your clients and business relationships

RIBA has partnered with Mitigo to offer technical and cyber security services for our members.

View the full service offer on our technical security page.

For more information contact Mitigo on 0161 88 33 507 or email riba@mitigogroup.com
