What to Do about Recent Ransomware Warnings

Protect yourself against ransomware

Earlier this week, USA Today published a warning about the Medusa ransomware threat and quoted the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) on ways to protect firewalls and similar network defenses. Those were logical recommendations for larger companies, but they missed one key fact:

Most ransomware starts with email – not your firewall.

By most industry estimates, more than 90% of ransomware incidents begin with email, a far simpler and more effective way in for the bad guys than brute-force attacks against your firewall.

Email is an effective delivery system — not because email is inherently weak, but because humans are. We click on emails we aren’t expecting from people we don’t know, opening our doors to strangers because they appeal to our impulses.

(Marketers already know this, which is why you may own herb scissors or an electric s’mores maker.)

In my view, today’s successful hackers and ransomware thieves are like talented marketers who have been drawn by greed to the dark side.

Why Email Works for Ransomware

Most of us are moving at 90 MPH at work. We don’t take the time to be careful with email. Both marketers and hackers are experts at catching our attention in a fast-paced day.

For instance, if one of your interests is advancing your career, and an incoming email says “Harvard study shows how to boost your career success,” you might click. If you do, and the email is actually from Harvard, you’re lucky, and their marketers win. But if the email comes from someone only pretending to have a Harvard connection, your click on the link in that email is all it takes for them to find a way into your system.

So remember:

Most ransomware infections start with a phishing email that tricks an employee into clicking a malicious link or opening an infected attachment.

And that’s why beefing up your firewall won’t protect you as much as you think it might.

Here’s my handy guide to protecting yourself from hackers and ransomware criminals.

  1. Educate Your Employees

Phishing Awareness: Employees need ongoing training to recognize phishing tactics, like fake invoices, urgent requests from “the boss,” and too-good-to-be-true offers.

Test: Companies that run regular phishing simulations (mock attacks, followed by a short lesson for anyone who clicked) typically see employee click rates on malicious emails fall steadily over time, and the reporting rate rise.

Report, Don’t Click: Encourage employees to report suspicious emails before acting. A simple internal reporting process can prevent disaster. (We encourage our clients to use email filtering protection, which allows them to report phishing with a click. Simple.)

  2. Add Email Filters

AI-Powered Email Filtering: Ensure your email has phishing detection that scans for suspicious sender behavior, attachments, and links and filters them out before they reach your inbox. Make sure it also checks the sender-authentication records (SPF, DKIM and DMARC), so a message that merely claims to come from your own domain or a partner's is rejected rather than trusted. Bad guys are using AI to target you, so fight back with AI to level the playing field.

Enable Multi-Factor Authentication (MFA): Even if an attacker steals a password through phishing, MFA can block the login because the password alone is no longer enough. Prefer an authenticator app or a hardware security key over codes texted to your phone: SMS codes can be intercepted or simply phished along with the password, and no form of MFA helps if an employee approves a sign-in prompt they did not initiate, so teach staff to deny prompts they don't recognize.

Block Attachments and Links: Restrict file types that are rarely legitimate in email (e.g., .exe, .js, .vbs, .iso, .lnk and macro-enabled Office files), look inside archives such as .zip rather than trusting their names, watch for double extensions like "invoice.pdf.exe", and use link scanning that checks where a URL really goes before users have an opportunity to click.

Not using advanced email filtering is the business equivalent of wearing flip-flops in a snowstorm.
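The three checks in this section (who the sender really is, where a link really goes, what an attachment really is) are what a basic filter does mechanically. The following is an added example, not code from the original post or from any product it mentions: it triages a constructed message modelled on the fake "Harvard study" lure from earlier in the article. The display name borrows a brand that the sender's domain does not back up, the Reply-To points somewhere else, the visible link text names harvard.edu while the href goes to another host, and a .zip attachment hides a double-extension executable. The brand list, the blocked-extension set and the sample message are assumptions constructed for this example.

```python
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlparse

# Attachment types a small-business mail filter should quarantine outright.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1",
                      "lnk", "iso", "img", "docm", "xlsm"}
ARCHIVE_EXTENSIONS = {"zip"}
# Brands worth protecting against impersonation. Constructed for this example;
# a real deployment would list the organisations your staff actually deal with.
KNOWN_BRANDS = {"harvard": "harvard.edu"}

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)")
BARE_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registered_domain(host):
    """Crude 'registrable domain': the last two labels. Enough for .com/.edu here."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "").lower()


def check_sender(msg):
    """Flag brand names in the display name that the From domain does not back up,
    and Reply-To addresses that steer replies to a different domain."""
    findings = []
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = registered_domain(addr.rpartition("@")[2])
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in name.lower() and from_domain != real_domain:
            findings.append(f"display name '{name}' but sender domain is {from_domain}")
    _, reply = email.utils.parseaddr(msg.get("Reply-To", ""))
    if reply and registered_domain(reply.rpartition("@")[2]) != from_domain:
        findings.append(f"Reply-To {reply} does not match From domain {from_domain}")
    return findings


def check_links(html):
    """Flag anchors whose visible text names one site while the href goes to another,
    hrefs that hide the real host behind 'user@', and links to bare IP addresses."""
    findings = []
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        target = urlparse(href)
        host = target.hostname or ""
        shown = HOST_IN_TEXT.match(text.lower())
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            findings.append(f"link text '{text}' actually goes to {host}")
        if target.username:  # e.g. https://harvard.edu@evil.example/ resolves to evil.example
            findings.append(f"URL uses user@host trick to disguise {host}")
        if BARE_IP.fullmatch(host):
            findings.append(f"link to bare IP address {host}")
    return findings


def risky_name(filename):
    """Return a finding for blocked types, noting double extensions like x.pdf.exe."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXTENSIONS:
        kind = "double extension" if len(parts) > 2 else "blocked type"
        return f"{filename}: {kind} .{ext}"
    return None


def check_attachments(msg):
    """Check attachment names, and look inside .zip archives instead of trusting them."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        hit = risky_name(name)
        if hit:
            findings.append(hit)
            continue
        if name.lower().rpartition(".")[2] in ARCHIVE_EXTENSIONS:
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    findings += [f"{name} contains {risky_name(m)}"
                                 for m in zf.namelist() if risky_name(m)]
            except zipfile.BadZipFile:
                findings.append(f"{name}: unreadable archive")
    return findings


def triage(raw_message):
    """Parse a raw RFC 5322 message and return a verdict with the reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = check_sender(msg) + check_attachments(msg)
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        findings += check_links(html.get_content())
    return {"verdict": "quarantine" if findings else "deliver", "findings": findings}


def build_sample():
    """Constructed phishing lure modelled on the fake 'Harvard study' email."""
    msg = EmailMessage()
    msg["From"] = "Harvard Career Services <alerts@careers-update.com>"
    msg["Reply-To"] = "replies@mail-relay.net"
    msg["To"] = "sam@example.com"
    msg["Subject"] = "Harvard study shows how to boost your career success"
    msg.set_content("Read the study at the link below.")
    msg.add_alternative(
        '<p>Read it here: <a href="https://harvard.edu@careers-update.com/login">'
        'https://harvard.edu/career-study</a></p>', subtype="html")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Career_Study.pdf.exe", b"MZ not really an executable")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Career_Study.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample())["findings"]:
        print("-", line)
```

Each check is cheap and explainable, which matters when a filter has to tell an employee why a message was held. The brand list is the weak point of any such filter: it only catches impersonation of names you thought to list, which is why the sender-authentication checks (SPF, DKIM, DMARC) mentioned above belong in front of it.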

  3. How to Limit Damage

Small businesses are increasingly targeted by ransomware criminals because attackers assume small business owners won't take sufficient precautions. So, be the exception and put protective gear on your systems.

Think of it like a bulletproof vest. It will prevent most harm, but a determined thief will occasionally succeed. For small businesses, that's a problem, because those that have been attacked have a low survival rate: a frequently cited estimate is that 60% of them close within six months. And that can happen whether or not they pay the ransom, which is usually quite high.

But that doesn’t mean you’re helpless. Limit the damage from unwanted digital intruders and position yourself to recover quickly by preparing in advance:

Backup, Backup, Backup: Keep at least one offline (or immutable) backup that ransomware can't reach, and another in a cloud backup service that is entirely separate from your Google Drive or OneDrive accounts. Sync folders are not backups: they faithfully mirror whatever is on your computer, so once files are encrypted locally the encrypted copies are uploaded too, and an attacker who has your login can delete them outright. Test a restore periodically; a backup you have never restored from is a hope, not a plan. Working backups mean you don't have to pay ransom for your data because you already have a copy. This is how you take going out of business off the table.

Restrict Access: The days when every employee can have access to everything are over. That's because ransomware spreads fastest when employees have unnecessary access to files and systems they don't need to perform their jobs. Why? When an intruder breaks into Sam's computer, they gain entry to everything Sam has permission to access, and ransomware running as Sam can encrypt every shared folder Sam can write to. So, give Sam permission to access only the files he needs for his job, and nothing more.

Isolate Infected Devices: If an attack occurs, immediately disconnect affected devices from the network (unplug the network cable, turn off Wi-Fi) to prevent a spread across the network. If you're not sure what's infected, disconnect everything. Prefer pulling the network plug to pulling the power plug: powering a machine off destroys evidence in memory that your IT people or an incident responder may need to work out what happened and how far it got. It may shut you down for a day, but that's a smaller problem than being shut down for weeks or months (or forever).
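The backup advice above has a corollary the paragraph leaves implicit: a backup you have never verified or restored from is not yet a backup, and a folder that syncs to the cloud is a mirror, not a backup. The following added example (not code from the original post) simulates that in a temporary directory. It takes an offline copy with a SHA-256 manifest, lets a mock encryptor overwrite the live files, shows that the synced mirror dutifully picks up the damage while the offline copy still verifies clean, and then runs a test restore and verifies it. The file names and contents are constructed for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "backup-manifest.json"   # stored beside the backup, lists every file's hash


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}


def make_backup(src, dest):
    """Copy src to dest and record what was copied, so the copy can be proven later."""
    shutil.copytree(src, dest, dirs_exist_ok=True)
    manifest = build_manifest(dest)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_against(manifest, root):
    """Return the files that are missing from root or no longer match the manifest."""
    current = build_manifest(root)
    return sorted(p for p, digest in manifest.items() if current.get(p) != digest)


def restore(manifest, backup, target):
    """Wipe target, copy the backup back, and report anything that did not come back intact."""
    shutil.rmtree(target, ignore_errors=True)
    shutil.copytree(backup, target)
    return verify_against(manifest, target)


def simulate_ransomware(folder):
    """Stand-in for an encryptor: overwrite every file's contents with random bytes."""
    for p in list(folder.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(len(p.read_bytes()) + 16))


def sync(live, mirror):
    """Mimic a cloud-sync client: the mirror follows whatever the live folder holds."""
    shutil.rmtree(mirror, ignore_errors=True)
    shutil.copytree(live, mirror)


def demo():
    """Run the whole scenario in a scratch directory and return the verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live, mirror, offline = base / "live", base / "synced-mirror", base / "offline"
        (live / "docs").mkdir(parents=True)
        (live / "invoices.csv").write_text("client,amount\nacme,1200\n")          # constructed data
        (live / "docs" / "plan.txt").write_text("Q3 plan: hire two technicians\n")  # constructed data
        sync(live, mirror)
        manifest = make_backup(live, offline)   # offline copy taken; imagine the drive is then unplugged
        simulate_ransomware(live)
        sync(live, mirror)                      # the sync client uploads the damage
        return {
            "mirror_damaged": verify_against(manifest, mirror),
            "offline_damaged": verify_against(manifest, offline),
            "restore_damaged": restore(manifest, offline, live),
        }


if __name__ == "__main__":
    for label, damaged in demo().items():
        print(f"{label}: {damaged or 'clean'}")
```

The manifest is the part people skip. Without it, "the backup is there" only means a directory exists; with it, the verify step before a restore tells you whether the copy you are about to trust is the one you took. In a real setup the same verify runs on a schedule against the offline copy and the separate cloud backup, and a restore drill like the last step runs at least a few times a year.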

  4. Make a Ransomware Response Plan

Plan for the Worst: Creating a basic list – who to call, how to isolate infected systems, when to contact law enforcement – can make a difference. Your IT person or support company should be at the top of that list – and don’t be shy about reaching out to them, no matter what the hour. Most reputable external support companies have 24/7 emergency answering, and your internal IT people would rather hear from you immediately than wait for morning after all possible damage is done.

Never Pay the Ransom: Paying doesn't guarantee you'll get your data back. Instead, it marks you as a target who pays. Remember, most ransomware operators aren't in the US, so American law enforcement can't easily touch them, and you are unlikely to get your money back. They demand payment in cryptocurrency, which is difficult (though not impossible) to trace, and once they have your money they have little incentive to hand over a working decryptor or to delete the data they copied before encrypting it. Paying a group that is under US sanctions can also expose you to penalties. These are anonymous actors with no moral code, and you have no way to hold them to their word. So, don't risk your future by turning over your assets today.

Applying email filtering and security software before you’re targeted is far less expensive than leaving your door open to criminals.

The Bottom Line

Most small businesses don’t have the funds to build an impenetrable digital fortress around their company, but they can afford to buy the figurative equivalent of locks for their doors, bars for their windows, and an alarm system for anyone who gets past those. A combination like that keeps most intruders out. That’s what employee education, advanced email filtering, and backups do for your business in the digital world – together, they keep more than 90% of the danger at bay at an affordable cost.

Please use these simple steps to protect your business in these times of rising danger from ransomware and other forms of hacking.

Keith Tessler, CMIT Philadelphia