Data security techniques needed for business continuity

Atlantic puffin, an endangered bird – businesses that have not suffered a cyber-incident are getting to be rare

An Atlantic Puffin is hard to find – much like an organization that has not been hit with a cyberattack.

An accountancy firm thought its daily backups were protecting its data. It thought encryption was protecting its data.

But weeks ago their office manager clicked a malicious link in an email. And nobody ever knew about it. Operations continued as normal.

Until they didn’t.

Despite only needing access to payroll records, the office manager had been given access to all client files, so when that one click silently launched the ransomware, it was able to spread across the whole environment and exfiltrate the data of dozens of clients.

Later the ransomware encrypted every file it could reach, so the contents of the company’s computers and servers became inaccessible.

They tried to restore their files from backup, and only then found that many backed-up documents were corrupted. The backup system had never been tested with a real restore, and the integrity of the backed-up files had never been checked against the originals.

The result was nearly two weeks of downtime, thousands in recovery costs and dealing with many client-confidentiality breaches.

What might have prevented this

The accountancy was backing up and encrypting its data – that’s great. No one can argue with those kinds of defenses. They’re essential. But the accounting firm’s experience could have been dramatically different with a comprehensive security plan in place.

No single solution can prevent every attack. That’s why Bryley advises using multiple barriers that force attackers to work harder and increase the likelihood of detecting them before the damage is done.

The following security measures, prioritized based on their potential impact in preventing or limiting attacks like the one that crippled the accounting firm, represent among the most critical defenses for every business (caveat: every circumstance is unique and it’s always best to evaluate your real-life needs). This layered approach works together to help shield an organization from becoming another cautionary tale.

  • Implement the Principle of Least Privilege – The office manager only needed payroll access, not access to every client file. Payroll-only access would have limited or slowed the ransomware’s spread, because malware runs with the permissions of the account that launched it. Restricting each account to job-essential files cuts a breach’s impact when any one account is compromised.
  • Regularly train employees about phishing – The entire incident started with a clicked malicious email link that could have been avoided. Regular phishing training helps employees recognize and avoid the suspicious emails that launch many cyberattacks.
  • Test backups periodically – A backup is only as good as the restore you have actually performed from it. Regular restore testing, with file integrity checked against the originals, would have revealed the corruption before a crisis, when there was still time to fix it.
  • Use enterprise-grade Endpoint Detection and Response – EDR tools watch for ransomware-like behavior (mass file changes, unusual processes, attempts to spread) rather than only known signatures, and can often stop ransomware before it encrypts files.
  • Run antivirus and anti-malware software – These are made to stop known viruses and malware. They complement EDR rather than replace it, since new variants will not match existing signatures.
  • Have an Incident Response Plan – When ransomware hits, confusion, worry and blame increase damage and costs. A definite plan helps people keep their cool and minimizes downtime, client impact and recovery expenses.
  • If there’s multifactor authentication, enable it (as Garin put it) – If the bad link had been harvesting the office manager’s password, multifactor authentication (MFA) would have stopped that stolen password from being reused to take over the account. MFA blocks a lot of automated attacks even when credentials are stolen. The caveat: MFA does not stop malware that the link drops onto the computer, which is what EDR and least privilege are for.
  • Keep software and systems patched – Updated systems are harder for ransomware to exploit after an initial account compromise. Patching closes the vulnerabilities ransomware uses to spread through networks.
  • Encrypt data – Encryption at rest protects client confidentiality if stored files or backups are exfiltrated. It does not protect data in use: a program running as a logged-in user sees files already decrypted, which is one of the criminal work-arounds, and one more reason the other layers matter.
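The backup bullet above is the one a script can make concrete. The following is an added example, not part of the original article or of Bryley’s tooling, of the restore drill the accounting firm never ran: hash the live data into a manifest when the backup is taken, then periodically restore the backup into a scratch directory and check every file against that manifest. It assumes bash and GNU coreutils (sha256sum, mktemp); the sample files and the simulated corruption are constructed for the demo.

```shell
#!/usr/bin/env bash
# Backup restore drill: back up a directory together with a SHA-256 manifest,
# then "restore" the backup into a scratch directory and verify every file
# against the manifest. Added example; assumes bash and GNU coreutils.
set -euo pipefail

# Print the absolute path of $1 (the manifest must stay usable after a cd).
abspath() { ( cd "$(dirname "$1")" && printf '%s/%s\n' "$(pwd)" "$(basename "$1")" ); }

# make_manifest SRC OUT: one "<sha256>  ./relative/path" line per file under SRC.
make_manifest() {
  local src="$1" out="$2"
  ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$out"
}

# take_backup SRC DEST MANIFEST: hash the live data first, then copy it to DEST.
# The manifest is what later proves the backup (and a restore from it) is intact.
take_backup() {
  local src="$1" dest="$2" manifest="$3"
  make_manifest "$src" "$manifest"
  mkdir -p "$dest"
  cp -R "$src/." "$dest/"
}

# verify_restore BACKUP MANIFEST: restore BACKUP into a fresh scratch directory
# and check each manifest entry there. Returns 0 only if every file restores
# with the recorded hash; missing or altered files are listed on stderr.
verify_restore() {
  local backup="$1" manifest scratch rc=0
  manifest="$(abspath "$2")"
  scratch="$(mktemp -d)"
  cp -R "$backup/." "$scratch/"
  ( cd "$scratch" && sha256sum --quiet -c "$manifest" ) >&2 || rc=1
  rm -rf "$scratch"
  return "$rc"
}

# Demo with constructed data: a clean drill passes, then one backed-up file is
# silently truncated (the kind of corruption the firm only discovered mid-incident)
# and the next drill catches it.
work="$(mktemp -d)"
mkdir -p "$work/src/clients"
printf 'employee,net_pay\njdoe,4200\n' > "$work/src/payroll.csv"
printf 'client A ledger\n' > "$work/src/clients/a.txt"
take_backup "$work/src" "$work/backup" "$work/manifest.sha256"
if verify_restore "$work/backup" "$work/manifest.sha256"; then
  echo "drill 1: restore verified"
fi
: > "$work/backup/clients/a.txt"   # simulate a corrupted backup copy
if verify_restore "$work/backup" "$work/manifest.sha256"; then
  echo "drill 2: restore verified"
else
  echo "drill 2: restore FAILED verification; fix the backup before you need it"
fi
rm -rf "$work"
```

Two design points carry over to real backup tooling: the manifest is written from the live data at backup time, not from the backup copy, so a copy that was already damaged when it was made is caught rather than blessed; and the check is done on a fresh restore, not on the backup store itself, so the drill exercises the same path you would depend on during an incident. Run it on a schedule and treat any FAILED line as an incident in its own right.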

Nobody knew about it

Five months after implementing proper security measures, an accounting firm faced a similar attack. An employee received a fake client email and clicked a bad link. But this time there were no weeks of silent data theft.

The EDR tool flagged the suspicious behavior and quarantined the malware before it could establish itself and hide in their systems. Bryley was alerted. The employee’s access was temporarily restricted to block any lateral movement into other accounts or systems on the network.

The employee never knew that the click had tried to launch ransomware. No accounting clients were affected. No data was stolen. No ransom was demanded. From the accountancy’s perspective this was a non-event.

And that is Bryley’s work – to make this distracting, costly, harmful cybercrime a non-event for your organization.

If you’d like to speak to Bryley’s Roy Pacitto about a business-continuity approach to cybersecurity for your organization, please complete the form below to schedule a 15-minute, no-obligation call. Or you can email Roy at RPacitto@Bryley.com or reach him by phone at 978.562.6077 x217.

Connect with a Bryley IT expert about achieving business continuity