WELLESLEY, Mass. -- Data is a gold mine, and how to protect it from a ransomware attack was a hot theme at the 2016 Information Security Summit.
As hackers and businesses up the ante on their attack and defense strategies, attendees at the conference looked toward protecting their data and educating employees on the flood of cybersecurity attacks occurring daily. It's a problem especially rampant among small and medium-sized businesses that do not have access to the larger IT budgets and staffs larger enterprises often have.
Ransomware attacks can strike any institution, large or small, and were top of mind for many in light of the recent attack on the University of Calgary, which was forced to pay almost $16,000 to hackers. Meanwhile, hospitals have been under heavy attack, as well.
"A lot of clients have been hit with ransomware, and some have paid and some have not," said attendee Gaile Pranckevicius, account executive at Akuity Technologies, a provider of security services based in Auburn, Mass. SMB budgets vary, and it costs a lot of money to secure networks, she added.
"Ransomware is a big problem," said Greg Neville, vice president of information security and information security officer at Best Doctors Inc., based in Boston, during a panel discussion. Companies like Best Doctors can reduce the suffering with preventive measures and training employees on how to avoid phishing campaigns.
Ransomware attacks in healthcare are a concern, agreed attendee George Morgan, senior information risk consultant for Blue Cross Blue Shield of Massachusetts, based in Boston. He said he takes preventive measures by running Linux at home, and if he needs to "get into hacker stuff," he'll run his tests there.
It can be a tough problem for many victims, who may not even realize their data has been hit by a ransomware attack until it's too late.
Pranckevicius asked: How do victims know they've been hit with ransomware? Companies in the SMB market are in a reactive mode, she said.
Attendees debated how much to pay and whether it was necessary to give in to ransomware threats at all. Larry Wilson, CISO of the University of Massachusetts, said the decision to pay depends on the data, and not all ransomed data is worth paying to get back.
Organizations should put backups in place, Wilson cautioned. If organizations don't have backups and they get hacked, they'll have to pay, he said, suggesting organizations store backups so they're not accessible to attackers. The University of Massachusetts has been running cybersecurity protection for more than five years, and it continuously backs up its data, he noted.
Classifying data and placing controls around the assets might reduce the threat from hackers, but it requires organizations to conduct a business impact analysis, according to Janet Levesque, CISO of RSA, based in Bedford, Mass., speaking on a panel about online malware trends.
Some attendees criticized the FBI for confusing victims about whether they should pay for their stolen files or not. When ransomware began picking up last year, Joseph Bonavolonta, assistant special agent in charge of the cyber and counterintelligence program in the FBI's Boston office, said that because the encryption used by CryptoWall is so good, the FBI "often advise[s] people just to pay the ransom."
However, this year, the FBI reversed that stand and currently recommends victims not pay for the files, said Linda Swartz, vice president of security and fraud investigation at Westfield Bank, based in Westfield, Mass. She likened the payouts to bank robberies.
For some businesses, not paying a ransom can leave them in a tenuous position, with the potential for losing valuable data that can be sold or misused by the attackers. One way to prevent breaches is to understand hackers and follow underground forums to learn how attackers think. However, one attendee from Mass Bay Community College noted it was difficult for many to change perspective and put themselves in the mind of a hacker. Another preventive measure against a ransomware attack is to ensure all the data is backed up, but the industry worries those data backups may be breached by hackers, too.
In his keynote, UMASS' Wilson encouraged attendees to follow the NIST cybersecurity framework to protect their data, and to inventory and manage all application assets to decrease risk. In addition to his role as CISO at UMASS, Wilson also teaches how to implement cybersecurity protection.
User education, cyberliability insurance required
Attendees were also focused on user education and ensuring employees were up to date on best practices for protecting their data and applications -- not just for enterprise resources, but also for BYOD situations.
Westfield Bank recently conducted employee cybersecurity training to spread awareness about today's cyber risks. Swartz explained to the bank's employees that applications downloaded onto their smartphones can contain malware, and once infected, that smartphone could infect their computer, as well as other systems on the bank's network.
"I warned them that social media is a feeding ground for looking for your information," she said, adding that it enabled hackers to conduct spear-phishing campaigns on their email.
Even the University of Massachusetts IT department sends updates to alert users to potential phishing campaigns and what ransomware means.
How organizations cover their assets and find a cyberliability insurance provider was also a hot theme at the 2016 Information Security Summit.
Cyberliability insurance is in its infancy, but it is an important tool to have, as the stakes are higher than ever, said Paul Dumas, senior director of CIS management for Blue Cross Blue Shield of Massachusetts, during a panel discussion. He suggested budgeting for legal fees, forensics and notification costs to understand what could happen if a breach occurs. Dumas also noted insurers will ask a prospective client questions about its applications to determine the risk the insurer is taking on.
Choosing the right cyberliability insurance provider can be a confusing process for organizations.
"I don't know if people have filed claims yet," Swartz said. "What are the loopholes of getting insurance [companies] to pay you? It's a whole new industry that hasn't been time-tested yet."