
Ransomware attack, education highlight 2016 Information Security Summit

User education, ransomware attacks and cyberliability insurance are among the hot topics for infosec attendees at the annual 2016 Information Security Summit.

WELLESLEY, Mass. -- Data is a gold mine, and how to protect it from a ransomware attack was a hot theme at the 2016 Information Security Summit.

As hackers and businesses up the ante on their attack and defense strategies, attendees at the conference looked toward protecting their data and educating employees on the flood of cybersecurity attacks occurring daily. It's a problem especially rampant among small and medium-sized businesses that do not have access to the larger IT budgets and staffs larger enterprises often have.

Ransomware attacks can strike any institution, large or small, and were top of mind for many in light of the recent attack on the University of Calgary, which was forced to pay almost $16,000 to hackers. Meanwhile, hospitals have been under heavy attack, as well.

"A lot of clients have been hit with ransomware, and some have paid and some have not," said attendee Gaile Pranckevicius, account executive at Akuity Technologies, a provider of security services based in Auburn, Mass. SMB budgets vary, and it costs a lot of money to secure networks, she added.

"Ransomware is a big problem," said Greg Neville, vice president of information security and information security officer at Best Doctors Inc., based in Boston, during a panel discussion. Companies like Best Doctors can reduce the suffering with preventive measures and training employees on how to avoid phishing campaigns.

Ransomware attacks in healthcare are a concern, agreed attendee George Morgan, senior information risk consultant for Blue Cross Blue Shield of Massachusetts, based in Boston. He said he takes preventative measures by running Linux at home, and if he needs to "get into hacker stuff," he'll run his tests there.

It can be a tough problem for many victims who may not even realize their data has suffered from a ransomware attack until it's too late.

Pranckevicius asked: How do victims know they've been hit with ransomware? Companies in the SMB market are in a reactive mode, she said.

Attendees debated how much to pay and whether it was necessary to give in to ransomware demands at all. Larry Wilson, CISO of the University of Massachusetts, said the decision to pay depends on the data involved, and that paying is not warranted for every piece of ransomed data.

Organizations should put backups in place, Wilson cautioned. If organizations don't have backups and they get hacked, they'll have to pay, he said, suggesting organizations store backups so they're not accessible to attackers. The University of Massachusetts has been running cybersecurity protection for more than five years, and they continuously run backups on their data, he noted.

Classifying data and placing controls around the assets might reduce the threat from hackers, but it requires organizations to conduct a business impact analysis, according to Janet Levesque, CISO of RSA, based in Bedford, Mass., speaking on a panel about online malware trends.

Some attendees criticized the FBI for confusing victims on whether they should pay for their stolen files or not. When ransomware began picking up last year, Joseph Bonavolonta, assistant special agent in charge of the cyber and counterintelligence program in the FBI's Boston office, said because the encryption used by CryptoWall is so good, the FBI "often advise[s] people just to pay the ransom."

However, this year, the FBI reversed that stand and currently recommends victims not pay for the files, said Linda Swartz, vice president of security and fraud investigation at Westfield Bank, based in Westfield, Mass. She likened the payouts to bank robberies.

For some businesses, not paying a ransom can put them in a tenuous position, with the potential for losing valuable data that can be sold or misused by the attackers. One way to prevent breaches is to understand hackers and get involved with underground forums to learn how to think like the attackers. However, one attendee from Mass Bay Community College noted it was difficult for many to change perspective and put themselves in the mind of a hacker. Another preventative measure against a ransomware attack is to ensure all data is backed up, but the industry worries those backups may be breached by hackers, too.

In his keynote, UMASS' Wilson encouraged attendees to follow the NIST cybersecurity framework to protect their data, and to inventory and manage all application assets to decrease risk. In addition to his role as CISO at UMASS, Wilson also teaches how to implement cybersecurity protection.

User education, cyberliability insurance required

Attendees were also focused on user education and ensuring employees were up to date on best practices for protecting their data and applications -- not just for enterprise resources, but also for BYOD situations.

Westfield Bank recently conducted employee cybersecurity training to spread awareness about today's cyber risks. Swartz explained to the bank's employees that applications downloaded onto their smartphones can contain malware, and once infected, that smartphone could infect their computer, as well as other systems on the bank's network.

"I warned them that social media is a feeding ground for looking for your information," she said, adding that it enabled hackers to conduct spear-phishing campaigns on their email.

Even the University of Massachusetts IT department sends updates to alert users to potential phishing campaigns and what ransomware means.

How organizations cover their assets and find a cyberliability insurance provider was also a hot theme at the 2016 Information Security Summit.

Cyberliability insurance is in its infancy, but it is an important tool to have, as the stakes are being raised higher than ever, said Paul Dumas, senior director of CIS management for Blue Cross Blue Shield of Massachusetts, during a panel discussion. He suggested budgeting for legal fees, forensics and notification costs to understand what could happen if a breach occurs. Dumas also noted insurers will ask a prospective client questions about their applications to determine the risks for the cyberliability insurance provider.

Choosing the right cyberliability insurance provider can be a confusing process for organizations.

"I don't know if people have filed claims yet," Swartz said. "What are the loopholes of getting insurance [companies] to pay you? It's a whole new industry that hasn't been time-tested yet."

6 comments
Education is not enough; we need to change the fundamentals of SW, then computer viruses (malware, ransomware) would not have a chance - http://www.slideshare.net/JiNapravnik/its-time-to-change-the-basics-of-ict-security
I'd think the time for discussion is well past. We've patched and repatched every gaping hole. It's time for an entirely new approach to security and data integrity.
Thank you "ncberns". We're two. Add someone else, for example from the editors of TechTarget?

Programming software is a human work. Bugs, backdoors or other vulnerabilities are the result of POOR HUMAN (IT specialist) WORK.
Thanks for your thoughts @napravnik and @ncberns. I think increasing cybersecurity has to come from all different angles. Not only are software development cybersecurity standards important to follow as you pointed out (thanks for your slideshare link @napravnik) but also end user education and instituting cybersecurity corporate business policy. Not all users are aware of what can happen if they click on a seemingly legitimate link. There can be dire consequences for themselves or a company if they do. Corporations have to make sure they teach their employees about cybersecurity issues and how to protect their own as well as company data. It's an ongoing process that I feel needs to be addressed from all different angles. 
Education can only go so far... For decades we have stressed the importance of good backups and disaster recovery plans. Yet it is amazing the number of users that do not seem to take it seriously. That's what the creators of ransomware are hoping on: our lack of following through on the education we can and should have in place.