Stu Sjouwerman, CEO of KnowBe4, has a similar message. “In principle, don't pay because that encourages the criminal business model,” he said, “but in practice, it's not that easy.”
He said for most organizations, it comes down to a cost/benefit calculation. “It becomes a no-brainer if you are faced with a failed backup and more than a month of lost data that could shut you down.”
And Ed Cabrera, chief cybersecurity officer at Trend Micro, also noted the divide between what should happen and what does happen. “The consensus is clear that paying ‘should’ never be an option,” he said. “However, as companies fail to plan, they are planning to fail when it comes to ransomware attacks. This is obviously a very lucrative business in the Deep Web and is only going to continue evolving to different file types and systems that are very important to companies and consumers.”
It is pretty clear that many organizations are failing to plan, which is somewhat of a mystery, since the ways to prevent ransomware are fairly straightforward and widely publicized, including on the FBI website.
The most important step, of course, is to back up data regularly and to secure the backups – don’t leave them connected to the computers and networks they are backing up – so they can’t also be infected by an attack. Beyond that, experts say organizations should:
- Disable macro scripts
- Install all updates and patches – especially for buggy programs like Adobe Flash or Java
- Set antivirus and antimalware solutions to update automatically
- Only download software – especially free software – from known and trusted sites
- Train employees – emphasize that they should never open an attachment in an unsolicited email.
Krebs has his own Three Rules of Online Security:
- If you didn’t go looking for it, don’t install it.
- If you installed it, update it.
- If you no longer need it (or, if it’s become too big of a security risk) get rid of it.
So, why don’t more people follow that advice – especially organizations that could be crippled or taken down by ransomware?
It is not just a matter of being lazy, according to Sjouwerman. “The reality is that many IT departments are undermanned, overloaded, and coping with 16 fires at the same time,” he said. “The problem is that as a defender you need to be right 100% of the time, and as an attacker only once.”
And even doing the right thing doesn’t always work. “Weapons-grade backups are paramount, but backups fail much more frequently than you think,” he said.
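The backup advice in the list above and Sjouwerman's point that backups fail more often than expected come down to one discipline: record what was backed up and test the restore, rather than trusting that the job ran. The routine below is an added example, not code from the article or from any of the vendors it quotes. It backs up two constructed sample files with a SHA-256 manifest, restore-tests the archive into scratch space, checks the archive's age against a recency policy, and reports a truncated archive as a failed backup. The archive naming, the manifest format, the 24-hour age policy and the sample files are assumptions made for the demonstration.

```python
"""Backup verification routine: added example, not code from the article or any
vendor it quotes. It shows the two backup practices the text calls for: a backup
kept with a manifest so a restore can be checked, and a restore test that catches
a backup which failed silently. All paths and sample files are constructed."""
import hashlib
import json
import tarfile
import tempfile
import time
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: Path, dest_dir: Path) -> Path:
    """Archive source_dir and write a manifest of per-file hashes beside the archive.
    The manifest is what later lets a restore be verified file by file."""
    archive = dest_dir / f"backup-{int(time.time())}.tar.gz"  # assumed naming scheme
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest))
    return archive


def verify_backup(archive: Path, max_age_seconds: float) -> dict:
    """Restore-test the archive into scratch space and compare every file with
    the manifest. Returns a report instead of raising so a scheduler can alert."""
    report = {"ok": True, "problems": []}
    manifest_path = archive.with_name(archive.name + ".manifest.json")
    if not manifest_path.exists():
        return {"ok": False, "problems": ["manifest missing"]}
    manifest = json.loads(manifest_path.read_text())
    age = time.time() - archive.stat().st_mtime
    if age > max_age_seconds:
        report["ok"] = False
        report["problems"].append(f"backup is {age:.0f}s old, older than policy allows")
    try:
        with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive, "r:gz") as tar:
            members = tar.getmembers()
            for m in members:
                # Refuse archives that would write outside the restore directory:
                # a tampered backup must not become a second incident during restore.
                if m.name.startswith("/") or ".." in Path(m.name).parts or not m.isfile():
                    return {"ok": False, "problems": [f"unsafe member in archive: {m.name}"]}
            tar.extractall(scratch, members=members)
            restored = Path(scratch)
            for rel, expected in manifest.items():
                f = restored / rel
                if not f.is_file():
                    report["ok"] = False
                    report["problems"].append(f"{rel}: missing from restore")
                elif sha256_file(f) != expected:
                    report["ok"] = False
                    report["problems"].append(f"{rel}: content differs from manifest")
    except (tarfile.TarError, OSError, EOFError, zlib.error) as e:
        # A backup that cannot even be unpacked is the "failed backup" case.
        return {"ok": False, "problems": [f"restore failed: {e!r}"]}
    return report


def demo() -> tuple:
    """Back up two constructed sample files, verify the good copy, then verify a
    copy truncated mid-write to mimic a backup job that died without anyone noticing."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")  # constructed
        (src / "notes.txt").write_text("constructed sample content\n")  # constructed
        dest = Path(tmp) / "backups"
        dest.mkdir()
        archive = make_backup(src, dest)
        good = verify_backup(archive, max_age_seconds=24 * 3600)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])  # simulate a truncated archive
        bad = verify_backup(archive, max_age_seconds=24 * 3600)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("intact backup:", good)
    print("truncated backup:", bad)
```

The age check is what turns a backup job that quietly stopped running into an alert, and the restore test is what exposes an archive that exists but cannot be unpacked. Keeping the archives and manifests on storage that the backed-up systems cannot write to, the "don't leave them connected" point above, is an operational control this script assumes rather than provides.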
Wueest said sometimes it comes down to denial. He said while best practices can prevent most threats, “some companies do not plan for ransomware attacks or do not test these scenarios in their security process, as they wrongly believe it cannot happen to them.”