The US Government is signaling it is changing its posture on what it considers an acceptable action on the part of businesses to secure their data. Ransomware concerns have been rising in recent months with various malware protection providers releasing new warnings to users and customers to be vigilant about new and more sophisticated threats. With over 4,000 ransomware attacks per day in 2016 and $209 million paid in ransoms in the first three months of 2016, the threat is real.

During a recent ransomware workshop held by the agency, Federal Trade Commission Chairwoman Edith Ramirez stated, “A company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.” 

While it may feel like adding insult to injury to apply an enforcement action against a company that has just been a victim of ransomware, the government is making it increasingly clear they expect companies to take appropriate action to secure their data.  To date, the FTC has undertaken 60 actions against companies this year alone.  It may be tempting to think your company is too small to attract this kind of attention, and you may be correct.  And even if your organization does not store confidential health or credit information, consider the impact to your operations.

Business leaders are expected to secure their data by clients and stakeholders. Whether the data is highly sensitive such as health data or personal information such as credit card information, paying lip service only or taking minimal actions may hurt a business in multiple ways. The routine intellectual property an organization creates for use in daily operations is rarely considered when protecting information.  This is because there typically is no easily quantified monetary penalty tied to its loss.  Consider what would happen to your operations if a loss of all your intellectual property, sales documents, proposals, operation practices, client orders, etc. was stolen or held for ransom.  What would the cost be in time and money to recreate it?

Ransom demands may be small, from $500 to $1,000, but can be as high as $50,000.  With ransoms on pace to hit $1 billion this year alone, the number of attacks are significant.  However, paying a ransom is no guarantee you will actually receive a decryption to recover your data.

The sophistication of attacks are improving all the time.  Emails are declining as the routine vehicle for these attacks.  Inserting malware onto websites is becoming the most popular means to gain access.  Companies can successfully combat this threat by focusing on two areas:

  • Prevention— routine awareness training for employees and robust technical prevention controls; and
  • The creation of a solid business continuity plan in the event of a ransomware attack

Unfortunately, these strategies are often not routinely being applied.  This is likely driven by attitudes toward the threat.  In a recent survey of information security professionals, less than 20 percent of respondents considered ransomware one of the top two security threats to their company.  Now is the time to review and reform strategies and approaches to data security.

Knowing how best to proceed can be intimidating, this is one area where going it alone is not a good strategy.  An old African proverb says “if you want to go fast, go alone, if you want to go far, go together.”

Ransomware Prevention and Response for CEOs.pdf

Ransomware Prevention and Response for CISOs.pdf


Need a Cyber Security Assessment?