I hope you were not affected by last Friday’s WannaCry ransomware outbreak.  If you were, you are unfortunately part of the largest online extortion campaign seen to date.  And it may not be over: new variants are appearing, so although you may have dodged the bullet for now, experts warn that this attack is “nothing compared to what might be coming.”  So who are the lucky ones whose data is safe?

Annual (daily?) checkups

Simply, they are those who practice good digital hygiene.  They promptly apply software patches, keep regular backups of important data (with at least one copy offline, where ransomware on the network cannot reach it), and combine strong email and web filtering with security awareness training.  In an ideal world, they also run supported, up-to-date operating systems and keep their licensing in effect so they remain eligible for routine security updates from Microsoft and others.  WannaCry is the cautionary example: Microsoft released the fix for the SMB flaw it exploits (MS17-010) in March, two months before the outbreak, and the machines that were hit were the unpatched and end-of-life ones.
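As an added check (not part of the original post), here is a PowerShell snippet that tells you whether a Windows machine still has the exposure WannaCry used: the SMBv1 protocol that the EternalBlue exploit targets, and the MS17-010 security update that closed it.  It assumes Windows 8 / Server 2012 or later (where the SMB cmdlets exist) and an elevated session; the KB numbers are the ones Microsoft published with MS17-010 and are an assumption to verify against the bulletin for your exact build.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Assumes Windows 8 / Server 2012 or later (Get-SmbServerConfiguration exists there).
# WannaCry spread over SMBv1 using the EternalBlue exploit; Microsoft fixed it in MS17-010 (March 2017).

# --- 1. Is the SMBv1 server protocol switched on? $true means the worm can reach this host over SMB.
$smb = Get-SmbServerConfiguration
Write-Output ("SMBv1 server protocol enabled : {0}" -f $smb.EnableSMB1Protocol)

# --- 2. Is the SMB1 component installed at all? (client editions; on Server use Get-WindowsFeature FS-SMB1)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { Write-Output ("SMB1Protocol feature state     : {0}" -f $feature.State) }

# --- 3. Is one of the MS17-010 updates present?
# KB list as published with MS17-010 (Win7/2008R2, 8.1/2012R2, 2012, Win10 1507/1511/1607, plus the
# out-of-band XP/Vista/2003/8 update). This is an assumption to verify against the bulletin for your
# build: on Windows 10 a later cumulative update supersedes these under a different KB, so when in
# doubt rely on check 1 (SMBv1 off) rather than on this list.
$ms17010 = @('KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217',
             'KB4012606','KB4013198','KB4013429','KB4012598')
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) {
    $found | Select-Object HotFixID, InstalledOn | Format-Table -AutoSize
} else {
    Write-Output "No MS17-010 update found on this host; run Windows Update and re-check."
}

# --- 4. Remediation (uncomment to apply): turn SMBv1 off and remove the component.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Disabling SMBv1 is the durable fix, since it removes the protocol the worm needs regardless of patch level; the hotfix check is only a snapshot of what was installed on that one machine.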

Disruption or blackmail?

The hackers who distribute ransomware do so with various motives.  Some simply want to disrupt your business, making it expensive or impossible to continue to operate without the data they have locked.  A variation on this theme is disruption of governments and their agencies, or political hacktivism.  A third motive is more traditional blackmail, i.e., demanding money in return for not revealing compromising or injurious information.  In this circumstance, we are reminded that having too much information can create a tremendous liability.  Why, for example, keep outdated customer information, or early drafts of public documents, or confidential data that has outlived its usefulness—information that could be sold to the highest bidder or simply released for the “lulz”?
Keeping such information can be hazardous.  What to keep, and for how long, is governed by retention rules; an up-to-date, legally validated, and enforced retention schedule is the foundation.

But I run a small / solo business

Doesn’t matter.  Or maybe it matters more.  A recent Symantec report indicates that spear-phishing attacks on small businesses have steadily increased over the last five years, and in 2015 small businesses received the largest share (43%) of spear-phishing attacks across organizations of all sizes.   Kaspersky, the international cybersecurity and anti-virus provider, states that “small businesses faced eight times more ransomware attacks in the third quarter of 2016 than in the same quarter last year.”  Small businesses are generally more exposed, and therefore easier targets, than larger organizations with dedicated IT security staff and tooling.
Increasingly, professional services firms such as engineers, architects, lawyers, physicians, and financial brokers—many of which are small—have been targeted because of the sensitive information they hold on behalf of their clients.  Other small companies have been targeted because of the larger clients they connect to.  The easiest way into a large company is often through a smaller, less protected vendor.

What do I do now about WannaCry?

A good starting place, if you have not already been compromised, is the advice in this bulletin from the FTC’s consumer division:
Once you have applied the patches and backed up your information, spend some time considering what information you hold and how to apply good information hygiene:

● What makes your business run?

● What would your competitors most like to have (the “secret sauce”)?

● How much do you rely on your customers’ good will and trust?

● What is your tolerance for business interruption?

The answers to these questions should help you decide what information you should keep and, coupled with a retention schedule, for how long (absent a legal hold).  Be wise, be safe, be prepared.