When Jim Flynne started his career in the computer systems and data storage industry 25 years ago, he says, “I wasn’t a paranoid person.” But security took on a whole new meaning after he became vice president of operations and security at Carbonite nearly two years ago. “Now I’m incredibly paranoid,” he says. “Information is a dangerous thing.”
Ever since ransomware began proliferating in September 2013, Flynne says he has seen entire small businesses wiped out by Cryptolocker malware, which seizes an organization’s data and turns it into junk. “It encrypts your computers’ files and you have to pay a ransom to get them back,” Flynne says. “The alternative to paying the ransom is to have a backup. But we had a lot of people coming to us after the fact.”
Flynne explains that Cryptolocker was delivered by spear phishing—a standard method of sending fraudulent emails that entice recipients to log onto a bogus site and give up their credentials. It’s why more than 70 percent of all security breaches start with employees, “with stuff people do every day, and they don’t have any idea that they’re doing it,” he says.
Though early versions of ransomware have been shut down, Flynne has observed a new generation of it emerging. “Ransomware has netted the originators in excess of millions of dollars in $250 ransoms, paid one at a time. We expect it will continue to evolve and take on the appearance of new click-bait and emails that are more and more enticing so it can infect your system,” he says.
Flynne offered Yahoo Small Business Advisor readers the following advice to keep employees from infecting business systems with ransomware.
1. Don’t trust emails. “Emails are inherently evil,” Flynne says. “I’m a CSO. I got a phishing email yesterday. I thought, ‘You tried it on the wrong guy,’ but I wondered how many of our 50-plus employees got this same email.”
Flynne says that email scams are ubiquitous and employees should be told to be wary of clicking on links they aren’t familiar with or opening emails that come from addresses they don’t recognize.
“It’s necessary to repeat this advice because spear phishing attacks have become quite sophisticated. The impact can reach laterally across an organization’s network,” Flynne says. His advice: never open attachments from unknown sources or enter personal or user account information into pages reached through clickable links received in email. Either verify the source or go to the page or portal screen yourself rather than through a link.
Flynne says he recently heard from the CSO at a university where a phishing attack duped faculty members into clicking on what they thought was a link sent from the IT department. More than a dozen faculty members went to a landing page that looked identical to their payroll system and followed the email’s instructions, giving thieves access to change their credentials and pocket their paychecks. “You begin to see why I’ve become paranoid,” Flynne says.
2. Use strong passwords. “A strong password contains a combination of uppercase, lowercase, alpha-numeric, and special characters and it is easy for the user to memorize,” Flynne says. He recommends that passwords be changed every 90 days. “Whether it’s a 3-person company or 500 people or 50,000 people, rotating the password ensures that whatever has been compromised is not usable beyond a certain date.”
Why does he recommend memorable passwords? “If your password is too tough to recall, chances are it’s written on a note stuck on your wall and that defeats the purpose. Also be sure your people are not using the same password across multiple accounts. If they all have the same password then the entire landscape is compromised,” Flynne says.
3. Establish disk-drive-level data encryption for traveling employees. Flynne says this step adds a measure of protection for sensitive data while employees are on the road. “If your whole laptop is encrypted, then you must log on with a password in order for your apps to read your data. Encryption makes it unusable to anyone without the password,” he says.
4. Don’t leave desktop computers or laptops unattended with the browser open. “It only takes a few seconds for someone to use an open browser to collect login information and copy passwords,” Flynne says. “Take the time to shut down machines properly or set automatic screen locks to take effect after just a few minutes of inactivity. The best practice is to always lock your computer when you step away from it, and ensure it locks itself if you forget.”
How could a passerby grab information from an open browser? “Someone could put a thumb drive into your laptop, access the user settings from the browser, export them, take that home, and, if they’re adept at HTML, get usernames and passwords for all of the accounts,” Flynne explains.
5. Take the time to train and send accountability reminders. “People, not technologies, are the weakest link in the security chain,” Flynne says. “Communication is key when it comes to matters of security and prevention. If employees understand how their actions can potentially endanger your organization, they’ll be more likely to comply with best practices and keep heightened focus and awareness when it comes to data security.”
Flynne says business owners often assume that maintaining security is going to cost a lot of money. But he argues that much of it is free. “Protecting perimeters is important, but if you let someone in the front door, the locks are useless. The majority of hackers are going through the front door. They get full access to a system and blossom from there,” Flynne says. The best prevention: Train your people and give them the information they need to know in order to behave carefully.
6. Implement e-mail archiving. Though he estimates that only about 20 percent of security breaches are executed intentionally by company insiders, Flynne says it’s not unheard of for a rogue or disgruntled employee to attempt to delete sensitive information in an attempt to sabotage an organization. He recommends automated email archiving systems that back up and verify data in order to simplify recovery to an acceptable level of loss.
Follow Adrienne Burke at @adajane