Ransomware prevention – there’s no magic bullet

Our IT Director, Rupert Poole, on  ‘miracle’ ransomware prevention software and why you shouldn’t rely on them alone

To say that the last 72 hours have been a busy time in the world of IT is a bit of an understatement!

We are not referring to the havoc that has been caused to many NHS trusts across the country by the Ransomware outbreak, but rather the marketing departments of all the software suppliers now scrambling to take advantage of the free marketing and sell their ‘miracle’ software solutions designed to save us all from the horrors of Ransomware.

Those who work in IT know that the truth is somewhat different. While there are many good solutions in the marketplace which can help prevent a lot of the damage caused by having all your files encrypted, the reality is that the answer is not based around a single silver bullet, but good solid processes and procedures, which represent best practices.

For those hit with the latest Ransomware, ‘WannaCry’, there is plenty to do: identify infected machines, contain the malware and recover encrypted files – and ultimately some people will be sitting in board rooms toying with the question of whether to pay the ransom.

The bit I have been thinking about is what would I say to the smaller business who don’t have a large IT team, or who are struggling with the conflicting advice they may be receiving. Here are the top five actions we recommend to any firm who is not sure where to start when it comes to avoiding being a victim of Ransomware in the future:

  • Make sure the software on your devices is up to date. The media are now reporting that had the NHS updated the software on their systems last month – when they were advised to – the spread of Ransomware in the NHS could have been prevented. If you have a third-party support partner (supplier), get them to send you weekly reports to confirm that they are updating your machines for you, don’t just take their word for it. If you’re thinking of appointing a third-party support partner (supplier) to help with this then it’s key to make sure that your contract with them: details exactly what the supplier is going to do for you; allows you adequate recourse if the supplier fails to perform the services as promised; and doesn’t unfairly limit the liability of the supplier leaving you without remedy if the services don’t work as promised.
  • Install antivirus on all your computers and make sure that it is kept up to date.
  • Look at investing in some software which directly prevents Ransomware, there are lots of good solutions out there – one of which is a product called Intercept X from a company called Sophos.
  • While the technical elements are important, it is also key to address another often-overlooked vulnerability, the human element. A small investment in Cyber Security training and awareness can pay large dividends. You can have the best technical solutions in place, but if your staff have not been trained on what may be a suspect link in an email or how to identify a suspect attachment or the ramifications for the business if they do infect the system, you are going to have problems in the long run. Equally consider whether there are adequate security measures in place for visitors who enter your building who may be able to access your IT systems (think photocopier engineers). Consider appointing a cybersecurity champion who will ensure there is buy-in at board level and a business commitment to preventing cybercrime and ensuring a collaborative approach with the IT department.
  • As a starting point, sign-up to the government Cyber Essentials accreditation programme (here). This is a great starting point for understanding what you need to be doing to get your house in order, and there are many good providers out there who can help you on your way.

While there are no guarantees, and certainly the odds can be stacked against the guys in IT, there are ways to start to move those odds back in your favour. The secret is to get IT Security and Training on the agenda at a senior level and work to keep it there, and ensure that any contracts you have in place with third party suppliers are appropriate and provide you with adequate legal protection.

This isn’t a tick-box exercise, IT security needs to be looked at as an ever-changing threat. Getting the basics right is the first step.