Putting your systems "beyond use" is also the goal of malware such as viruses or, more recently, ransomware, only this time it’s acting from inside your firewall. Whether you're a home user or a large organisation, ransomware is the latest scourge. Like many other types of malware, it often infects devices through the internet, but it can just as easily find its way onto your computers from a USB drive or an inadvertent click on a malicious attachment in an email. Having established a cosy home on a laptop or PC, ransomware will studiously set about encrypting every file it can get sight of, and at an amazing speed. In the aftermath of a recent attack, more than 100,000 files were found to have been scrambled by the Zeus virus in under an hour.
Perversely, you could say that because your data is now totally encrypted it’s at least safe from prying eyes. Unfortunately, that includes your own prying eyes: it’s the bad guys who now have your data under lock and key, and they’re not giving you the key to the lock unless you pay for it.
Frustratingly, your files are still there, staring you in the face, as is the demand from the perpetrators for payment. In return, they promise to give you the key to decrypt your files once you have paid the ransom, usually in the cryptocurrency bitcoin. Rather than pay the money, the remedy is to restore from back-ups. However, this can be a lengthy process, and it’s likely that some of the most recent data will have been lost. Either way, your operations will have been severely disrupted.
The extent of the loss in these incidents will be limited by good user-access controls. Ransomware runs with the rights of the account that launched it, so giving every user account full admin rights is a sure way to guarantee that the ransomware has full and free access to every file. Better, then, to follow the principle of least privilege when granting user access, so that a user can access only those files and systems they need to do their job.
You might have noticed that we’re back to users here. Clicking on attachments, downloading dodgy files and cruising infected websites make them part of the problem and, because they are on the inside of your perimeter defences, it’s highly likely that they have access to valuable information assets which are rightly denied to those outside the organisation.
Phishing emails are a common way to turn people into unwitting accomplices, and cyber criminals don’t always need a malicious attachment to launch an attack. Simply including a link to a bogus website in an email with a request to "click here" will often do the trick. Using a phoney website with a clear instruction to comply, all manner of information can be gleaned, including user names, passwords, payment card numbers, mother’s maiden names – you name it and people are likely to volunteer it, often not realising what’s happened until they’ve clicked "submit", by which time it’s too late. These vital bits of information are then in the possession of the hackers, ready to be exploited one way or another.
It’s better, then, to make sure staff are aware of just what perils can and will befall them. A good information security awareness induction has become a must and can prepare employees and volunteers for the scams, cons and social engineering that they are likely to face in cyberspace. Encouraging people to report anything that doesn't seem right can often head off attempts to compromise and defraud the organisation, and it helps everyone if such incidents are also reported to the police through the Action Fraud website. A search of that site will highlight a number of charity frauds and scams and provide useful insight.