A friendship made in hell, or why you need to take encryption seriously

By Charles Groce, CEO of Pearl Street Consulting

Republished from Graphic News magazine, October 2016

Imagine a scenario where you and your employees show up at the office one day and the doors are locked. And the only person capable of unlocking the door wanted $10,000 in “bit coins”, a type of anonymous online payment system. What would you do? Call the police? The person holding the key is based in Poland. Call the Feds? Get in line, and hope your customers can put their print projects on hold for a while. Want to make your own key? Sorry, that’s mathematically not possible (with your resources anyway).

This is exactly what “ransomware” does. In short, hackers find a hole in your network security architecture, and there are probably several, and use that hole to encrypt your entire network. That means your “mapped drives”, mission critical storage locations on your network, cannot be opened without a password. Hackers hold that password for money until you pay up.

So what do you do? You pay. If you refuse to pay, the price goes up. This happened to one of my customers. Here. In Michigan. In fact, across the country companies and individuals paid $325 million in ransom in some 400,000 incidents in 2015. Of those that paid the ransom, not all of them were given the password. After all, even if you pay you’re relying on the word of criminals to do what they’re saying they’ll do. Sound like a match made in hell? That’s because it is.

Fifteen years ago, major internet-based threats to most small and medium sized businesses came in the form of viruses, trojans, annoying popups from malware, and other code-based automated attacks. Buying a powerful firewall and implementing a robust antivirus solution for every computer in your facility was sure to be enough to protect most companies from these kinds of threats. The worst that was likely to happen was that your IT network would stop functioning, become unusable during the workday, and become a headache for an IT team to clean up. Customers could become affected, straining relationships at critical times, etc.

Today your business could be on the line. What’s changed? The tools for launching these kinds of attacks are now, frankly, widely available, and hackers don’t need PhD’s or really even an in depth knowledge of computer science to use them. And it’s become quite the business. More than two thirds of companies targeted for ransomware attacks pay up. The one third that don’t either have offsite solutions in place that ensure quick recovery on a new network or give up on the lost data and start fresh. Companies that aren’t ready or can’t respond in this way should protect themselves.

How does your company come under such an attack? There are multiple ways in. Hackers can, of course, send someone on your network a Word or Excel document which contains a macro that runs when opened. Hackers can gain access to a website frequented by your staff, it doesn’t even have to be yours, and become infected through outdated Flash or Java web browser plugins.

Your website can also be used to get in. Be sure your website forces HTTPS and is well hidden behind a firewall. Want to know if your website is protected? Add an ‘s’ on to the http when you visit your website domain name. If you get messages about it not being secure, you need what’s called an SSL certificate to be installed on your website’s server. Any connection not going over HTTPS (rather than HTTP) can be snooped on and passwords can be determined. An SSL certificate runs about $100.

Moreover, Google is going to start marking sites without SSL as insecure starting January, so you’d better make this change anyway. Last fall Google already announced it would give websites that default to HTTPS a boost in SEO rankings.

To best ensure your company is safe from these kinds of attacks, be sure your antivirus is up to date, always try to use HTTPS on your own websites, including email, and periodically review with your staff best practices for opening email and visiting unapproved websites. Make sure all company PC’s are up to date on java and flash. If this breaks your file exchange solution, you need a new file exchange solution. I won’t name names. But it’s 2016, and keeping your data safe is only becoming more important as time goes on.

About the author: Charles Groce is the CEO of Pearl Street Consulting, a Michigan-based IT, web, and software consultancy. Charles is also the founder of osforprint.com, an open source technology solutions provider for the printing industry.