These cyber attacks have grown in frequency and severity, and extortion demands have risen significantly. Additionally, ransomware developers and affiliates are more frequently publicly releasing exfiltrated data and internal company secrets despite the victim paying the ransom. Unfortunately, six- and seven-figure demands have become routine.
The impact of ransomware remains a disproportionate problem for small and medium-sized businesses. In fact, nearly 75% of attacks occur on companies with fewer than 1,000 employees, with the median number of employees at 234, according to Coveware’s Q4 2021 Ransomware Report.
Keep all systems, including hardware, mobile devices, operating systems, software, cloud locations, and content management systems (CMS), patched and up to date. If possible, a centralized patch management system should be used. Implement application whitelisting and software restriction policies (SRP) to prevent the execution of programs in common ransomware locations, such as temporary folders.
Activate two-factor / multi-factor authentication (2FA/MFA) on all systems — including managed service provider software platforms, administrator systems, and end-user systems wherever possible. Efforts should also be made to understand the current state of 2FA / MFA strategies, upcoming enhancements, and multi-vendor relationships with third parties who are provided credit union network access. MFA provides a critical second source of identity confirmation that can eliminate a vast majority of data breaches within an organization.
Back up data regularly and verify the integrity — ensure backups are not connected to the computer or networks that are being backed up (i.e., securing backups in the cloud or physically storing offline). Backup systems should allow multiple iterations to be saved in case a copy of the backups includes encrypted or infected files. Routinely test backups for data integrity and to ensure they are properly operational, accessible, and protected. Ransomware has the capability to lock cloud-based backups when systems continuously back up.
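One way to check several backup iterations for integrity and for files that were already encrypted when they were copied, shown as an added example that is not part of the original article. The `MANIFEST` file name, the dated folder layout, and the entropy threshold are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter
from pathlib import Path

ENTROPY_LIMIT = 7.5  # bits per byte (assumed threshold); encrypted data sits near 8.0
MIN_SIZE = 256       # entropy is unreliable on very small files

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def write_manifest(gen: Path) -> None:
    """Record a SHA-256 per file at backup time. In production keep the
    manifest offline, apart from the backup it describes."""
    lines = [f"{hashlib.sha256(p.read_bytes()).hexdigest()}  {p.relative_to(gen)}"
             for p in sorted(gen.rglob("*"))
             if p.is_file() and p.name != "MANIFEST"]
    (gen / "MANIFEST").write_text("\n".join(lines))

def check_generation(gen: Path) -> dict:
    """List files that are missing, changed since backup, or look encrypted."""
    report = {"missing": [], "altered": [], "high_entropy": []}
    for line in (gen / "MANIFEST").read_text().splitlines():
        digest, rel = line.split("  ", 1)
        path = gen / rel
        if not path.is_file():
            report["missing"].append(rel)
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            report["altered"].append(rel)
        # A matching hash only proves the copy is faithful; the source may
        # already have been encrypted. Compressed formats (zip, jpg) also
        # score high, so treat hits as leads to review, not as proof.
        if len(data) >= MIN_SIZE and shannon_entropy(data) > ENTROPY_LIMIT:
            report["high_entropy"].append(rel)
    return report

def newest_clean_generation(root: Path):
    """Walk dated generations newest first; return the first clean one."""
    for gen in sorted((d for d in root.iterdir() if d.is_dir()), reverse=True):
        if not any(check_generation(gen).values()):
            return gen.name
    return None
```

Run `check_generation` on every iteration during routine restore tests, so the newest usable restore point is known before an incident rather than during one.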
Apply the principles of least privilege and network segmentation - the principle of least privilege states that an end user should be given only the privileges necessary to complete tasks related to their role in the credit union. If an employee does not need an access right, the employee should not have that access right. Categorize and separate data based on organizational value and where possible, implement virtual environments with logical separation of networks and data.
Help prevent phishing and identify other suspicious content by pre-screening emails for potentially malicious attachments and links. When suspicious content is detected, the system typically introduces a short delivery delay to perform additional checks.
Cybersecurity needs to run horizontally through your entire credit union. It is not just an IT problem. Every single staff member, regardless of department and status, needs to be engaged and held accountable. Anyone can mistakenly expose credit union or member data to risk.
Provide frequent social engineering and phishing training to employees so they are your first line of defense. Regularly remind employees not to open suspicious emails, not to click on links or open attachments contained in such emails, and to be cautious before visiting unknown websites.
Third-party vendors are an essential part of doing business, but they do extend the risk of the exposure and misuse of your credit union’s data. It may seem simple, but your credit union should have an easily accessible list of all third-party vendors and what type of access they have to your credit union and member data.
If your third-party vendors are entrusted with your credit union’s member data, their cybersecurity strategy is just as important as your own. On a regular basis, it is important to ask what safeguards they have in place to lessen the risk of a breach of your data. Threats to cybersecurity evolve and so should your vendors’ risk management. You should know your vendors’ policies on reporting data breaches. Set expectations for your vendor relationships and make cybersecurity a part of the vetting process and ongoing monitoring.
Access the Business Protection Resource Center* for exclusive risk and compliance resources to assist with your loss control efforts.
On-Demand Webinar: Officer Hours-Cybersecurity (2/27/2021)
RISK Alert: Ransomware Risks Drive the Need for Critical Cyber Loss Controls* (12/14/2021)
Beazley cyber insurance policyholders can access resources and online training at beazleybreachsolutions.com.