A new blueprint offers advice for businesses to protect against ransomware attacks
JUANA SUMMERS, HOST:
Small businesses have paid hundreds of millions of dollars to cybercriminals in just the last year. And now a group of experts has released a blueprint full of advice on how to prepare for a possible ransomware attack. We're joined now by NPR cybersecurity correspondent Jenna McLaughlin, and she's going to help us break down the findings. Hi, Jenna.
JENNA MCLAUGHLIN, BYLINE: Hey there.
SUMMERS: So can we just start off with the basics here? What is ransomware? And I'm also hoping you can give us a sense of the scope of the problem.
MCLAUGHLIN: Sure. So ransomware refers to a very popular kind of cybercrime where hackers break into your system, lock it down, and demand payment for the key to unlock it all. It's really actually become a bustling industry. Some groups work on getting access to systems, and they sell that access, while others will write malware or malicious code. The Ransomware Task Force - which was formed in 2021, including stakeholders from government, academia, think tanks and the private sector - actually put together a lot of data about this problem. According to their surveys, victims paid over $600 million to these cybercriminals in just 2021.
MCLAUGHLIN: And, yeah, 70% of the attacks targeted organizations with 500 or fewer employees.
SUMMERS: OK. That is really striking. But what did they suggest then that businesses do about this?
MCLAUGHLIN: So it's not so easy to answer since cybercriminals are always adapting. But the task force partnered with the Center for Internet Security to take a stab at it. There's a timeline of actionable things that companies should do. First, it's really important that there's a deep understanding at the company of what your network actually looks like and how it functions on a normal day. It sounds simple, but here's the thing. Experts told me that criminals typically know their victim's networks a lot better than they do. Here's Valicia Stacchetti (ph) from the Center for Internet Security.
VALICIA STACCHETTI: There are a lot of attackers out there that I'm sure know the software much, much more comprehensive than probably some other folks, which is not good. And that's why we need this kind of work to make our defenses more resilient.
SUMMERS: OK - make our defenses more resilient. Yes. But on a practical level, what does that actually mean?
MCLAUGHLIN: So Stacchetti said that her top piece of advice is to use multifactor authentication. It's a fancy way of saying several methods of proving you are who you say you are - so not just a password but also an authenticator application, a physical token, biometrics. You also need to keep your software up to date. Keep an eye on patches that become available. Close up doors and windows that criminals like to break in through, essentially. And train your employees. Make sure they know the basics. The authors of the report recognize that sometimes cybercriminals will get in anyway, even if you're doing everything right. If they do, companies need to know what their plan is ahead of time, and they need to have backups that are encrypted and not connected to their primary network.
SUMMERS: All right. So I do not own a business, but none of this sounds cheap. I imagine that if someone has a small- or medium-sized business, they might not have adequate resources to handle this. And as you point out, these criminals are demanding millions of dollars in some cases.
MCLAUGHLIN: Yeah, that's a huge concern. So most of the action items in the report are meant to be pretty simple and affordable. But when it comes to actually paying ransoms, that's often when cyber insurance comes in. A new survey from BlackBerry and Corvus Insurance revealed that a lot of businesses are concerned their policies won't cover the cost of the damages, that their premiums are going up and that they aren't actually sure what their policies even cover. I talked to one of the authors of the blueprint, who comes from the insurance industry, and he says that insurance companies should be focused on proactively requiring companies to have some of these safeguards in place, to help defend but also limit really costly payouts in the first place.
SUMMERS: NPR's Jenna McLaughlin. Thank you.
MCLAUGHLIN: Thank you.
(SOUNDBITE OF TERRACE MARTIN SONG, "THIS MORNING (FEAT. ARIN RAY AND SMINO)") Transcript provided by NPR, Copyright NPR.