What is Bring Your Own Device (BYOD, also known as Bring Your Own Technology or BYOT), and why should your company be concerned about it? BYOD refers to the practice of letting employees use mobile devices they own personally to access your company’s information and applications.
While it’s often convenient for both employers and employees, BYOD can put your company at greater risk from ransomware and other malware.
What Makes Mobile Devices So Risky?
When it comes to your company’s own systems, security is in your hands. This isn’t the case with personally owned mobile devices.
Obviously, a phone, tablet, or laptop that an employee carries around is easier to steal than a workstation in your office. But even if the device itself isn’t stolen, it is often easier to compromise, and a compromised device can give attackers a path into your systems. From there, they may be able to encrypt your files and information and hold them for ransom.
Physical theft isn’t the only risk you face. With personally owned mobile devices, you also have to rely on your employees to install security patches promptly and not to install vulnerable or malicious applications. This is difficult even for well-meaning employees.
With ransomware creators competing for victims, mobile apps are a tempting delivery channel. According to Symantec’s Internet Security Threat Report from April 2016, Android users are a main target of attack, but Apple devices are not immune: attacks on Apple devices rose considerably in 2015. The report notes that attackers are using newer, more sophisticated techniques to profit from their victims; for example, mobile ransomware was observed that actually encrypts files on the phone rather than simply locking the screen.
Mitigating the Risk for Mobile Devices
There are several features that should be included in your company’s security policies to protect against mobile malware. Some of these are:
Increased Risks Expected in the Future
In spite of all precautions, the current trend is for the risks associated with mobile devices to increase in the near future and possibly beyond. The increasing use of smartphones and all other mobile devices is simply too tempting for cyber criminals to pass up.
With warnings about ransomware appearing more frequently in the news, what do you need to know to protect your company?
What Is Ransomware?
Ransomware is malware that blocks access to your files and data, usually by encrypting them, and then demands a ransom, often in Bitcoin, for the key needed to restore access.
What Kinds of Computers and Devices Are At Risk from Ransomware Attacks?
According to a PCWorld article on ransomware from this year, while computers running Windows are a major target, there are also applications targeting Android and attacks on Linux servers have recently been on the increase. Mobile devices such as smartphones can also be especially vulnerable, as users often download applications to them without carefully considering security risks.
What Methods Do Cyber Criminals Use to Infect Your Systems with Ransomware?
There are several methods, and not all of them are technical. One is phishing: tricking users into handing over information such as passwords or credit card details, or into opening a malicious link or attachment. Spear phishing is a targeted form of phishing in which the message is tailored to a specific person or organization, using details such as the recipient’s name, role, or colleagues to make the request appear trustworthy.
Can You Rely on Law Enforcement to Get Your Data Back After a Ransomware Attack?
No. Most of the time, law enforcement can do very little to help you recover your data. Your best bet is to focus on prevention, keeping your security patches and updates current, having effective data backups, and having a well-tested recovery plan.
It’s important to remember that your backups should not be continuously reachable from the systems they protect. If ransomware can reach a mounted backup drive or network share, it encrypts that too, leaving you with nothing. Many security experts recommend the 3-2-1 rule: keep at least three copies of your data, on two different types of storage media, with at least one copy offline or off site.
If All Else Fails, Should You Pay a Ransom to Recover Your Data?
There are differing opinions on this, even among law enforcement officials. In some cases, such as hospitals who face the risk of harm or even death to their patients if they can’t quickly recover data, it might seem advisable to pay a ransom.
However, there is never a guarantee that cyber criminals will actually return access. And worse, knowing that a business has paid a ransom may make that business or others in the same industry tempting targets for future attacks.
Can You Count on Security Updates to Always Protect Your Company from Ransomware Attacks?
Unfortunately, no. Your company’s information will still be at risk from zero-day vulnerabilities. A zero-day vulnerability is a security hole that is unknown to the software vendor when attackers begin exploiting it. Between the first exploit and the vendor’s release of a fix, there is simply no update to apply, and your systems can be attacked.
Promptly applying security updates keeps that window as short as possible, but ultimately your company needs to be able to recover from data backups if you have the bad luck to be attacked during the period of vulnerability.
Ransomware is constantly evolving, making it a difficult challenge for companies to protect against. This makes it especially important to do all that you can to minimize your company’s risk from attack.
The threat of ransomware attacks is on the rise in 2016. Ransomware itself has been around for decades and is constantly evolving. This presents a serious security challenge for both small and large businesses.
The good news is that larger companies are improving their security as they become more aware of the risk. But in an ironic twist, their improved security can be bad news for small or mid-sized businesses. With cyber criminals having less success with large targets, they are switching to companies with smaller security budgets and less experience protecting themselves from attacks.
Ransomware History Highlights
Explosive Growth of Ransomware
From 2012 until the present, there has been an explosion in the growth of ransomware. This was due in part to the use of anonymous payment services, which made collecting payments from victims much simpler for ransomware creators. Symantec’s Internet Security Threat Report from April 2016 shows the alarmingly rapid increase in ransomware discoveries:
How Can Smaller Companies Protect Themselves?
Since ransomware blocks your access to your files, one of the best ways to protect your company is to make sure all of your data is properly and regularly backed up, and that you have actually tested restoring from those backups. At least one copy of your backed-up data needs to be stored on a system that is isolated from the rest of your systems. You don’t want your backups to be encrypted by the ransomware too!
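As an added example (not code from the original post), here is a small Python routine that records a SHA-256 manifest when a backup set is made and checks a copy against that manifest before it is trusted for a restore. It serves both this section and the 3-2-1 discussion earlier on the page: the manifest is meant to be stored with the offline copy, so a backup that ransomware reached shows up as modified and unexpected files instead of being discovered during the restore. The directory layout, file names and the simulated attack are constructed for the demonstration.

```python
"""Backup-integrity check: hash a backup set at creation time, then verify a
copy against that manifest before relying on it for a restore.
Added example, not code from the original post; the file names and the
simulated ransomware pass below are constructed for the demonstration."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: str) -> dict:
    """Walk the backup set and record relative path -> size and SHA-256."""
    root = Path(backup_root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": _sha256(p)}
    return manifest


def verify_backup(backup_root: str, manifest: dict) -> dict:
    """Compare a backup copy against the manifest captured when it was made.

    Returns lists of 'modified', 'missing' and 'unexpected' files. Ransomware
    that reached the copy typically shows up as modified files (encrypted in
    place) plus an unexpected ransom note."""
    current = build_manifest(backup_root)
    modified = sorted(p for p in manifest
                      if p in current and current[p]["sha256"] != manifest[p]["sha256"])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: make a backup set, keep its manifest separately,
    then simulate ransomware encrypting one file and dropping a ransom note."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "docs" / "contract.txt").write_text("signed agreement")
        (root / "docs" / "ledger.csv").write_text("date,amount\n2016-05-01,100\n")
        manifest = build_manifest(d)
        # The manifest belongs with the offline copy, not beside the live data,
        # so an attacker who encrypts the share cannot also rewrite it.
        manifest_json = json.dumps(manifest)

        # Simulated attack on the reachable copy: one file overwritten with
        # random bytes ("encrypted") and a ransom note added.
        (root / "docs" / "contract.txt").write_bytes(os.urandom(32))
        (root / "README_DECRYPT.txt").write_text("pay 1 BTC")

        return verify_backup(d, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check deliberately reports unexpected files as well as modified ones: a ransom note or renamed copies in a backup location are a sign the copy was reachable from an infected host and should not be treated as the clean source for a restore.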
You also need to make certain that your security patches and updates are deployed as soon as possible as these updates often involve security improvements to protect your company from known threats.
For companies without the same level of security resources available to them as larger companies, it’s also worthwhile to consider making use of companies such as Aperio-IT. We offer virtual CIO (Chief Information Officer) services, where we help you plan your IT strategy and budget.
Not every HIPAA security requirement is related to technology. Just two of the requirements to keep in mind when you work to make your company HIPAA compliant include Business Associate Agreements and Risk Assessment.
HIPAA Requirement for Business Associate Agreement
In addition to your IT department’s need to keep Protected Health Information (PHI) in electronic form secure, you need to consider issues not related to technology. For example, if a company you work with is considered a business associate under HIPAA, you must have a business associate agreement (BAA) in place with them before transmitting PHI to them. The BAA is a contract obliging the business associate to protect PHI according to HIPAA requirements. Failure to have the BAA in place before PHI is shared can result in fines and other penalties.
In a recent case, a surgical practice ended up having to settle with the Office of Civil Rights of the U.S. Department of Health and Human Services (OCR) for $750,000 after it improperly disclosed several thousand patients’ PHI to a service provider without first entering into a BAA with the service provider. This service provider had agreed to digitize x-rays containing PHI, in exchange for extracting and keeping the silver from the x-ray film. While this provider’s service might not appear at first glance to be related to health care, the fact that the x-rays contained PHI and the provider “created, received, maintained, or transmitted” the PHI without a BAA in place made all the difference in this case.
HIPAA Requirement for Risk Assessment
HIPAA requires all covered entities, their business associates, and subcontractors of business associates to conduct a risk assessment. As stated in the HIPAA Security Rule, these entities must, “…implement policies and procedures to prevent, detect, contain, and correct security violations.” Further, the required risk analysis is defined as a, “…thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”
In another case, a Minnesota-based health care company paid a $1.5 million settlement after one of its business associates was investigated. A laptop containing PHI for the health care company’s patients had been stolen from the car of one of the business associate’s employees. The health care company was penalized both because there was no BAA in place between it and its business associate, and because it had not conducted an adequate analysis of the security threats to the PHI.
HIPAA Audits, Phase 2 – Business Associates May Also Be Audited
As we mentioned in our recent post, “Is Your Business Affected by HIPAA Regulations,” the OCR launched Phase 2 of its HIPAA Audit Program on March 21, 2016. In this phase, any covered entity or business associate may be audited. Per the OCR, these audits can involve onsite assessments or desk audits.
Need to Learn More about HIPAA Compliance?
If you’d like to learn more about how HIPAA compliance may affect your business, Aperio-IT will be holding a free Lunch and Learn Event on Wednesday, June 8. Brian Olsen, HIPAA Security Advisor, will be joining us to help answer your concerns about HIPAA regulations. You can find out details and register here to attend.
You can also take a look at our previous HIPAA-related posts:
In the first part of this series, we discussed the recent increase in ransomware attacks on hospitals, what ransomware is, and what features of hospitals and healthcare organizations make them especially tempting targets. In this final part, we’ll look at what organizations can do to protect themselves and their patients or clients from these attacks.
How to prevent attacks – or at least minimize damage
A recent study by SailPoint on security practices within organizations takes the stand that organizations should assume that data breaches are now a matter of “when” rather than “if.” That is, a wise organization should focus not only on preventing data breaches, but also on recovering successfully from them when they inevitably occur.
Since many ransomware attackers gain access from successful phishing attempts, organizations still need to focus on educating their employees to identify phishing. This means continuing to teach users how to identify suspicious emails and share them with their IT teams so those IT teams can keep track of possible attacks.
Phishing is a specific type of social engineering attack in which confidential information is acquired by fraudulent methods. These attacks often attempt to acquire user names, passwords, or other information useful to hackers. In the case of ransomware attacks, hackers are generally attempting to get information that will allow them access to an organization’s systems.
Educated users can identify many phishing attempts. For instance, phishing messages often use link shorteners or embedded links whose visible text differs from the real destination, so that the link appears legitimate. Once clicked, these links lead to websites set up specifically for fraud, such as a copy of a login page that captures whatever credentials are typed into it.
Phishing attempts also frequently use threats to create a sense of urgency and fear, so that victims hurry and don’t think carefully about what they are doing. Emails that threaten to cancel or suspend an account immediately, demand that you “verify” your details, or set a deadline of hours should be considered highly suspicious.
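The two indicators just described, hidden link destinations and urgency language, can also be checked mechanically before a message reaches a user. The following Python scanner is an added example, not code from the original post: it extracts every link from an HTML mail body, flags shortened links and links whose visible text names a different host than the real destination, and looks for urgency phrases in the text. The shortener list, the urgency patterns and both sample messages are constructed for the demonstration; a real deployment would use maintained lists.

```python
"""Heuristic phishing-indicator scanner for an HTML e-mail body.
Added example, not code from the original post. The shortener hosts,
urgency patterns and sample messages below are constructed for the demo."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of link-shortening hosts (a real deployment would use a maintained feed).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

# Assumed urgency phrases of the "act now or lose your account" kind.
URGENCY_PATTERNS = [
    r"\bimmediately\b",
    r"\bwithin 24 hours\b",
    r"\baccount (?:will be )?(?:suspended|cancell?ed|closed)\b",
    r"\bverify your (?:account|password|identity)\b",
    r"\burgent\b",
]


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Lower-cased hostname of a URL; bare 'host/path' strings are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def scan_email(html_body: str) -> list:
    """Return a list of human-readable indicators found in the message body."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        if href_host in SHORTENER_HOSTS:
            findings.append(f"shortened link: {href}")
        # Visible text that looks like a URL but resolves to a different host.
        if re.match(r"(?:https?://)?[\w.-]+\.[a-z]{2,}", text, re.I):
            text_host = _host(text)
            if text_host and text_host != href_host:
                findings.append(f"link text {text!r} hides destination {href_host}")
    plain = re.sub(r"<[^>]+>", " ", html_body)
    for pat in URGENCY_PATTERNS:
        if re.search(pat, plain, re.I):
            findings.append(f"urgency cue: /{pat}/")
    return findings


# Constructed sample messages for the demonstration.
PHISH = """<p>Your account will be suspended immediately unless you
<a href="http://bit.ly/3xyz">verify your account</a> at
<a href="http://secure-login.example.net/auth">https://www.bank.example.com</a>.</p>"""

LEGIT = """<p>Hi team, the Q2 summary is on the intranet:
<a href="https://intranet.example.com/q2">intranet.example.com/q2</a>. Thanks!</p>"""

if __name__ == "__main__":
    for name, body in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, scan_email(body))
```

Against the constructed phishing sample the scanner reports the shortened link, the mismatch between the bank URL shown to the user and the real destination host, and three urgency cues; the legitimate sample produces no findings. Heuristics like these are a triage aid for the IT team, not a replacement for user training: a careful attacker can avoid shorteners and soften the wording.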
Some of the other measures suggested by the Department of Homeland Security include:
In the case of MedStar’s ransomware attack, data backups were a key part of the solution. The organization reported that it was able to shut down its systems, isolating the damage, and later restore its data from backups without having to resort to paying a ransom.
Future security requirements and guidelines
It is possible that HIPAA requirements will be changed in the future in response to ransomware attacks. According to Bloomberg BNA, Rep. Ted Lieu (D-Calif.) is considering legislation “that would require hospitals and other health-care organizations to notify their patients when they’ve been the victim of a ransomware attack.” This would involve updating HIPAA’s current requirements regarding breach notification.
The FBI also offered guidance regarding the risks of ransomware in its podcast from May 25, 2016, “Ransomware on the Rise.”
Additional Links:
United States Computer Emergency Readiness Team, Alert TA16-091A: Ransomware and Recent Variants
Bloomberg BNA, Ted Lieu mulls ransomware attack requirements