To access our COVID-19 related information, click here

Guest blog post: How a Small Business Owner Lost Everything – a tragic ransomware story and solution

Your information and data can be TAKEN FROM YOU by hackers.  Here is an account of one of the worst examples of ransomware that this IT professional encountered in his 15 years on the front lines.  

You wake up one morning and go through your morning routine, including logging in to your computer.  But wait … something’s wrong.  You see a weird set of error messages – something about a virus, your files being encrypted, and needing to pay to get the decryption key before your data is lost forever. You invite your colleague to take a peek, and she confirms that “everyone’s getting that message today.” The phones are ringing off the hook, but the company has ground to a halt. Without a contract and a great IT vendor, it is not until the next morning that an IT tech you never met shows up to help.  Unfortunately, after spending hours figuring out your system, you are told that your back-ups have been failing for a month and cannot be recovered.  Your option appears to pay the $8,000 Bitcoin ransom being demanded by the hacker or forever lose your data, so you pay the ransom.  Unfortunately, after paying the ransom, your servers and computers still fail to function.  You have lost everything.

***

While the above may seem exaggerated or a worst-case scenario, it is based on a true story. It’s one of the worst examples of ransomware I had ever encountered in the past 15 years of my IT and cybersecurity professional experience. I felt horrible for what happened to this business and what this meant, not only for the owner, but for all of the employees that worked for him as well.  While you may want to blame the IT vendor, this was the owner’s fault and it all could have been prevented.

Information Security and Business Continuity is the responsibility of the business owner. Your information and your data are YOUR responsibility. You have a responsibility to classify your own data, to label it, and to determine how important any data or application is to your business. You have a responsibility to create company policies, including Information Security Policies, that govern how your information should be handled (in theory, as a high-level concept), how your business should prepare for and deal with breach incidents and data being lost or compromised. Your inexperience or ignorance regarding how to do this properly is not a good reason to think that it is someone else’s responsibility. If you’re reading this and you are solemnly nodding in agreement: excellent. If you find yourself getting angry at me: good enough, it only proves my point further – you’re angry because you have a lot of pride in your business and if you admit I’m right, you’re also admitting your business is lacking a crucial need. You need official, written, documented corporate policies governing information security and business continuity.

Without corporate information security and business continuity policies being dictated by you, how can any IT vendor possibly know what to implement and configure for you? How can you have an expectation for business continuity (such as with successful backups) without someone who constantly tests these systems in accordance with a corporate policy laid out by you as the owner? Here’s the good news: many IT companies and law firms offer these sorts of services. You don’t need to be an information security expert; you just need to know the buck stops with you. Hire information security specialists or qualified lawyers to consult with you on crafting these corporate policies. Engage them and other vendors in good faith to implement technical controls that help enforce and comply with these corporate policies. Sign contracts with vendors to meet the criteria specified by your corporate policies in order to minimize the chances of something like this happening to you and your business. There is no Silver Bullet but believe me when I say that the only thing information security specialists and vendors want you to have to worry about in the morning is getting your kids ready in time for school.

Aaron Cervasio is a veteran IT professional at New Jersey Managed IT Services Company, Exigent Technologies.