If you’re talking to a hotel general manager and the subject of ransomware attacks comes up, they’ll probably take one of two stances:
- They don’t know all that much about it and figure their IT people are taking care of it
- They know all too much about it from painful – and costly – personal experience
General managers who fall into the first category can stay out of the second category by working with their information technology (IT) support resource – whether internal or outsourced – to make sure they have developed, and are following, solid ransomware prevention practices.
Say you’re the GM of a large, complex independent resort property. You’re having a scheduled meeting with your in-house IT director and want to know just what she’s doing to protect the property from ransomware attacks.
Try asking these questions:
Q1: What’s our overall strategy to defend against ransomware attacks?
The response should include phrases like “start with a written plan” and contain words like “multilayered,” “training and awareness” and “endpoint security.”
You want to hear them say something like:
“We employ a two-tier strategy, each with multiple layers of defense. The first tier is all about prevention — keeping ransomware from entering the network in the first place. A big component of the prevention tier is training and awareness: email is the most common threat vector by which ransomware gets into a network. We train employees to recognize phishing threats that arrive in their email. Another layer is perimeter and endpoint security. The second tier is what we’ve done in advance to be able to react to a ransomware incursion and restore normal operations quickly, without having to pay up.”
Q2: Tell me more about training and awareness.
“First, we have an acceptable use policy (AUP) that every employee with computer access has to review and sign annually. It clarifies that each employee understands the risks involved with computer use and agrees to do everything possible to contain those risks.
Hand in glove with the AUP, we have an online training tool that shows how to recognize a phishing attempt and other threats to avoid.
Four times a year we engage a vendor to stage fake phishing attacks against our company email accounts. Any team member who falls for the phishing attack is a candidate for re-training.”
Q3: We invest in training, email security and endpoint protection, but ransomware can still get in. Why?
Fair question! The bad guys only need one colleague to have an off day or be inattentive for one moment. They can be in and build their attack from there. So, yes, eventually, some malware is likely to get in.
Q4: What else do we do to keep ransomware from getting into our network?
Some 70% to 80% of ransomware incursions start with a phishing email. Use commercial-grade email security software and endpoint protection tools that go beyond just anti-malware.
For perimeter security, use enterprise-grade firewalls and keep them current. There’s a whole new generation of advanced endpoint protection tools that I’m looking into. They use artificial intelligence (AI) and machine learning to look for any anomalous behavior and can kill a process before it executes and then quarantine the device.
Patch servers and desktops religiously. We can immediately apply any patches we identify as critical for our environment.
Control user access rights. Even I never use an account with privileged access rights unless I’m actively doing system administration at that moment. The network is segmented to keep something that gets in from spreading. Remove or disable a lot of ports and high-risk network services, especially remote desktop protocol and telnet. Use a utility that only lets applications on an “allow-list” to run.
Anyone making failed login attempts is locked out after three tries. We use multi-factor authentication for all remote access.
We don’t allow personal PCs on our admin network. We don’t allow personal email accounts on company computers.
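The lockout rule above (three failed attempts) is easy to state and easy to get subtly wrong. The script below is an added example, not code from the article, that applies that policy to a few constructed authentication log lines: it counts failures per account inside a time window, resets the count on a successful login, and reports which accounts would be locked and when. The log line format, the 15-minute window and the account names are assumptions made for the example.

```python
"""Account-lockout evaluation over constructed authentication log lines.

Added example, not from the article. Assumed line format (constructed):
    "<ISO timestamp> auth <success|failure> user=<name> src=<ip>"
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

MAX_FAILURES = 3                 # policy from the article: locked out after three tries
WINDOW = timedelta(minutes=15)   # assumption: failures only count within a 15-minute window

# Constructed sample log: frontdesk fails twice then succeeds (no lockout),
# nightaudit fails four times in a row (locked on the third), gm fails twice.
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth failure user=frontdesk src=10.0.5.12
2024-03-01T08:00:09 auth failure user=frontdesk src=10.0.5.12
2024-03-01T08:00:15 auth success user=frontdesk src=10.0.5.12
2024-03-01T08:01:00 auth failure user=nightaudit src=203.0.113.7
2024-03-01T08:01:04 auth failure user=nightaudit src=203.0.113.7
2024-03-01T08:01:08 auth failure user=nightaudit src=203.0.113.7
2024-03-01T08:01:11 auth failure user=nightaudit src=203.0.113.7
2024-03-01T09:30:00 auth failure user=gm src=10.0.5.40
2024-03-01T09:30:05 auth failure user=gm src=10.0.5.40
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def evaluate_lockouts(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {user: lockout_timestamp} for accounts that hit the threshold.

    A successful login clears the failure count; failures older than the
    window are dropped before counting; once an account is locked, later
    attempts are ignored (a real system would reject them).
    """
    recent = defaultdict(list)   # user -> timestamps of recent failures
    locked = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        user, ts = event["user"], event["ts"]
        if user in locked:
            continue
        if event["result"] == "success":
            recent[user].clear()
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window]
        recent[user].append(ts)
        if len(recent[user]) >= max_failures:
            locked[user] = ts
    return locked


if __name__ == "__main__":
    for user, when in evaluate_lockouts(SAMPLE_LOG).items():
        print(f"{user}: locked out at {when.isoformat()}")
```

The two details worth checking against whatever the property actually runs are the reset on success and the time window; without a window, an account that collects one failure a month would eventually be locked, and without the reset a legitimate user who mistyped twice carries those failures forward.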
Q5: Say they get in. Then what happens?
With a little more budget, we could employ active defense technology that gives us the ability to identify an intruder snooping around the network. If we catch them at that point, before they trigger the encryption, we can contain the attack.
Q6: What happens if they do get in and encrypt our files?
That’s when our incident response plan comes into play. It outlines who does what in most scenarios. It also identifies who to reach out to: the insurer, our legal team, law enforcement, forensic support, key vendors, etc. It’s important that we have those relationships in place before we have a problem, not when we’re scrambling to recover.
And recovery is the immediate objective. Our cloud-hosted systems shouldn’t be compromised. No one here has access privileges that would allow malware to encrypt files like our PMS, which is hosted on Amazon Web Services. Even if we lose the network here, we should be able to go to Best Buy, get some clean computers and keep running our cloud-based PMS. Operationally we would be intact, at least for our most critical system, while we try to recover the rest.
There are two keys to rapid recovery: One is rock-solid backups, and the other is the ability to quickly reimage a corrupted machine. Our backups are immutable – they can’t be changed or deleted. We copy backups to the cloud, where they can’t be accessed through our network. Then a vendor scans the backup to ensure that it doesn’t have the malware on it. That way, if we do a restore, we won’t be restoring the malware. I also take weekly copies to removable media and take it off the network. We do test restores every quarter, so everyone in IT knows how to do it properly.
On the reimaging front, we have copies of our images on removable media on a shelf ready to go. We use a utility program that quickly erases a corrupted machine and reimages it to like-new status. Then we can restore from backups.
Q7: What happens if the backups fail?
Our insurance company will send a retained partner of theirs our way to work out details like negotiations. But even if we pay, we might not get the decryption keys. If we do get the keys, they may not work or may not decrypt everything.
Q8: What else do I need to know?
The concept of “prevent as much as possible and prepare to recover even more” is definitely the best practice. We’ve invested an appropriate amount in software and services to train our people, protect our perimeter and endpoints and to be ready to recover as quickly as possible in the worst-case scenario. We think we have the right relationships in place now, not when we are desperate.
Could we do more? Sure! Like investing in active defense honeypots, for example. But at some point, we need to make a cost-benefit reality check and determine that we have enough defenses and preparation in place.