The chair of the Federal Trade Commission (FTC) is warning businesses that the FTC may consider holding them accountable for not fixing common vulnerabilities exploited by ransomware attacks.
FTC Chairwoman Edith Ramirez says the actual ransom demand is usually $500 to $1,000 but can be as high as $30,000. Based on data from the FBI, the U.S. government estimates there are now 4,000 ransomware attacks being launched per day, representing a 300 percent increase over the 1,000 ransomware attacks per day in 2015.
Even more concerning for the average organization, Ramirez also revealed that thus far the FTC has pursued more than 60 enforcement actions against companies that have been hit by ransomware. That may seem like a government effort to punish the victim of a crime, but the FTC is starting to make it clear that the careless handling of data is indeed a potential crime punishable by fines that far exceed the ransom being demanded by hackers.
The rising threats of Ransomware
While that effort may not do much in terms of getting more companies to voluntarily admit they have been a victim of ransomware, it should go a long way in getting more organizations to modernize their approaches to protecting their data. The sad fact of the matter is that in addition to not investing enough in data security, most organizations today rely on approaches to data security that make recovering their data a more difficult task than it should be.
Unfortunately, things may be about to get worse before hopefully getting better. Ramirez notes that ransomware has become a core component of phishing campaigns, with an estimated 93 percent of all phishing attacks sent by emails containing some form of encryption meant to be used to demand a ransom for corporate information.
Things are apparently no better in the cloud. Netskope, a provider of cloud security software, this week reported that nearly half (44 percent) of the cloud applications it investigated contained some type of malware associated with ransomware attacks.
Small business Data Security Risk Management
As a small business owner, one thing you must know is that managing risk is a fundamental element of managing a business. Data security issues such as ransomware are just one in a long line of these risks. Framed from that perspective, it then becomes apparent that the organization needs to focus on protecting its most critical data assets. In most cases that's customer data containing credit card numbers and other forms of personally identifiable information (PII) such as healthcare records. I must add that most businesses are unaware of what unprotected data resides on vulnerable endpoints (computers), resulting in an easy entry point for attackers. The first thing they need to do is have an audit or assessment performed to reveal these vulnerabilities so they can be fixed.
Business leaders may not like the fact that they have to allocate more money to protecting that data. But should that data fall out of their control, they will like being the subject of government scrutiny even less. More often than not, the difference between being viewed as a true victim or as someone engaging in reckless behavior will come down to how responsibly an organization handles its data in the first place.
Obviously, there is no better indication of responsibly handling sensitive data than hiring a professional data security firm to do it. Currently, government agencies such as the FTC are making it abundantly clear that their patience with organizations that don't employ reasonable measures to protect data has already run thin.