The executive was a bit sheepish when she approached Mike Kelly, Commercial Banking’s Business Information Security Officer, after a meeting with clients about cybersecurity awareness. Her company had been targeted by cyber criminals in a ransomware scheme, and she wanted to know how to avoid another attack.
“For most clients, it begins with basic hygiene for their systems,” Kelly said. “Keep your infrastructure and software up to date, and educate employees to recognize questionable emails. If you take care of the basics, you make it much harder for criminals who use ransomware to succeed.”
Two global ransomware attacks in 2017—known as WannaCry and Petya—targeted firms running Windows XP or other outdated software that was vulnerable to attack. In many cases, firms had received a software patch in March but had not applied it by the time of the attacks in May and June. Other attacks have focused on firms that do not require multifactor authentication to access email, or on “phishing” schemes in which employees open malware attachments that give criminals administrator-level access to systems. Once the systems are compromised, criminals hold files hostage until the company pays a ransom—typically in cryptocurrency—before providing the key needed to decrypt the files.
JPMorgan Chase & Co. advises clients who are victims of a ransomware attack to contact the FBI as soon as possible. In 2016, the FBI’s Internet Crime Complaint Center received 2,673 complaints identified as ransomware, with losses totaling more than $2.4 million. Law enforcement agencies acknowledge that some companies pay the demands out of convenience, but also note that companies that agree to pay often set themselves up for another attack.
Experts say criminals are increasing ransomware attacks on companies that hold large amounts of personal data, including hospitals, government agencies and financial institutions.
Education and prevention are the best protection, particularly when criminals “spray” malicious emails throughout a network knowing some employees will open them and inadvertently give criminals access to important files and systems.
“Most ransomware targets Windows users and all files on a system you would deem important,” said JF Legault, the firm’s Global Head of Cybersecurity Operations. “The way to protect those files is the same, whether it’s a big firm or a small one: Don’t click on suspicious links. Don’t open an attachment if you don’t know who it came from. Don’t open an Office document if it asks you to enable macros. Take the time to verify requests in person or by using a known telephone number. Don’t fall for the line, ‘This is urgent and needs to be done now.’”
Beyond education, it’s important to incorporate these threats into a firm’s broader business resiliency plan. “Companies should always have robust systems and procedures in place to back up files,” Legault said. “That way, in the event someone does click on a link and installs ransomware, the company will have the ability to restore files from backup and not be forced to pay the ransom.”
Often, smaller companies that cannot afford to hire full-time technology resources must rely on consultants to evaluate their vulnerabilities and help correct them by implementing software patches.
“Protection doesn’t always have to be expensive—it’s often just a question of attention to detail. Many smaller companies held hostage by ransomware don’t regularly update and patch their computers and devices,” said Anish Bhimani, Commercial Banking’s Chief Information Officer. “The likelihood of being successfully targeted is much lower for companies that routinely maintain their systems and keep security software up to date.”
As part of the firm’s cybersecurity strategy, layers of applications protect against ransomware attacks, software patches are applied promptly and multiple storage backup systems are used. The firm color-codes external emails to help employees identify possible phishing attempts, requires employees to create unique passwords and change them regularly, and uses multifactor authentication to access email from outside the firm’s firewalls.
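The external-email tagging described above can be done at the mail gateway before a message reaches the employee. The following is an added example, not JPMorgan Chase code; it assumes a placeholder internal domain (`example.com`) and standard RFC 5322 headers. It marks mail from any other domain as external (so the client can colour it), notes a Reply-To that points somewhere other than the sender, and flags macro-enabled Office attachments, the kind the article warns employees not to open. The sample messages are constructed for the example.

```python
"""Gateway-side tagging of inbound mail: mark external senders, note a
mismatched Reply-To, and flag macro-enabled Office attachments.

Added illustration; the organisation domain below is a placeholder and the
classification rules are this example's own design.
"""
from email import message_from_string
from email.utils import parseaddr

# Placeholder: replace with the organisation's real mail domains.
INTERNAL_DOMAINS = {"example.com"}

# Office formats that can carry VBA macros.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}

EXTERNAL_TAG = "[EXTERNAL] "


def sender_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(raw_message):
    """Parse one RFC 5322 message and return tagging decisions.

    Result keys: 'external' (bool), 'subject' (possibly re-tagged),
    'findings' (list of strings for the gateway log or user banner).
    """
    msg = message_from_string(raw_message)
    from_domain = sender_domain(msg.get("From"))
    reply_domain = sender_domain(msg.get("Reply-To"))
    findings = []

    external = from_domain not in INTERNAL_DOMAINS
    if external:
        findings.append("external-sender")

    # A Reply-To that differs from From is a common invoice-fraud pattern.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    # Walk every MIME part; only attachments carry a filename.
    for part in msg.walk():
        name = part.get_filename()
        if name and any(name.lower().endswith(ext) for ext in MACRO_EXTENSIONS):
            findings.append("macro-attachment:" + name)

    subject = msg.get("Subject", "")
    if external and not subject.startswith(EXTERNAL_TAG):
        subject = EXTERNAL_TAG + subject

    return {"external": external, "subject": subject, "findings": findings}


# Constructed sample: external sender, mismatched Reply-To, .docm attachment.
SAMPLE_EXTERNAL = """From: "Accounts" <billing@invoice-portal.test>
Reply-To: collect@other-domain.test
To: staff@example.com
Subject: Urgent: invoice needs approval today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please enable macros to view the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: ordinary internal mail, nothing to flag.
SAMPLE_INTERNAL = """From: colleague@example.com
To: staff@example.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_EXTERNAL, SAMPLE_INTERNAL):
        print(classify(sample))
```

The subject tag and the findings list are what a gateway would hand to the mail client for colouring and banners; the macro check is by filename extension only, so a real deployment would also inspect the attachment's actual content type.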
“Every company or organization—big or small—needs to be aware that criminals are out there monitoring,” said Rohan Amin, the firm’s Global Chief Information Security Officer. “Software is developed by human beings. It will always be flawed, and we will always have criminals looking for vulnerabilities and ways to monetize them.”
Cyber criminals demand a “ransom” payment via cryptocurrency—a digital currency that isn't regulated by financial institutions and can be purchased anonymously on the Internet, making it almost impossible to track down the criminals—before providing a “key code” that unlocks the files.