Glaziers and glazing manufacturers have large amounts of electronic personnel and project data ranging from information about financials, employees, and sensitive project files. Access to, and use of, this information is essential. Ransomware—malicious computer programs that lock data—can hold that data hostage. Attacks were once only common among large companies and financial institutions. However, today, anyone who uses a computer and stores business critical information electronically can be a target.
This lesson was made clear in May of 2017. A program, WannaCry, which had been dormant on millions of Windows PCs worldwide, activated and locked access to data stored on the computer unless payment was made. The demands themselves were relatively modest—typically less than $1,000. If payment was made, a code might be given that allowed a user access to some of the electronic information. If payment was not made, the data remained locked or was deleted.
The risk from a lack of access to data can seem remote—the internet is a big place after all. But, consider for example the risk to a glazing company if a project goes behind schedule because the glazier’s work has been delayed by a ransomware attack, or the BIM submittal includes a file that compromised an architect’s entire library. Equally, small batches of personally identifiable information typically held by employers of all sizes can be targeted by organized cybercrime syndicates, individual “hackers” and even state-sponsored cyber armies.
Is there a way to completely protect against such an invasive, global threat? No. But there are some risk management steps to take before an attack that might help.
The seemingly straightforward answer is to ensure that data has been backed up. Most companies, however, have backup systems designed to prevent data loss, not preserve data access. Backups are networked together with primary servers for speed and comprehensive data retention. However, a ransomware attack can limit data access across an entire network and compromise tied-in backups. A regular, secure, off-network backup can be good practical insurance.
2. Secure network permission
An individual user’s ability to access data can impact the invasiveness of a malicious program. The ability to load or edit files directly on a primary server, or access critical system files, can affect the spread of any computer virus, ransomware included. A network audit, with a reputable IT security professional, can review systems, set limits, and gauge critical access points for a company’s unique IT infrastructure.
3. Review vendors
Many companies today use cloud-based network solutions to avoid the hardware and administrative costs of hosting an internal IT network. There are many positives to that process, but if a user’s individual workstation becomes infected, it will be critical to ensure that data and information remains secure. Equally, cloud-based data backups are gaining prominence, but there is a need to ensure that historic versions of files and data remain accessible in the event of an attack.
Insurers do offer coverage for various data-related claims, including ransomware attacks. These policies are not necessarily reasonable for every company—premiums can approach $20,000 and have high per-occurrence deductibles. Regardless, these policies not only protect against potential claims relating to failure of IT systems or exposure of sensitive data, but also offer response teams who can be called on in the event of an attack to manage the IT issues and develop public response plans.
5. Update IT policies
Risk from a ransomware attack is something to be considered in any IT policy. The potential for attack should impact policies relating to system and hardware updates; keeping both current is key. Equally, social media access from company machines should be addressed. For example, a recent ransomware attack at the Department of Defense began when an employee clicked a link embedded in a Twitter post, and another similar event occurred when a link found in a Facebook ad was accessed. Finally, response plans in the event of an attack can also be incorporated into IT policies. For example, points regarding the terminating of internet access, contacting relevant authorities, notice to potentially affected parties, and destruction or formatting of previously attacked systems are worth considering.
The weakest point in data and IT security is the user. Employee training regarding network safety and proper IT security protocols can help sensitize individuals to the risk presented by social media, including the Twitter link or Facebook ad. Consistent and safe use of data transfer services and access to third-party networks and systems are also points worth addressing with employees. And because no system is “foolproof,” training regarding when and who to notify in the event of an IT security issue is critical because delay or other self-help steps by employees can cause real problems.
7. Be alert
IT systems are so ubiquitous now that they almost seem more like plumbing fixtures than the complicated modern wonders they are. Staying current with IT systems and risk may not seem relevant to overall business growth, but being able to safely and securely participate in the most current data protocols can make for valuable marketing and lead to meaningful business relationships.