
Why the FTC Expects You to Manage Your Ransomware Risks...and What Could Happen if You Don't

September 16th, 2016

The Federal Trade Commission (FTC) has just put businesses – including yours – on notice that everyone needs to do their part to combat ransomware, and that failure to manage your ransomware risks could result in fines and government actions.

In some cases, in fact, it already has. FTC Chairwoman Edith Ramirez revealed recently that the agency has pursued more than 60 enforcement actions against companies that were hit by ransomware because, in its view, they had failed to adopt "reasonable security protections."

This may seem like punishing the victims, but it underscores the seriousness of this type of attack and signals a reduced tolerance for careless handling of data by any company. And the punishment – government fines – for such lapses can far exceed the ransoms that the hackers are demanding.

To that end, the FTC has provided guidance on how the National Institute of Standards and Technology's (NIST) Cybersecurity Framework aligns with its data security expectations. You can read that post here.

The Ransomware Threat is Only Going to Increase

This growing issue was front and center at a recent FTC forum that focused on the spread of ransomware and what can be done to combat this crime. And there is no denying that the risk has escalated at an alarming rate.

Ransomware incidents now total about 4,000 per day – a 300% increase over last year. 

Because this is a profitable venture for hackers, these attacks are here to stay. And everyone – individuals, businesses of all sizes, government agencies – is a potential target. That is why the FTC is demanding that businesses do more.

"One component of reasonable security is that companies have procedures in place to address vulnerabilities as they arise, including from malicious software," said Ramirez. "A company's unreasonable failure to patch vulnerabilities known to be exploited by ransomware might very well violate the FTC Act."

As we've reported previously, ransomware has become a core component of phishing campaigns. Experts estimate that more than 90% of all phishing emails now carry a strain of ransomware. Using very sophisticated social engineering tactics, phishing is becoming more difficult to spot as well, particularly spear-phishing attacks.

But the attacks don't even have to be that polished, because for an end user without proper training in spotting phishing attempts, every email that hits his or her inbox could spell disaster.

It's of course not just phishing and not just ransomware that are cause for concern. They are the focus today, but the threat landscape is constantly evolving. The point is that IT risk management needs to be a critical business function, and every business today must do its part to provide reasonable defenses against all threats.

FTC Warns that Businesses Must Stay Vigilant

As a consumer-protection agency, the FTC's interest in this issue stems, of course, from the impact on consumers when a company fails to take reasonable steps to protect their personally identifiable information (PII). That explains its strong warning to the business community that failure to provide reasonable security – patching vulnerabilities, firewalls, anti-virus, etc. – is unacceptable and potentially subject to regulatory scrutiny. To learn more about the top 5 cybersecurity measures that every business needs, check out this post.

All too often businesses know that data management and strong cybersecurity matter, but they still aren't making them a priority. That is what the FTC is seeking to change.


The FTC is concurrently looking at how it can raise awareness of the ransomware threat and combat malware more broadly.

But the agency's message is clear: it's not okay for any business to ignore these known risks. Adopting a "that won't ever happen to me" attitude or simply ignoring the risks can and will cost you.

Business leaders must face the fact that resources MUST be allocated to data protection, because should that data fall out of your control, the alternative is heavy government scrutiny and fines. And that's in addition to the chaos, loss and downtime created by the attack itself.

The Time to Manage Your Ransomware Risks is Now

Whether a business that gets hit with ransomware is viewed as a victim or as an organization that knowingly engaged in careless or reckless behavior will come down to how it chose to handle data security.

And there is no better signal that your business takes IT risk management seriously, and is taking responsibility for managing and protecting its data against ransomware, than hiring a professional IT services firm to do it for you.

Corsica Technologies can help. As a premier IT services firm, we provide our clients with fully modern network security services, including patch management, firewalls, anti-virus and 24/7 monitoring, management and maintenance across the entire network.

To talk to a Corsica Tech specialist about your data and network security needs, request a call today!
