Here's how small- to medium-sized businesses can effectively protect their networks against the risk of ransomware without breaking their security budgets.

What is the best way for a small- to medium-sized business (SMB) to protect itself from ransomware? Ransomware is impacting firms around the world, and Mandiant has indicated that it is on the rise and doesn't appear to be slowing down one bit. These are the nine tasks that SMBs should focus on to mitigate risk from ransomware attacks.

1. Have a backup plan and tested recovery process

Some might argue that multi-factor authentication (MFA) is the best way to protect a firm, but I'd argue that having a tested backup and recovery process would be better. Too often businesses overlook having a backup and a tested recovery process. Especially for firms with on-premises servers and domain controllers, have a process where someone, whether in the firm, a consultant or a managed service provider, performs a dry run of an actual recovery. When I've done a dry run, I often find that I need to perform some step that I've forgotten to restore from a bare metal process. You may find that a Hyper-V parent needs additional steps, or that you need to take ownership of the restoration image to fully restore a Hyper-V server or virtual machine to full working condition. Ensure that you have a recovery script or manual in place so that the staff tasked with recovery know the steps. The documented steps will help lower the stress of the event.

2. No public-facing remote desktop connections

Do not expose servers to public-facing remote desktop connections. Many ransomware attacks start with attackers either guessing the passwords or finding repositories of administrative passwords left behind in online databases and GitHub repositories. We are often our own worst enemies when it comes to credentials, so never use public-facing Remote Desktop Protocol (RDP) in production networks.

3. Limit administrator and domain administrator credentials

Review your network for the use of local administrator credentials as well as domain administrative credentials. Too often I see SMBs take the easy road and allow users to be local administrators with no restrictions. Even worse is when a network is set up giving users domain administrator rights. There is no reason for a network user to have domain administrator roles or rights while they are a user. For many years vendors often assigned domain administrative rights because it was an easy fix to get an application to work properly. Vendors have moved away from granting administrator rights to requiring installation in the user profile, but I still hear reports of consultants finding networks where the users are domain administrators. On your domain controller, run the command Get-ADGroupMember "Domain Admins". No user in your organization should be a domain administrator.

4. Have a policy for confirming financial transactions

To ensure that your organization won't be caught by business email compromise (BEC) attacks, ensure that you have an agreed-upon process to handle financial transactions, wires and transfers. Never rely upon an email to provide you with the account information for fund transfers. Attackers will often know that you have projects underway and send emails attempting to lure you into transferring funds to an account they own. Always confirm with the receiving organization that the account information is correct. If any changes to the process are made, there should be a documented approval process in place to ensure that the change is appropriate.

5. Isolate public-facing servers

For any server that is public facing, consider placing that server in an isolated position or even putting it in a hosted situation. Public-facing web servers should not be able to connect to internal systems if you are an SMB, because the resources needed to properly secure and maintain them are often too high.
Look for solutions that place limits and divisions between external web resources and internal domain needs.

6. Retire out-of-date servers

Investigate whether you can retire out-of-date servers. Microsoft recently released a toolkit to allow customers to possibly get rid of the last Exchange Server problem. For years the only way to properly administer mailboxes in Exchange Online where the domain uses Active Directory (AD) for identity management was to have a running Exchange Server in the environment to perform recipient management activities. Exchange Management Tools were released with Exchange Server 2019 CU12 and include an updated Exchange Management Tools role designed to address the scenario where an Exchange Server is run only because of recipient management requirements. The role eliminates the need to have a running Exchange Server for recipient management. In this scenario, you can install the updated tools on a domain-joined workstation, shut down your last Exchange Server, and manage recipients using Windows PowerShell.

7. Review consultant access

Investigate the consultants and their access. Attackers look for the weak link, and often that is an outside consultant. Always ensure that their remote access tools are patched and up to date. Ensure that they understand that they are often the entry point into a firm and that their actions and weaknesses are introduced into the firm as well. Discuss with your consultants what their processes are.

8. Focus on known exploited vulnerabilities

Focus on the known exploited vulnerabilities. While security consultants urge businesses large and small to turn on automatic updates, small firms often don't have many resources to test patches. They often hold back to ensure there are no side effects with updates. Monitoring that list of known exploited vulnerabilities allows you to focus on the items that are under active attack.

9. Deploy or update endpoint detection and response

Endpoint detection and response (EDR) is becoming more affordable for SMBs. Microsoft 365 Business Premium includes EDR in the form of Microsoft Defender for Business.
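Returning to item 2, here is an added example (not from the article) that reports a Windows server's own Remote Desktop posture: whether RDP is enabled, whether Network Level Authentication is required, whether TCP 3389 is listening, and whether the inbound firewall rules are scoped to a source range or open to any address. It uses only standard Windows registry paths and NetSecurity cmdlets and is run in an elevated PowerShell on the server.

```powershell
# Added example, not the article's own code: report a host's Remote Desktop exposure.
# Run in an elevated PowerShell on the Windows server being checked.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means Remote Desktop is enabled
$rdpEnabled  = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0
# UserAuthentication = 1 means Network Level Authentication is required before a session starts
$nlaRequired = (Get-ItemProperty -Path $rdpKey).UserAuthentication -eq 1
# RDP normally listens on TCP 3389; a changed port is still exposed if the perimeter forwards it
$listening   = Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue

Write-Host "Remote Desktop enabled : $rdpEnabled"
Write-Host "NLA required           : $nlaRequired"
Write-Host "Listening on TCP 3389  : $([bool]$listening)"

# Enabled inbound allow rules in the built-in "Remote Desktop" group.
# RemoteAddress 'Any' means no source restriction: if the perimeter forwards 3389 to this
# host, the login prompt is reachable from the whole internet.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($addr -join ', ')
            Risk          = if ($addr -contains 'Any') { 'unrestricted source: scope to a management subnet or VPN' } else { 'scoped' }
        }
    } | Format-Table -AutoSize
```

These cmdlets only show the host side; whether TCP 3389 is actually forwarded from the internet is confirmed on the perimeter firewall or router configuration.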
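For item 3, the article's single Get-ADGroupMember "Domain Admins" check can be widened into a review of every domain-level admin group, including nested membership. This is an added example, not the article's own code; it assumes the ActiveDirectory PowerShell module (present on a domain controller or with RSAT), and the 90-day password-age threshold is a constructed value for illustration.

```powershell
# Added example, not the article's own code: review who holds domain-level admin rights.
# Assumes the ActiveDirectory module (domain controller or RSAT) and a domain user with read access.
Import-Module ActiveDirectory

# Groups that should contain no everyday user accounts on an SMB network
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups, so rights granted group-in-group are not missed.
    # Only user objects are kept here; computer and managed service accounts are filtered out.
    $users = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet, ServicePrincipalNames

    foreach ($u in $users) {
        # The built-in Administrator account always has a SID ending in -500
        $isBuiltIn = $u.SID.Value -like '*-500'
        if ($isBuiltIn)                     { $note = 'built-in Administrator' }
        elseif ($u.ServicePrincipalNames)   { $note = 'has SPNs: likely a service account, confirm it' }
        elseif ($u.Enabled)                 { $note = 'REVIEW: enabled user with domain admin rights' }
        else                                { $note = 'disabled' }

        $pwAge = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }

        [pscustomobject]@{
            Group           = $group
            Account         = $u.SamAccountName
            Enabled         = $u.Enabled
            LastLogon       = $u.LastLogonDate
            PasswordAgeDays = $pwAge
            Note            = $note
        }
    }
}

$findings | Sort-Object Group, Account | Format-Table -AutoSize

# Every enabled, non-built-in user account in these groups is a candidate for removal.
# 90 days is a constructed threshold for this example; use your own password policy.
$toReview = @($findings | Where-Object { $_.Note -like 'REVIEW*' })
$stale    = @($findings | Where-Object { $_.PasswordAgeDays -gt 90 })
Write-Host "`n$($toReview.Count) account(s) need review; $($stale.Count) have passwords older than 90 days."
```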