By Rich Kenney
Remember Chinese finger cuffs? Every time my kids put that silly thing on my two index fingers, I struggle to get it off. I pull, and it gets tighter. So then I push, and my fingers become trapped even further and the finger cuffs get tighter. It’s a catch 22. No matter what I do, it gets worse.
Recently, it was announced that the federal government has implemented a similar catch 22 for small businesses that are faced with the cybersecurity issue known as ransomware.
As you should know by now, ransomware is malicious software that blocks access to data files on a computer system by encrypting them so that they are not readable. Once the data is encrypted, the ransomware operator demands that the victim pay a ransom in exchange for access to the decryption key.
Most large businesses and corporations have sophisticated cybersecurity solutions to help protect against the damage that ransomware can cause. That said, when ransomware strikes certain small to mid-sized companies, havoc is wreaked. Many of those companies are less protected from a cybersecurity perspective and often are forced to pay the ransom to regain access to their data and proprietary company information. However, things have changed, and it gets even more complicated for businesses that end up having to pay the ransom.
On October 1, 2020, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to companies that pay a ransom in the wake of a cyberattack. The advisory warned that ransomware attack victims and third parties who assist these victims could violate federal law if they pay or facilitate the payment of a ransom to a sanctioned individual or entity — intentionally or otherwise. So, in other words, if you get caught paying a ransom to certain crime organizations, you are breaking a new federal law and can face enormous fines.
Punishing ransom victims seems odd and a bit cold, but the FBI believes that not paying ransoms at all may be one of the best ways to protect the public from these extortionists.
So what do you do if you are a victim of a ransomware attack?
If you pay and get your data back, you are potentially violating federal law. If you do not pay the ransom, your business grinds to a halt … but the FBI is not breathing down your neck for breaking the law.
This sounds eerily similar to the Chinese finger cuffs. Do you remember the easiest way to avoid getting stuck in the Chinese finger cuffs? You do not put them on in the first place. You become wiser and you don’t let your kids put them on your fingers at all.
We have had social media posts and updates throughout the month of October since it was Cybersecurity Month. But the same message still applies even heading into November. If you are a small to mid-sized business in Delaware, you need to take the necessary steps to prevent ransomware from entering your environment. Your goal should be to never put yourself in a position requiring you to make that awful choice between paying the ransom or breaking the law.
It’s really not too difficult for smaller companies to implement enterprise-class solutions at a reasonable price. You just have to understand that increased protections are now a requirement for protecting your company from the bad guys.
So, don’t put your fingers in the finger cuffs. Take steps to prevent becoming a victim of ransomware.