In the wake of the FTC’s September workshop on the same topic, the FTC recently published a blog article and short video to help businesses respond to the increasingly common digital threat of Ransomware. Ransomware is malicious software that invades a victim’s system and effectively holds the victim’s data hostage until the victim pays a ransom to the attacker to regain access. In addition to the obvious financial impact a business faces when it cannot access its computer systems, the FTC indicated that in some circumstances a company’s failure to update its systems and patch vulnerabilities known to be exploited by Ransomware could violate Section 5 of the FTC Act, for example where failing to maintain day-to-day systems denied “people critical access to services like health care in the event of an emergency.”
According to the participants in the FTC’s workshop, a company’s best defense is training so employees don’t fall victim to a phishing attack. The FTC further stressed regular malware scanning and maintaining up-to-date security patches, plus administration of security protocols like endpoint checks, email authentication, intrusion prevention software, and web browser protection. The FTC also encouraged backing up business-critical data disconnected from a company’s network.
TIP: This information from the FTC is helpful for companies looking for a roadmap of a regulator’s expectations for how to prepare for possible Ransomware situations.