Stay Protected Against Ransomware – Best practices to apply immediately

The following recommended measures should always be taken into account:

Back up regularly and keep a recent backup copy off-site.

There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.

Don’t enable macros in document attachments received via email.

Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!

Be cautious about unsolicited attachments.

The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s the one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.

Don’t give yourself more login power than you need.

Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you have administrator rights.

Consider installing the Microsoft Office viewers.

These viewer applications let you see what documents look like without opening them in Word or Excel itself. In particular, the viewer software doesn’t support macros at all, so you can’t enable macros by mistake!

Patch early, patch often.

Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit.

Keep informed about new security features added to your school applications.

For example, Office 2016 now includes a control called “Block macros from running in Office files from the internet” which helps protect you from external malicious content without stopping you using macros internally.

Open .JS files with Notepad by default.

This helps protect against JavaScript-borne malware by enabling you to identify the file type and spot suspicious files.

Show files with their extensions.

Malware authors increasingly try to disguise the actual file extension to trick you into opening them. Avoid this by displaying files with their extensions at all times.
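
As an added example (not part of the original article), the following read-only PowerShell audit checks three of the settings above on a Windows machine: visible file extensions, the program that opens .JS files, and the Office 2016 “Block macros from running in Office files from the internet” policy. It assumes Office 2016 (version key 16.0) with the policy applied per user; the function name Get-RegValue is a helper introduced here.

```powershell
# Added example: read-only audit, run as the logged-on user. It changes nothing.

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$results = @()

# 1. "Show files with their extensions": HideFileExt = 0 means extensions are shown.
#    A missing value means the Windows default applies (extensions hidden).
$adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = Get-RegValue $adv 'HideFileExt'
$results += [pscustomobject]@{
    Check = 'File extensions shown in Explorer'
    Value = $hide
    OK    = ($hide -eq 0)
}

# 2. "Open .JS files with Notepad by default": resolve the ProgID registered for
#    .js, then read its open command. A per-user "Open with" choice can override
#    this, so also confirm by checking the file's "Opens with" property.
$progId = Get-RegValue 'Registry::HKEY_CLASSES_ROOT\.js' '(default)'
$open   = $null
if ($progId) {
    $open = Get-RegValue "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" '(default)'
}
$results += [pscustomobject]@{
    Check = '.js files open in Notepad'
    Value = $open
    OK    = ($open -match 'notepad\.exe')
}

# 3. Office 2016 "Block macros from running in Office files from the internet":
#    the policy value is 1 when the block is enforced for that application.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $val = Get-RegValue $key 'blockcontentexecutionfrominternet'
    $results += [pscustomobject]@{
        Check = "$app blocks macros in files from the internet"
        Value = $val
        OK    = ($val -eq 1)
    }
}

$results | Format-Table -AutoSize -Wrap
```

Any row with OK = False is a setting to correct, ideally through Group Policy so it applies to every school machine rather than one profile.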

Join us for an informative webinar to learn about ransomware threats and how schools such as yours can stay secure against them. The webinar ‘How to Protect Against Locky and Friends’ is taking place on Thursday 23rd June 2016 – 12:00pm – 1:00pm BST.

Ask yourself these four questions before launching your data protection strategy

We’ve recently talked about some of the main reasons why you need to encrypt your data. And we showed you the potential consequences when your data isn’t encrypted.

So now that you’re ready to look more closely at encryption in your establishment, where should you begin?

Every educational institution is different, so there is no one-size-fits-all data protection strategy. Before you can put your strategy into an actionable plan, you need to answer the following four questions.

1. How does data flow into and out of your establishment?

Do you receive emails with file attachments, or send them out? Do you receive data on USB sticks or other removable media? How does your school store and share large amounts of data internally and externally? Do you use cloud-based storage services like Dropbox, Box, OneDrive, etc.?

What about mobile devices and tablets? According to a Sophos survey, the average technology user carries three devices. How do you rein in the wide range of devices that have access to data?

You should look for an encryption solution that is built to adapt to the way you use data and how data flows within an establishment.

2. How do your educational institution and its individuals make use of data?

What are your employees’ workflows, and how do they go about making their day-to-day jobs more productive? What tools, devices or apps do your students use and do any of those present a possible vector for data loss?

You need to understand how employees and students use third-party apps, and decide whether to prohibit what is often called “shadow IT,” trust the security of those systems, or bring development of these tools in-house.

3. Who has access to your data?

This topic can be both an ethical and regulatory discussion. In some situations, users should not ethically have access to certain data.

Worldwide, there are some data protection laws that stipulate only those who need data to perform their tasks should have access to it; everyone else should be denied. Do your employees have access to just the data they need to do their job, or do they have access to data they do not need?

4. Where is your data?

Centralized and mostly contained in a data center? Completely hosted in the cloud? Sitting on employee laptops and mobile devices?

According to a Tech Pro Research survey, 74% of organizations are either allowing or planning to allow their employees to bring their devices to their office for business use (BYOD). Employees are carrying sensitive corporate data on their devices when they work from home and on the road, increasing the risk of data leaks or compliance breaches. Think how easy it would be to access confidential information about your school if an employee’s smartphone gets stolen or misplaced.

Challenges and solutions

According to the 2015 Global Encryption & Key Management Trends Study by the Ponemon Institute, IT managers identify the following as the biggest challenges to planning and executing a data encryption strategy:

• 56% – discovering where sensitive data resides in the organization
• 34% – classifying which data to encrypt
• 15% – training users on how to use encryption

Unfortunately, there is no one-size-fits-all solution to these challenges. Your data protection plan must be based on your school: the type of data your school works with and generates, local regulations, and the size of your school.

Your school needs to understand how to comply with a clearly defined data protection plan and how to use encryption. They must be clearly told which data they have access to, how this data needs to be accessed and how they can protect this data.

Most importantly, you need to ensure that you can both offer and manage encryption in such a way that it doesn’t impact the school’s workflows.