HR Must Prepare for Increase in Ransomware Demands

Backing up files, training employees are paramount, experts say

Aliah D. Wright By Aliah D. Wright March 14, 2016

It's 9 a.m.

You sit down at your computer and log on.

Instead of the usual screen, a note pops up.

It reads:

Your Files are Encrypted
To get the key to decrypt files, you have to pay $500. If payment is not made before 24 hours, the cost of decrypting files will double to $1,000.

It gets worse. You're the person handling payroll—and payday is tomorrow.

Your IT staff says there's nothing they can do. Now, because you or someone in your organization clicked on something they shouldn't have, your company has to pay a fee to get your files back.

You've just been victimized by the cyber version of kidnapping. Ransomware, a type of malware, has infected your computer.

Hackers have used ransomware since the 1980s. Today, however, the chances of being involved in a ransomware security breach—and the ransom amounts—are increasing.

Last month, hackers demanded $17,000 from Hollywood Presbyterian Medical Center in Los Angeles to restore access to the hospital's e-mail and electronic health records—after infecting them with malware.

The attack seriously disrupted the business. For a week, patients were moved to nearby facilities and faxes were used to communicate.

Typical ransom amounts have ranged from $100 to $500 within the last six years. Experts interviewed by SHRM Online believe, and studies show, that ransom payments are likely to rise.

"I've heard of cases where they asked for ransoms as high as thousands of dollars," said Dodi Glenn, vice president of Cyber Security at PC Pitstop, a security software company based in Sioux City, Iowa.

"The sheer amount of costs to unlock your files has drastically increased" recently, he told SHRM Online.

Ransom costs started soaring since the FBI last year recommended that companies hit with the malware infections just pay the ransoms. The money is paid through an untraceable type of online currency called bitcoin. The ransom amount often rises if timely payment is not made.

In the case of the hospital attack, which was reportedly carried out by Turkish hackers who have threatened to continue to sabotage U.S. businesses, the hospital's files were held captive for a week.

More to Come

According to Spiceworks, a social networking site for IT professionals, 53 percent of IT professionals surveyed recently said they were concerned about ransomware breaches increasing in 2016. 

They should be.

According to a report released by the Institute for Critical Infrastructure Technology (ICIT), a Washington, D.C., cybersecurity think tank, "2016 will be the year ransomware holds America hostage."

In some cases, IT departments have been able to isolate the malware and retrieve files without having to pay. In other cases, they haven't.

ICIT reports that victims of the Cryptowall ransom attack reportedly paid more than $18 million between 2014 and 2015. Hundreds of thousands of users have been affected by CryptoWall. It has resulted in more than $325 million in damages worldwide. It was developed by Russian hacker Evgeniy Bogachev. He also created Cryptolocker, its predecessor.

The types of ransomware vary, as do delivery methods, which may involve social engineering schemes such as phishing e-mails or tricks to get people to click on fraudulent links.

"Ransomware is less about technological sophistication and more about exploitation of the human element," the ICIT report's authors state. "Simply, it is a digital spin on a centuries old criminal tactic."

Experts say businesses need to ensure that employees are mindful of their online behaviors and that computer files are backed up.

According to a press release, the Online Trust Alliance (OTA), a Bellevue, Wash.-based nonprofit group, "found that 91 percent of data breaches that occurred from January to August of 2015 could have easily been prevented by, for example, patching a server, encrypting data or ensuring employees do not lose their laptops."

Laptops present the greatest security risk. According to Spiceworks' aforementioned study, Battling the Big Hack, 81 percent of IT professionals said laptops—both company-owned and personal ones employees use for work—are most vulnerable to a breach. That's followed by desktops (73 percent), smartphones (70 percent) and tablets (62 percent).

In that same study, IT professionals said they were most concerned about vulnerabilities created when employees don't understand what constitutes, or aren't invested in avoiding, risky behavior when handling company data. IT professionals particularly struggle with limited end-user (or employee) knowledge about security precautions (69 percent) and resistance to using safeguards (57 percent).

"As companies amass larger quantities of diversified data and increase their reliance on third- party service providers, every business must have safeguards in place and be prepared to react strategically in the event of a breach," Neil Daswani, chief information security officer for LifeLock in Tempe, Arizona, told OTA. "Cybercriminals aren't just targeting companies that collect consumer data, they are going after confidential high-value data from legal, accounting, architecture and engineering firms."

Don't Forget to Back Up Data

Companies can mitigate some risks by backing up their data—saving files to a different hard drive in a secure location. It "should be normal best practice," Glenn said.

How often you need to back up your data "depends on what your environment is," he noted. "Backups can be done incrementally—once an hour or once a day" at least. "It makes no sense not to have a frequent backup because hard drives are relatively inexpensive." Using a third-party cloud provider to back up data is ideal.

What else can HR and IT do to defend company data?

"That always boils down to making sure all of the organization's hardware and software is properly updated with the latest software to mitigate these threats," said ID Theft Security CEO Robert Siciliano, whose security firm is based in Boston.

"Update the browsers, update the operating systems, update the critical security patches, and update anti-virus software," he told SHRM Online. "Make sure you have anti-virus, anti-phishing, anti-spyware and a firewall."

"Encryption is especially important since, without an encryption key, hackers cannot access encrypted data, and having your data encrypted may also mean, under most state laws, that your company will not have to notify consumers of a breach," added Laura Jehl, a partner and co-leader of the Privacy and Data Security practice in the Washington, D.C., office of global law firm Sheppard, Mullin, Richter & Hampton.

"Have a data breach plan in place that contemplates the possibility of a ransomware attack and addresses business continuity, communications and restoration from backups. Know who you would call first, and store that contact information somewhere outside your company's systems," she said.

Aliah D. Wright is an online editor/manager for SHRM. Reach her on Twitter @1SHRMScribe or on Facebook at aliahwrites.


Job Finder

Find an HR Job Near You
Search Jobs


The PMQ teaches managers to lead effectively, giving HR more time to meet the demands of the workplace.

The PMQ teaches managers to lead effectively, giving HR more time to meet the demands of the workplace.

Discover PMQ


HR Daily Newsletter

News, trends and analysis, as well as breaking news alerts, to help HR professionals do their jobs better each business day.