The Petya and WannaCry attacks have given companies a not-so-subtle reminder to back up data and gird their networks. Conscientious CEOs might also want to prepare for the worst in case they actually have to pay online extortionists.
One of the first tips that Fox Rothschild LLP cyber security lawyer Scott Vernick gives clients is to set up a Bitcoin account.
"It's just a tool in the arsenal," he said.
The idea is not to pay any ransom, of course, because your Chief Information Security Officer applied the software security patches, backed up the data and stored the backups where a virus could not reach them.
But circumstances may require companies to bend their principles and pay up.
"While discouraged and not particularly a place you want to go immediately, sometimes you have to go there," Vernick said, regarding paying ransoms. "You want to be ready to do that as opposed to run around and scramble to do it because obviously these people don't take cash and they don't take credit cards."
Bitcoins have grown pricier during the recent spate of attacks. The value of the digital currency has jumped from about $1,180 per Bitcoin in mid-April, prior to the WannaCry attacks, to nearly $2,600 on Thursday.
Given that the attackers behind Petya and WannaCry asked for just $300 per machine, the reserve does not have to be large. Companies might set aside $2,500 to $5,000, Vernick suggested.
Since the Petya and WannaCry attackers used vulnerabilities in Microsoft Corp.'s (MSFT) Windows, updating software and security patches is a starting point.
Backing up data is also crucial, Vernick added, but isn't enough. Companies need to segment the backed-up data and the credentials needed to access it away from the rest of the network. "There is no point in having a backup if it's on the same network that gets attacked," he said.
Likewise, companies should make sure they can restore data on the fly. "Depending on the complexity of the data and how it's organized and stored, and needs to be restored, it can be quite complicated," he said. "You won't know whether it works until you [conduct] a drill."
Editors' pick: Originally published June 30.
Staffers are a line of defense, but also a point of vulnerability. Hackers use social engineering (a sophisticated way of saying tricking people) to tempt workers into clicking on links that can launch malware into companies' networks. "Employee training is critically important and relatively cheap," Vernick said.
For all of the hype, Petya has not been a huge moneymaker for its authors. Victims have paid out about $10,400, according to a bot set up to track payments.
WannaCry victims have paid less than $135,000, Bitcoin-tracking group Elliptic Enterprise Ltd. reports.
The ransom and lost business may not be the only costs. Vernick noted that ransomware victims could face fines from the Federal Trade Commission and the Securities and Exchange Commission if they do not have appropriate protections in place. If patient information is compromised, the Department of Health and Human Services and the Office for Civil Rights can impose penalties under the Health Insurance Portability and Accountability Act.
Adding insult to injury, U.S. victims can stew over the fact that the cyber thieves in recent attacks have used tools for hacking Windows that the National Security Agency had stockpiled. A group called the Shadow Brokers hacked the NSA and made the exploits available online in April.
"It's pretty frustrating when people reach the conclusion, rather reasonably, that at least some of these tools are NSA tools," Vernick said.