has been grabbing headlines in recent months, with attacks starting in
countries such as the UK or Ukraine and then sweeping across the globe.
High-profile industries, such as healthcare,
have been targeted as victimized organizations vary from care providers
to equipment suppliers. But instead of piquing the interest of leaders
of small to mid-size businesses (SMBs), the attention devoted to
ransomware could be distorting perceptions of the overall malware threat.
proliferation of new malware strains is increasing year after year,”
Bitcoin blogger Matthew Tompkins recently posted. “Yet ransomware such
as WannaCry and Petya make up only a small percentage of the total types
of malware on the loose.”
As evidence of his assertion, Tompkins
offers statistics from a study by G DATA Security Labs. Per G DATA’s
findings, more than 6.8 million new digital malware strains were
detected in 2016, which was an increase of nearly 33 percent over 2015.
In the first quarter of this year alone, G DATA researchers detected
more than 1.8 million malware strains for a creation rate of one every
4.2 seconds. And as a proportion of this epidemic, instances of ransomware are relatively small.
Other forms of malware, such as Trojan viruses and adware, are much
more common and also inflict considerable damage to an organization’s
By sharing these findings, are we suggesting our
readers ignore ransomware as a cybersecurity issue? No. Instead, we’re
encouraging SMB leaders to see beyond one type of malware and consider
their exposure to the whole category. For example, can you answer these questions:
- How many assaults from Trojans and/or adware has our firm weathered this year?
- How vulnerable is your IT infrastructure to a distributed denial of service (DDoS) attack?
- How much does your staff know about recognizing phishing techniques – and the consequences of being hooked by one?
For a thorough, structured approach to recognizing cybersecurity risks, we advocate applying the Cybersecurity Framework
developed by the National Institute of Standards and Technology (NIST).
The NIST framework promotes five tenets for holistically managing
first, “Identify,” concentrates on assessing your situation to
determine your level of jeopardy and ability to improve your posture:
- Asset management – What cybersecurity resources – hardware, software, people – do we have in place? Which do we need to acquire? How many should be upgraded?
- Business environment – How are cyber crooks attacking our industry? Our type of organization?
- Governance – Are we compliant with regulations such as data breach notification (DBN) protocols?
- Risk assessment – Do you practice “risky IT management methods” that cyber criminals target?
- Risk management strategy – Have you developed a cybersecurity policy? If your answer here is “no,” then be sure to read the next installment in our Malware Manual series, “Building Your Cybersecurity Policy.”
Keep in mind as our “Malware Manual” series continues that aligning with the NIST framework
alone does not guarantee a cybersecure organization. Implementing
specific services, user education and best practices around
cybersecurity is what makes the difference.