Research Hub > How Risk Assessments Help Small Organizations Thwart Ransomware
Article
3 min

How Risk Assessments Help Small Organizations Thwart Ransomware

Every piece of data represents a potential target for attackers, but security services can reduce the risk.

GettyImages-1185271032hero
Everyone who works in IT is familiar with the phone call that I received from a friend last year: “Hey, Paul, you work with computers, right?” I braced myself, knowing that I was once again about to don the “friends and family” technical support hat that all of us are asked to wear from time to time. It turned out that this case was rather interesting.

The next day, I found myself having lunch with my friend and his pastor. The church they run had fallen victim to a garden-variety ransomware attack, but the impact was outsized due to the nature of the church’s operations.

Learn how CDW’s security assessments can help you uncover security vulnerabilities and plan better cyberdefenses.

You see, this church had an extensive fundraising operation designed to support a local homeless program and several other charitable ventures. The ransomware infection impacted all of the data used to solicit donations — and ground those important efforts to a halt. Fundraisers weren’t able to complete pending transactions or identify which donors were next in the pipeline of gift requests.

The pastor found himself asking a question familiar to anyone who suffers a ransomware infection: Should the church pay the ransom or walk away from some critical data? After an attempt to shame the attackers into providing the decryption key, the pastor was able to obtain a “discount” on the initial ransom request, and he then took the matter to his parishioners. The community decision was that paying the ransom might be distasteful, but it was the most effective way to get the church back up and running. The impact on the church’s charitable work outweighed the ethical implications of paying a ransom.

Many small nonprofits like my friend’s church fall into a common trap: the fallacy of thinking that they don’t have any important data that would attract attackers. In fact, they do have sensitive personal information about their constituents that would be quite useful to an identity thief. In addition, the ransomware business model allows attackers to profit from virtually any data that is important to an organization, regardless of whether it has other criminal value. In this world, every organization is a potentially lucrative target.

Identify Vulnerabilities to Avoid Becoming a Victim

Implementing some basic cybersecurity hygiene can prevent an organization from becoming the next ransomware victim. In addition to using basic anti-virus software, organizations should educate employees about the acceptable use of computing systems and the importance of not clicking on suspicious links in email messages. These efforts make employees aware that the organization is a target and that one wayward click can have significant ramifications.

CDW also offers two free services to our customers — including nonprofit organizations — that can help mitigate security risks. Our Threat Check service gives your network a free health check. We’ll monitor activity on your network for a couple of weeks using state-of-the-art security tools and then help you interpret the results. CDW solution architects can then work with you to design a remediation plan.

Turn to Security Experts You Can Trust

The second service that nonprofits should consider is our incident response retainer service, where we assign organizations a point of contact ready to assist in the event of a ransomware attack or other security incident. We don’t charge anything until the organization actually uses the service, but nonprofit leaders will have peace of mind knowing that trained professionals stand ready to assist in the event of an emergency.

Cybersecurity is a complex world, and it can seem overwhelming to small organizations. At CDW, our experts are ready to help organizations of all sizes build effective cybersecurity strategies.