I'm the sole IT person at my small company, handling everything from help desk tasks to programming. Recently, we faced a ransomware attack because our previous consultant failed to renew our antivirus for several months. Since then, we've implemented Cylance AV and set strict policies on our servers and user endpoints, but it still didn't stop the attack. I'm really frustrated and want to prevent this from happening again. We've got solid backup strategies, so we can restore our data, but I need suggestions on what additional security measures to implement. What steps can I take to ensure this doesn't happen again, and what should I be looking for to identify any potentially infected computers?
5 Answers
Sometimes, you have to assume everything is compromised. With stable backups in place, consider doing a clean reinstall of your systems. This approach eliminates the risk of lingering threats and helps you rebuild securely from scratch.
It sounds a bit harsh, but you might benefit from bringing in a professional cybersecurity firm to help secure your environment. It’s difficult for one person to cover all bases, and a team with experience handling incidents like this could significantly enhance your defenses.
Cylance AV might not be enough on its own, so consider integrating an Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR) solution like CrowdStrike or SentinelOne for better protection against encryption attempts. It's also crucial to find out how the breach occurred—was it through VPN access or user phishing? Make sure to enforce MFA where possible and tighten up your security policies to avoid any more holes in your defenses.
They could still be inside your systems, so be thorough with your investigations.
Also, try adding a budget-friendly option like Huntress for smaller company needs.
Understand that antivirus is just one layer of security. A multi-layered strategy is ideal, which includes user education to prevent attacks like phishing. Make sure your users don’t have unnecessary privileges and consider employing a Security Information and Event Management (SIEM) solution for better monitoring and response capabilities.
Good point! User behavior is key in cybersecurity.
After an incident, it’s crucial to perform a detailed post-op analysis. Determine the source of the breach, whether users have admin access, and if your VPN is secure. Was Cylance running on the infected systems, and how did the virus bypass it? You might need to reconsider your security tools if they aren’t doing their job effectively.
However, it's essential to have proper policy and logging in place to investigate this after the fact.
This is the right mindset, especially if you're dealing with repeated breaches!
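The question asks what to look for to identify possibly infected machines, and the last answer stresses having logging in place beforehand. As an added example (not code from any poster in this thread), here is a small Python triage script that runs two common ransomware heuristics over a constructed endpoint log: shadow-copy deletion commands and bursts of file writes with an unfamiliar extension. The log format, host names, extension list and thresholds are assumptions to adapt to your own EDR or SIEM export.

```python
import ntpath
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample endpoint log (not real data): "<ISO timestamp> <host> <PROC|WRITE> <detail>"
SAMPLE_LOG = r"""
2024-03-01T09:00:01 WS-07 PROC cmd.exe /c vssadmin delete shadows /all /quiet
2024-03-01T09:00:05 WS-07 WRITE C:\Users\bob\Docs\q1.xlsx.locked
2024-03-01T09:00:06 WS-07 WRITE C:\Users\bob\Docs\q2.xlsx.locked
2024-03-01T09:00:06 WS-07 WRITE C:\Users\bob\Docs\memo.docx.locked
2024-03-01T09:00:07 WS-07 WRITE C:\Users\bob\Docs\plan.pptx.locked
2024-03-01T09:00:08 WS-07 WRITE C:\Users\bob\Docs\notes.txt.locked
2024-03-01T09:10:00 WS-12 WRITE C:\Users\ann\report.docx
2024-03-01T09:10:30 WS-12 PROC winword.exe /n
2024-03-01T09:11:00 WS-12 WRITE C:\Users\ann\report.docx
"""

# Deleting shadow copies / the backup catalog is a well-known precursor to encryption (MITRE ATT&CK T1490).
SHADOW_COPY_DELETION = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|wbadmin\s+delete\s+catalog", re.I)
# Extensions considered normal for this environment (assumed list; tune to your own file servers).
COMMON_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png", ".exe", ".dll", ".log"}

def parse(line):
    ts, host, event, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, event, detail

def find_suspect_hosts(log_text, window_seconds=60, write_threshold=5):
    """Return {host: [reasons]} for hosts whose events look like ransomware activity."""
    reasons = defaultdict(list)
    odd_writes = defaultdict(deque)  # host -> timestamps of recent writes with unusual extensions
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event, detail = parse(line)
        if event == "PROC" and SHADOW_COPY_DELETION.search(detail):
            reasons[host].append("shadow copy deletion: " + detail)
        elif event == "WRITE":
            ext = ntpath.splitext(detail)[1].lower()
            if ext in COMMON_EXT:
                continue
            q = odd_writes[host]
            q.append(ts)
            while ts - q[0] > window:  # drop writes that fell out of the sliding window
                q.popleft()
            if len(q) == write_threshold:  # report once, when the burst first crosses the threshold
                reasons[host].append(f"burst of {write_threshold} '{ext}' writes within {window_seconds}s")
    return dict(reasons)
```

Hosts it flags are candidates for isolation and forensic review, not proof of infection; a legitimate backup job or a user renaming files in bulk can trip the write heuristic, so keep the extension list and thresholds tuned to what is normal on your network.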