“Ransomware attacks have become so commonplace among the general population and critical infrastructure organizations that it’s difficult to go a week without hearing about a new variant or victim who has fallen prey to this rapidly evolving mechanism of attack.” So begins the new, 27-page report from the Institute for Critical Infrastructure Technology (ICIT), which acts as a conduit between the private sector, federal agencies, and the legislative community in the U.S. But make no mistake, cyberattacks know no geographical boundary. “It’s a huge area of concern and it’s just becoming bigger,” says Rebekah Mohr, a cybersecurity expert with Shell. “The smaller oil and gas companies are realizing it’s a big issue and we can’t get enough trained people.” She advocates for general processes and standards to be shared to improve the entire community. And there’s lots of work for you to do in-house, too. Here, a primer.

How to protect your company from a cyberattack

Google says ransomware “is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.” So the bad guys don’t actually want to do anything with your information, they just don’t want you to be able to do anything with it either. Until you pay the ransom, that is, usually in Bitcoins. So what should you do? 1. First, make sure you back up your data regularly and keep that backup in a secure and digitally isolated location. 2. Then, imagine your network as a house. Every door and window is a potential pathway through which information (noise, light), objects (dust particles, baseballs), or people can enter. Similarly, any system or access point in which data is stored or through which information can enter or leave your network is known as an endpoint. Vulnerable endpoints include users, personal computers, servers, mobile devices and SCADA systems. Just like you might want locks, an alarm system and perhaps a guard dog to protect your home, your IT will similarly have different needs. 3. Next, do a risk assessment. The solutions depend on your size and budget, and how much risk you’re willing to assume. Every system is a potential ransomware risk, but not every organization is a likely target of some more sophisticated attacks. And every small and medium-sized business does not need the same solutions as a Venture 250 company. Might be best to bring in an outside analyst for the risk assessment, with the plan to carry out recommendations in-house. 4. Execute on those recommendations, and understand that you’re never done with cybersecurity. “Organizations often fail to realize that information security is not a static field. It is a process,” wrote the authors of the ICIT report. “The threat landscape surrounding every organization that processes, transfers, or stores data, is a constantly shifting and evolving nebulous mist that conceals cyber predators who might be small, large, foreign, domestic, simple, or sophisticated. Do not make the mistake of believing that endpoint security is unnecessary because either you are not worth targeting or because the adversaries are not capable of bypassing your defenses.”