How we use SF in our company

I work for a company where we are trying to implement SF methods. Here is our story.

We are a small company with around fifty office workers. Several months ago our computer systems were breached by an advanced ransom Trojan like Osiris. It encrypted our client’s database and many other important documents. That was a big blow for us. We had to pause most of our business processes to deal with that ransomware attack. We started to disinfect our computers and restore data from backups. IT guys did their best, but due to some technical glitches, our backups got spoiled. We were not able to restore our files. That could ruin our business. Top managers decided to pay the ransom. Eventually, hackers sent the decryption key, and we could decrypt 95% of files.

This was an eye opening experience. That case showed how quickly our business could be destroyed. Although we had up-to-date antivirus software and other infosec precautions, the virus still managed to penetrate our systems.

Some of our managers visited SF seminars and suggested to apply new methods to prevent future cyber-attacks.

So, we started to ask ourselves questions like - what do we want. We found that we want to be safe from all computer viruses and ransomware in particular. Our computer networks should be better protected by technical means, and our employees should become an additional cyber-defense line.

Evaluating our position on the success scale, we found some positive indicators. Our computers and systems were protected relatively well. All software programs were regularly updated. Antivirus flagged rare viruses. Workers did not spend time surfing the dark sides of the Internet, even social networks were forbidden.

To choose an optimal solution, we knew that we should consider and evaluate all possible measures and ways. We saw that to achieve our goals we should start moving in two main directions.

First – to enhance the security of our computers by adopting more complex and sophisticated virus detection mechanisms. Second – run a security training program for our users. We decided to break both approaches into smaller parts.

One of the best and widely used methods to strengthen your cyber security is to buy, set up and tune complex endpoint security solutions that should include intrusion prevention modules and many other additional systems. This is a great approach, but it is not cheap, it requires time and human resources to set up and tune it.

We wanted to find something that we already have, something that can be done quickly by taking small steps. We set this task to our IT team. Studying the matter, they begin to come up with simple solutions. It is not necessary to enumerate them all here, but you should know that Microsoft systems offer plenty of ways that allow you enhance your virus protection. You can:

Turn off Macros and ActiveX

Disable Volume Shadow Copy Service

Disable Windows Script Host

Disable Windows PowerShell

Define Software Restriction Policies

Again, It is just a small example of what can be done to Windows systems that you already have. You should start to evaluate which of these controls you do not need in your daily business routine work, turn them off one by one and gradually increase your protection. It is simple, it is cheap, and it proved to be working. Many virus authors rely on default Windows settings, so tweaking some of them may substantially increase your security posture. 

Another vector of our efforts had to do with our users, workers who click on links and surf the web. We wanted them to be prepared for virus attacks and know what to do in case online breaches happen. We probed theoretical courses of security awareness. We could not measure the success of those training sessions. We wanted something more practical, hands-on type.

And we came up with one simple and great technique. We wanted our users to quickly identify and stay away from viruses. We decided to deliberately put them into the risky environment. We informed our users that we are going to send fake phishing emails and instant messages to all workers and they should identify and report those malicious messages. Every week three workers would receive monetary prizes for being the most effective in identifying viruses.

It turned into a game which quickly paid off. During the first week, several threats reported by our employees were real-world viruses and not the fake ones sent by our IT staff. We constantly measured this phishing click-through rate. It was 35% in the beginning. Now it is 75% and growing.  

For now, we are making our first tiny steps implementing solution focused approaches in our company. We want to rebuild all our business processes to better serve our clients. We started applying SF in cyber security. We identified several ways to achieve our goal, broke them in small but effective steps which started to move things forward. Now we see that it is working and bringing positive changes. We want to move on and extrapolate SF to other spheres of our business.