In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Roy Zur.
Roy Zur is a cyber intelligence expert and founder and CEO of ThriveDX Enterprise (formerly known as Cybint Solutions), the software as a service arm of ThriveDX. ThriveDX is a global education company committed to transforming lives through digital skills training and solutions.
Zur has more than 15 years of experience in cybersecurity and intelligence operations within the Israeli Defense Forces. As a former Cyber Intelligence Major, Zur was responsible for developing learning methodologies and cybersecurity training for people and organizations.
Since then, he’s developed cyber education and training programs and technological solutions for companies, educational institutions, and government agencies around the world. Zur also serves as an adjunct professor of risk management in cybersecurity for the MBA-AI program at Reichman University and is the founder and chairman of The Israeli Institute for Policy and Legislation non-profit.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Israel, where my passion for all things cybersecurity was instilled in me early as I joined the Israel Defense Forces (IDF) after high school. I was placed in Unit 8200, which focuses on Cyber Intelligence, and one of my main roles was to train incoming cadets to become cyber experts in a matter of months. Israel has been the world’s leader in cybersecurity, and being on the ground floor of disruptive advancements in cybersecurity fueled my passion and interest and prepared me for future success. During my time in the IDF, I leveraged my passion for cyber to create innovative learning methodologies that taught cadets how to become advanced Cyber and Intelligence Specialists. Prior to founding and leading ThriveDX SaaS (formerly Cybint), I received law and business degrees, and served as a legal adviser in the Israeli Supreme Court.
Is there a particular story that inspired you to pursue a career in cybersecurity?
During my service, I was exposed to a specific cyber attack that targeted critical infrastructure of one of our international allies. This attack aimed to shut down the power system of a big region in Europe during a cold winter, and risked thousands of lives. From this attack I’ve learned how cybersecurity can be a matter of life and death, and how countries are weaponizing cyber tools to develop cyber warfare capabilities. This inspired me to develop a career in this field.
Can you share the most interesting story that happened to you since you began this fascinating career?
There are hundreds of interesting stories that happened during the two decades of my career in cyber intelligence and security. I can’t choose one story that represents it all, because the most exciting part is the journey itself. So, the story keeps writing itself every day.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
I often encourage those that I work with to challenge me and be outspoken about their opinions and ideas even if that means disagreeing with me or my opinions. I also strive to have humility and be self-aware because I know that those qualities, combined with encouraging my team to challenge me, create the best products and ideas — products and ideas that combine the minds of several experts to produce something greater than I could have come up with alone.
In addition, I encourage my team members to think out of the box, to tackle challenges in creative ways, and even when we fail we should “fail forward.” In that case, we learn from our mistakes and keep trying until we succeed. So, the most important character traits to me are:
(1) Independent thinking and creativity; (2) Self-awareness and humility; (3) Perseverance.
Are you working on any exciting new projects now? How do you think that will help people?
Yes, I’m excited to say there are several exciting projects in the works that are being developed to help companies and their employees. Our company, ThriveDX, offers Security Awareness Training which includes on-prem deployment and full customization. This training prepares employees to recognize malicious intent and phishing attacks in order to effectively avoid cyber threats and keep their organizations safe.
Additionally, we offer an accelerated Cybersecurity Bootcamp that reskills individuals from other fields and prepares them for an entry-level role in cybersecurity. Cybersecurity is the fastest-growing field in tech and the industry has had 0% unemployment for decades. Anyone heading down this career path will have ample opportunities that could be life-changing with how competitive employers are getting to bring on cyber professionals.
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?
Before becoming CEO at ThriveDX Enterprise, I was a Major in the Israel Defense Forces Cyber Intelligence Unit, known as the global hub for cybersecurity expertise and talent. One of my responsibilities as a Major was to train all of the incoming recruits, most of whom were just out of high school, to become masters of cybersecurity in only a few months of training. Part of the training includes Ransomware, and strategies behind recovering your data, reputation, and more.
Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?
There are many types of Ransomware attack methods, all still surrounding the basic definition of the attack itself — malicious software that infects the computer, network, or software and blocks access to important information until the victim delivers payment. Here are the most popular types of Ransomware:
Crypto ransomware, which may be obvious in the name, encrypts the data being held hostage, and it cannot be freed without a decryption key. This is the most common attack method, with popular cases including Petya, CryptoLocker, and GoldenEye.
Ransomware as a Service (RaaS) where the perpetrator becomes a customer of the cyber criminal by paying for access to ransomware like they would a subscription. Even prices are adjusted by the complexity of the software itself.
Locker Ransomware is similar to Crypto where the information is blocked out, however it’s usually the system and not specific data. Often it’s accompanied with a countdown clock to increase urgency.
Who should be most concerned about a ransomware attack? Is it primarily businesses or private individuals?
Cybercriminals have always focused on big targets (namely enterprises), but in recent years, they’ve increased the frequency with which they’ve gone after individual users too. While no business is safe from ransomware, the lion’s share of ransomware attacks hit the governmental, manufacturing and industrial, and medical sectors most. The science and education sector, as well as the retail industry, continue to remain targets for ransomware attacks too.
Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?
The first thing companies or individuals should do once they’re aware they’ve fallen victim to a ransomware attack is alert their local FBI office or police department. By reporting the incident, victims will have a better shot of retrieving their files without paying ransom. Plus, reporting ransomware attacks to law enforcement is good practice anyway, since the more accurately cyberattack incidents are reported, the better law enforcement and cybersecurity providers know what they’re up against.
If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?
First and foremost, any company that’s fallen victim to a ransomware attack should immediately turn off and disconnect all infected company devices from the network to contain the breach, and then from there alert all necessary parties. Additionally, they should shut down any shared drives temporarily as they continue to monitor the breach to see if it spreads. From here, companies can look for the source of the ransomware by surveying users and employees, finding out-of-date software, or anything blatantly unusual. Companies should also reimage their servers and applications, as well as deploy their cloud recovery plan, should they have one in place. By completely wiping every storage device, companies can ensure that there aren’t any lingering traces of ransomware before they begin to restore their data.
Should a victim pay the ransom? Please explain what you mean with an example or story.
As a rule of thumb, you should never pay a ransom, since there’s no guarantee the cybercriminal or criminals will actually release your data back to you once they’ve secured the payment. In fact, most of the time the majority of companies who pay ransom don’t ever receive their data back in return. Even then, when adversaries do restore data, they typically only restore an average of two thirds of it.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
For starters, as obvious as it seems, most companies don’t invest enough upfront in improved cybersecurity because they didn’t first make a business case that accounts for risk and impact. In other words, instead of weighing the cost of a security breach, they only weighed the cost of cybersecurity investment. Another thing companies tend to miss the mark on when it comes to ransomware is deploying active, around-the-clock anti-ransomware protection; traditional daily backups and standby systems aren’t enough to restore lost data in ransomware attacks. Instead, companies should invest in robust backup and DR defense strategies that generate immutable backups, leverage a myriad of storage media, and include multiple restore points. Some companies also don’t readily test their cybersecurity defenses, so that they can account and plan for a number of worst-case scenarios should one happen in real life. Lastly, a company’s cybersecurity strategy is only as strong as its weakest link. If employees aren’t up-to-date on cybersecurity detective and preventive basics, all it takes is one malicious email opened by an unsuspecting employee for cyber criminals to get their hands on sensitive data.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
To limit the impact a ransomware attack has on an organization, companies, governmental agencies, and tech leaders alike should solidify an incident response plan that accounts for a multitude of “what if” scenarios. In the plan, organizations need to clearly define each person’s role and the flow of communication, including alerting necessary third-party contacts and employees. As part of this plan, companies should also provide security awareness training to their employees as well as create a logging system wherein employees can report suspicious activity. In addition to that, cloud services can help mitigate attacks, since they store unencrypted versions of data. If companies don’t invest in cloud services, they should store their data out-of-band or offline. Unused RDP ports also pose significant risk to organizations. Another way companies can prevent malware attacks is by closely monitoring and limiting connections to only trusted hosts on Server Message Block port 445 and Remote Desktop Protocol port 3389. Intrusion Detection Systems (IDS) are also useful in preventing ransomware attacks, since they provide daily updates and routine alerts on potentially malicious activity.
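The monitoring step in the answer above, as an added example that is not part of the interview: a small checker that reads connection log lines and flags allowed inbound SMB (445) and RDP (3389) connections whose source is not on an allow-list of trusted hosts. The log format, the trusted networks, and the sample lines are all constructed assumptions.

```python
# Added example (not from the interview): flag allowed SMB (445) / RDP (3389)
# connections that did not originate from trusted hosts, per the advice of
# limiting those ports to trusted hosts only. Format and networks are assumed.
import ipaddress
from typing import Dict, List

# Assumed allow-list: an admin subnet and a single jump host (constructed values)
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.5.0/24", "192.168.100.10/32")]
WATCHED_PORTS = {445: "SMB", 3389: "RDP"}

# Constructed sample log: "<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
SAMPLE_LOG = """\
2024-03-01T08:00:01Z src=10.0.5.21 dst=10.0.9.4 dport=3389 action=allow
2024-03-01T08:00:07Z src=203.0.113.77 dst=10.0.9.4 dport=3389 action=allow
2024-03-01T08:00:09Z src=10.0.5.21 dst=10.0.9.4 dport=443 action=allow
2024-03-01T08:01:12Z src=198.51.100.5 dst=10.0.9.8 dport=445 action=allow
2024-03-01T08:01:15Z src=192.168.100.10 dst=10.0.9.8 dport=445 action=allow
2024-03-01T08:02:00Z src=198.51.100.5 dst=10.0.9.8 dport=445 action=deny
"""

def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict of its key=value fields plus the timestamp."""
    ts, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    fields["ts"] = ts
    return fields

def is_trusted(src: str) -> bool:
    """True if the source address falls inside any allow-listed network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)

def find_untrusted_access(log_text: str) -> List[Dict[str, str]]:
    """Return allowed SMB/RDP connections whose source is not on the allow-list.
    Denied connections are skipped: the firewall already blocked them."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        port = int(f["dport"])
        if port in WATCHED_PORTS and f["action"] == "allow" and not is_trusted(f["src"]):
            alerts.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"],
                           "service": WATCHED_PORTS[port]})
    return alerts

if __name__ == "__main__":
    for a in find_untrusted_access(SAMPLE_LOG):
        print(f"{a['ts']} {a['service']} from untrusted {a['src']} to {a['dst']}")
```

Run against the constructed log, it reports the RDP session from 203.0.113.77 and the allowed SMB connection from 198.51.100.5; the later denied attempt from the same host is not reported.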
Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why?
Between deploying data backups and recovery plans to maintaining up-to-date antivirus software, there are a number of things companies and individuals should do to protect themselves from ransomware attacks.
The majority of cybercrime is caused by unsuspecting employees or individuals who aren’t well-versed enough in cybersecurity to know how to spot cyber threats in their tracks. With that, the best way people can protect themselves from ransomware attacks is by investing in reputable, routine security awareness training. Investing in training human capital is the best way to stave off ransomware attacks, since ransomware gangs are keenly aware that employees aren’t up-to-date on new and improving ransomware tactics. Ideally, the more hands-on training, cyber attack simulations, and pre- and post-training assessments the security training provides, the better equipped people will be when it comes to spotting ransomware in its tracks and the better informed companies are about their ransomware risk level.
Everyone should invest in anti-malware and antivirus software. Just as it’s important to invest in cybersecurity awareness training, fortifying one’s network — ideally using a centrally managed solution — will alert people of malicious activity, inform them of unresolved issues, and stop unauthorized forwards from executing.
Companies and individuals alike should store and maintain encrypted backups of data offline. Since ransomware attacks target backup data too, everyone should also maintain gold images of critical systems so that they’ll be prepared if they have to deploy software applications to rebuild a system.
In order to best prepare for a breach, individuals and companies need to establish a cyber incident response plan that outlines what to do in the instance of a ransomware incident. This plan should include everything from notification procedures to chain of command in the event of a crisis. In addition to establishing this plan, it’s important that people exercise and practice this plan, so that they’ll be better prepared for a real-life crisis should one ever arise.
Companies and individuals that routinely conduct vulnerability scans on their internet-facing devices are more protected against ransomware than those that don’t scan and address vulnerabilities within their systems. By updating software and OSs and ensuring that security features are enabled on all devices on a regular basis, people can limit their attack surface and proactively protect themselves from threat actors.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be?
If I could inspire any movement, I’d want to help fix the skills gap within cybersecurity. Year after year, the cybersecurity skills gap continues to widen as the demand for cybersecurity skills exceeds the number of trained and qualified cyber professionals available. As cybercrime increases in frequency, organizations around the world aren’t doing enough to address and solve the dramatic talent and skills shortage within cybersecurity. In addition to the talent shortage in cyber, there’s also a problematic disconnect between cyber sectors and business sectors within an organization — which only worsens the cyber skills shortage. Lastly, companies don’t take cybersecurity seriously enough as-is, and I’d want my company’s efforts to help organizations globally understand why it’s not only crucial but urgent that they invest in cybersecurity today.
How can our readers further follow your work online?
Readers can follow my work online by following me on Twitter (@zur_roy), following me on LinkedIn, where I post about upcoming conferences I’m speaking at, publications I’m featured in, and more, or by following me on Forbes, where I post industry-relevant articles. In addition to that, I routinely write content for ThriveDX.