How to avoid million dollar ransoms
Updated: Jul 19, 2021
In the past few weeks, we have seen numerous reports of “ransomware” attacks. The most notable is probably the Colonial Pipeline. Attackers got hold of one password for one system and were then able to get into many other systems. So much so that they not only shut down the operation but attempted to collect $5 million in ransom to return control to the business operators. Many Americans across the country felt the impact of that shutdown, and it started with an operational breach.
More recently, Scripps in San Diego suffered a similar fate. Details are still in short supply, but attackers again got access to one system and were able to gain control of many other systems. In this case they were able to gain access to hundreds of thousands of patients’ identifying and medical information. Both of these companies are now facing multi-million-dollar class-action lawsuits.
These attacks were not very sophisticated, yet they took down very large organizations. While there is no way to guarantee protection from these types of attacks, there are some best practices you should introduce into your course of business right away. We’d like to share a few ideas to get started on your cybersecurity checkup.
Keep All of Your Software Up to Date
This list starts with an obvious one, but it’s arguably one of the most important. Any time there is a software update, especially for something core like Windows or macOS, make time to apply it.
Software is complex. That means it is always going to be imperfect. Researchers and security experts are constantly finding new “holes” in software, and software companies are constantly patching those holes. All the while, hackers are looking for people running out-of-date software, because they know exactly which vulnerabilities are still open there. Ignoring software updates is like leaving your house with the lights on, windows and doors open, and nobody home.
If you’re using licensed, on-premises software, like an ERP from SAP, that requires a service contract or has other monetary costs to upgrade, this is a great time to consider moving to cloud-based software. Cloud-based software sold on a recurring subscription basis has many benefits over its on-premises competitors. We will save the full list for a later blog post, but the most relevant one here is that you’ll always be on the most up-to-date and secure version of the software. By moving to the cloud, you are effectively outsourcing most of the patching burden to the software provider.
Be Careful What You Share on the Internet
There are many charmingly fun viral quizzes such as “What Transformer are you?” or “What superhero are you based on your birthday” or the ever popular:
These are only designed to collect personally identifying information. They seem innocent, cheeky, and friendly, but if you’re answering on Facebook, consider this: anyone reading your comment, even if the original poster is someone you trust, can probably reset one or two of your passwords, because those same answers (birthday, first pet, mother’s maiden name) are what password-reset security questions ask for.
Even scarier are social quiz apps that you download or install, designed to do the same thing. These memes are built to be engaging and give you the hope of going viral. The reality is that you’re showing the public your ATM PIN code without even knowing it.
Make Security Every Employee’s Responsibility
Security, both physical and digital, is every employee’s responsibility. It’s important to work this into your everyday work culture. Usually this takes the form of training, when new hires start and ideally on an ongoing basis. While it may be hard to make sure that all staff go through some form of security training, it will always be cheaper than dealing with a loss of business.
Training will make your staff feel more empowered and qualified to surface any concerns to management. As more employees go through training, you can build a culture where every employee is thinking about security. Security is one of those rare scenarios where more people working on the project can make a big difference. No list on the internet, no highly paid consultant, indeed no piece of software can beat a highly trained and coordinated workforce. When every employee is on the lookout for issues or breaches, your business will be far less susceptible to cyberattacks.
The training should help staff recognize what most people refer to as “hacking” and, possibly more importantly, what industry insiders call “social engineering” attempts, and, crucially, teach staff the correct response to each situation.
“Social engineering” refers to the practice of creating awkward or tense social situations designed to trick employees into divulging sensitive information. This could be anything from mass phishing emails to very targeted, so-called “spear phishing” phone calls or emails. Making your employees aware of how these attempts work and having a process for responding to them should be covered in new-employee onboarding as well as recurring training.
Some industry best practices include:
Not opening or downloading attachments from people you don’t know
Calling back anyone who asks for money or sensitive information, using a number you already have on file rather than one supplied in the request
Double- and triple-checking a website’s address before submitting any information online
Encouraging staff to check back in with their managers to ensure a request is legitimate
For staff with broader access to sensitive information, systems, and so on, you may consider further training and possibly access to software tools that let them manage and share passwords securely.
The reality is that most hacks are not very sophisticated. They usually start with out-of-date software, social engineering, or a physical security breach. Having a properly trained and prepared staff is the most commonly misunderstood and undervalued aspect of digital security.
Stop Managing Passwords
A significant majority of cyberattacks start with a compromised password. In 2020, on average, it took companies 197 days to discover a breach and up to 69 days to contain it. Passwords are the easiest starting point because most can be guessed, reset, or even stolen and then used without your knowledge.
Passwords are also hard to remember, and if you have a tendency to reuse the same password over and over again, you are particularly vulnerable. Consider using Single Sign-On where available. Single Sign-On (SSO) lets you manage fewer passwords. If you are using Microsoft, Google, or Apple cloud services, chances are you can use that same account as an SSO provider for other popular services.
In cases where SSO is not an option, or you haven’t migrated to cloud-based services yet, fear not. There are other options. Okta is a business-focused “identity management” platform. Okta gives management one place to administer users for almost all of your cloud-enabled applications, so you can create, manage, and revoke user accounts and passwords for all of those services in one place.
Moving to a password manager also improves security. These tools help with generating and sharing passwords with employees more securely. They shouldn’t require any changes to your workflows, since they are available as browser plugins, desktop applications, and mobile applications. Similar to SSO, you create and manage one password for the “vault,” and the service offers to generate a strong, unique password for each of your applications.
Going one step further, you can add two-factor authentication (2FA for short). 2FA is considered the industry standard for securing your web-based accounts. 2FA requires your username, password, and then a second form of verification. Typically this is a randomly generated, time-sensitive one-time code. The code might be sent to your verified email address, texted or read out to a phone number, or generated by a separate application or device; where the service offers it, an authenticator app or hardware device is the stronger choice, since phone numbers can be hijacked. Okta offers an app for this. Authy from Twilio and Google Authenticator are popular, free options as well.
In our modern, always-connected world, cybersecurity is a constantly looming threat. Reading the news makes it sound like everyone will get hacked one day. The reality for “hackers” is that it’s a pure numbers game. Similar to those spam calls we all get about our expired car warranties, hackers cast a wide net.
A hacker might not call or email you, but they will visit your website and try to find any open doors. They will attempt to log in to the services your employees use. They will try to reset passwords. It’s almost guaranteed that they will find logins for these services, since most of them use employee email addresses. Once they see, however, that they can’t reset the password or get in quickly, they are more likely to move on to the next target.
So far we’ve outlined some of the first ways to protect yourself, your employees, and your business from these threats. The more you do to protect your business and make it harder for bad actors to get in, the less likely they are to keep trying. To that end, you should also have a response plan: schedule frequent, offline backups of critical systems and data, and periodically test that you can actually restore from them. Being able to respond to any cyberattack quickly could be a key differentiator for your business.
Obviously, if a hacker shuts down your day-to-day operations, that will directly impact your bottom line, but it could impact your bottom line in another way as well. Business liability insurers are beginning to take notice and ask to see what tools, training, and policies business owners have in place to protect against cybercrime. You don’t need a Chief Security Officer or Chief Technology Officer to have a good cybersecurity policy and response plan.