Salisbury likens it to an “arms race” and said attackers have an advantage. They need only find a limited number of places where an organization is vulnerable to intrusion, whereas business owners must focus on all aspects of running the company, including cybersecurity.
Experts are particularly concerned about the recent rise in hacks through third parties, like last year’s attack on Texas-based information technology company SolarWinds. Hackers, believed to be working for Russian intelligence, put malicious code in a software update distributed by SolarWinds to its customers, giving the hackers access to data across a broad range of government and business computer networks.
“The bad guys are going to be coming up with new tricks all the time,” Salisbury said. “The organizations that I think are at greatest risk are small to medium businesses and local governments. They live in the same threat area as larger firms or the federal or state governments but don’t have anything like the resources a large multinational bank might have.”
JPMorgan Chase bank spends $600 million a year on cybersecurity, according to its April 2019 letter to shareholders. While that is far more than smaller companies need to spend, cybersecurity experts warn that no company should assume all it needs is a firewall and anti-virus software.
“You do have vulnerabilities and you do have data and information that is valuable to these threat actors,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center, a nonprofit that tracks publicly reported incidents of compromised personal information and consumer data in the U.S.
Ransomware attacks disproportionately affect small businesses, according to cybersecurity firm Coveware. Seventy-three percent of ransomware attacks in the first quarter of this year happened to organizations with 1,000 or fewer employees, according to the Connecticut-based company.
In addition to installing protective software on computer networks and using virtual private networks for remote work, the experts said companies should do regular backups of their data and store a copy off site. They should immediately update all computers, servers, and other equipment and software when security patches are issued by suppliers and manufacturers. It is also critical to have robust password protocols requiring 12-15 letters and special characters, limit data access only to employees who need it and require multifactor authentication.
“The No. 1 thing is training your employees,” Elder said. “We are trying to create a culture of cyber warriors, if you will. Security-aware employees.”
It is also crucial to have a business continuity plan with a pre-defined team assigned to respond to an attack. The plan should include an inventory of data and how it is stored and lay out exactly how to contain a breach, eradicate malware and recover from the incident, the experts said.
A business owner operating on a thin margin might be reluctant to spend money upgrading cybersecurity.
“It doesn’t cost as much money as paying a ransom, that’s for sure,” Velasquez said. “For smaller businesses it’s just recognizing that this is your responsibility, too.”
Expensive attacks proliferate
Last year, the FBI Internet Crime Complaint Center received 2,474 complaints of ransomware attacks that collectively cost the victims more than $29.1 million.
Ransomware is the term used when hackers use malicious software — or malware — to infect a computer network, locking out the owner by encrypting the data. The hacker demands money in exchange for a key to restore access and agreeing not to publicly release or destroy stolen data.
It’s impossible to know exactly how many businesses were hit by ransomware attacks, as owners often keep the attack secret and broad gaps exist in reporting requirements, which experts say hinders efforts to battle the problem.
But known ransomware attacks worldwide increased by nearly 60% in 2020 and more than 12 billion records were compromised, according to Canalys, a Singapore-based technology market analyst firm.
In the U.S., at least 2,354 governments, health care facilities and schools were victims of ransomware attacks in 2020, according to a new report by Emsisoft, a New Zealand-based cybersecurity firm.
“The attacks caused significant, and sometimes life-threatening, disruption: ambulances carrying emergency patients had to be redirected, cancer treatments were delayed, lab test results were inaccessible, hospital employees were furloughed and 911 services were interrupted,” according to the Emsisoft report.
The FBI and the Identity Theft Resource Center recommend against paying ransom, but Velasquez acknowledged that is a hard choice for a company facing disruption of its business, reputation damage, and loss of intellectual property and customer data.
“The system doesn’t work if you don’t pay the ransom. And if you have redundancies, you can weather the storm,” Velasquez said. “So encouraging the companies to not pay the ransom is because if we can destroy the business model, then this goes away.”
The highest ransom amount demanded in 2020 was $30 million and the highest paid was $10 million, according to Palo Alto Networks’ Ransomware Threat Report. That payment was eclipsed by the $11 million in cryptocurrency JBS paid after the May ransomware attack, believed to be by Russia-based cybercriminals, that led to the temporary shutdown or disruption of the company’s meat-packing plants.
Colonial paid $4.4 million in cryptocurrency after the ransomware attack by a different Russia-based gang led it to temporarily shut down its pipeline, prompting panic buying of gas and fuel shortages along the Eastern seaboard.
Cryptocurrency has a reputation for being difficult to trace, but the FBI recovered about $2.3 million of the Colonial ransom money.
“That’s been my principal concern: the cryptocurrency,” said Kyle Jones, associate professor and chairman of the computer science and information technology department at Sinclair Community College. “It has ramped this up big time. It’s on its way to becoming a billion dollar enterprise because of cryptocurrency.”
The cybercriminals, some of whom rent out their ransomware to other hackers, even offer help-desk services to companies who don’t know how to pay with cryptocurrency, Salisbury said.
The average ransom paid more than doubled last year to $312,493 and the average payment in 2021 as of May 14 — before the JBS attack — rose to about $850,000, according to retired Army Maj. Gen. John Davis, who is vice president of public sector for Palo Alto Networks, a California-based cybersecurity firm.
“They’re not just going after the big boys anymore,” said Eric Brown, a managing partner at D9 Technologies in Englewood. “And the ransoms that they are hitting them with are not small.”
Data breaches do not always come with a ransom demand. Often hackers working for criminal groups or as agents of foreign governments are after the data to use or sell: Social Security numbers, credit card numbers, logins and passwords or confidential business information.
In 2020 there were 1,108 data breaches or exposures of unsecured information, impacting nearly 301 million people, according to the Identity Theft Resource Center’s annual breach report. That’s a 41% increase in incidents from 2015, according to the center.
“Ransomware and phishing attacks directed at organizations are now the preferred method of data theft by cyberthieves,” according to the resource center’s report. “Ransomware and phishing require less effort, are largely automated, and generate payouts that are much higher than taking over the accounts of individuals.”
Phishing is a fraudulent email or web site where the fraudster pretends to be a legitimate business or person. An increasing number of thefts of company data come from criminals armed with personal information, like stolen logins and passwords, according to the center’s Q1 2021 Data Breach Analysis report.
“The exposure of user names and passwords is particularly harmful because of the gateway it opens up,” Velasquez said. “Why go to the trouble of infiltrating a system and going past all of their security protocols when through things like phishing emails I can just get your user name and password and log right in and walk right in the front door. The thieves they are a crafty lot but they also like easy.”
Companies can protect themselves
Vulnerabilities are everywhere. Effective cybersecurity involves layers of protection and recognition that employees are both the first line of attack and defense.
“Most attacks, they start at a user. They start with an employee,” Jones said.
A cybersecurity expert who responded to the Colonial Pipeline Co. ransomware attack told Bloomberg that the hacker used an employee’s compromised username and password to hack in through an account that did not require multi-factor authentication, according to a June 4 article in Bloomberg.
An email that looks legitimate may contain a document or link that downloads malware if the user clicks on it. Fake websites or social media accounts may also contain dangerous links.
In 2020 the FBI’s internet crime center received 19,369 business email compromise complaints, scams that involved transfers of funds and a loss of $1.8 billion.
Brown said D9 Technologies helped a company that had used a wire transfer to pay a six-figure fake invoice to someone posing as a supplier using an elaborate combination of a spoofed website and personal phone calls.
Other times the cyber attacker will employ what is called a “brute force” attack, submitting multiple logins and passwords, or look for unpatched vulnerabilities that allow the hacker to gain administrative privileges and run rampant inside the network.
Elder said his company monitors the dark web for compromised employee passwords. His company also runs constant scans on clients’ networks, looking for anomalies that might signal a breach or an attempt, with a goal of containing any breach to the target computer before it spreads.
Training employees and testing them with fake phishing attempts is also a common practice of cybersecurity companies. Employees who click on the fake email links receive additional training on identifying that an email is not legitimate.
“So if we continuously see Jane in accounting is clicking on these suspicious emails, we’re going to lock her down. She is a threat to the company and the organization,” Elder said. “She needs to have some extra layers of security placed between her and the company and the job she’s doing to ensure we are not at higher risk for cyberattack.”
Someone will always be looking to exploit technology to commit crimes, Velasquez said, so while the problem will likely not go away, it can be better managed to reduce the harm.
Elder said companies can have hope because there is much they can do to thwart attacks.
“At the end of the day, hackers are lazy. They are looking for low-hanging fruit. They’re looking for out-of-date machines, out-of-date applications. They’re looking for the easy passwords. They’re looking for vulnerable employees through email,” Elder said. “If you are exercising some of the basic cybersecurity best practices, you are significantly less at risk for a cyberincident.”
|Cybersecurity best practices|
|Employee cybersecurity awareness training|
|Install firewall and anti-virus software|
|Replace equipment and software that is out-of-date|
|Install security patches and updates immediately|
|Do frequent and duplicative backups|
|Have a written cyberattack response plan |
|Install virtual private network |
|Scan emails before they go to employees|
|Change passwords frequently|
|Use multi-factor authentication|
Here are links to the full Dayton Daily News cybersecurity series of stories:
Follow @LynnHulseyDDN on Twitter and Facebook