In a recent TEPAN (Technology Executives Peer Advisory Network) meeting, our tech leader members were on the receiving end of a sobering presentation regarding ransomware and other cyber threats from Brian Dykstra, President and CEO of Atlantic Data Forensics.

Brian and his team spend their days – and nights and weekends – on the front lines of the cybersecurity wars, working with organizations to mitigate damage from ransomware, data breaches and other cyberattacks, providing forensic services and even expert witness testimony. In short, they are very much up to date on the current cyber threat landscape, and the dangers are probably greater than you think.

Part of what you already knew is correct: over roughly the past year the increase in cyber incidents, fueled by the pandemic and remote working environment, has been staggering: ransomware attacks alone are up some 311%.

Much of the other current tribal wisdom about cybercrime and protecting your organization from it, however, is incorrect or incomplete. Here’s a summary:

The cost: Published statistics show an average cost of $33,000 to recover from a ransomware attack. Brian reports that in reality, a typical ‘small’ attack carries a cost of roughly $100,000, and Atlantic has encountered incidents with a seven-figure price tag.

There are costs beyond the dollar figures as well. Conventional wisdom says that it takes about a week to recover from a ransomware incident. Brian says that a month is more typical. And even more worrisome, some 60% of small businesses fail to survive the first year after an attack. And that’s with “small business” defined as 5,000 employees or fewer.

Your backups will protect you. Thieves are holding your data for ransom? No problem if you have current backups to restore, right? Wrong. The disturbing and underreported trend here is the morphing from ransomware to extortionware. These bad actors no longer play ‘keep-away’ with your vital data, they threaten to publish it if ransom demands aren’t met. Your contracts, your financial data, your employees’ personal information … all up for grabs on the dark web if you fail to comply.

Also on the dark web, the bad guys are teaming up, with Ransomware as a Service (RaaS) now in play. In other words, the hacker who penetrates your defenses doesn’t need to create ransomware … he can buy it from others.

Ransomware usually stems from a phishing attack. You’ve probably been led to believe that most attacks happen when an unsuspecting employee clicks a link in a legitimate-looking email. More often, outdated infrastructure is the point of entry: unpatched VPNs or (especially in the pandemic environment) hastily-deployed remote working solutions. Microsoft’s Remote Desktop Protocol is a frequent culprit here.

It’s also interesting – and chilling – to note that most attacks are not immediate. Hackers will typically spend two to three weeks exploring your systems, understanding your network architecture and figuring out where the important data lives before launching the actual attack. And that launch typically happens somewhere between late on a Friday night and early on a Saturday morning.

Ransomware is the only game in town. There’s more to worry about than ransomware. Small businesses in particular – due to little or no email security – are especially vulnerable to ACH fraud phishing, which requires very little skill on the part of the hacker, and no malware. It’s typically a business email compromise (BEC) and works like this:

The criminal breaks into a mailbox, typically at upper management level, and explores the user’s contacts and procedures. The company’s clients then receive an email from that manager stating that the organization has changed financial institutions and that they should direct payments to a new bank.

This creates two major issues: billing cycles being as they are, the theft often goes undiscovered for 60 to 90 days, while any hope of recovering misdirected funds vanishes after roughly 72 hours. Worse, the victim is in a position where they generally can’t go back to the client, who has already paid the bill in good faith.

Cybercrime is an IT issue. Brian emphatically notes that a ransomware attack or other incident is not a failure of IT, but an overall management failure at multiple points and on multiple levels. These failures range from not providing adequate budgets to clinging to outmoded technology in an effort to appease employees or clients. The organizations that get it right are those who avoid the silo mentality and foster good relationships between CIO/CISO and the other C-level leadership.

What to do? How can an organization best protect itself and send the bad actors off in search of a softer target? The answers lie in three main areas:

Perimeter control: Firewalls and VPNs should be regularly updated, and set up to block inappropriate access and provide complete logging. If you do business only within the U.S., turn on Geo-IP filtering to block overseas access. And chances are that your server needs to connect only to a limited number of sites. Whitelist those sites and block all others.
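The two perimeter controls above – Geo-IP filtering of inbound access and an egress allowlist of the handful of sites a server actually needs – are usually enforced in the firewall itself, but the decision logic is easy to state and check. The following Python script is an added illustration, not code from the presentation or from Atlantic Data Forensics. It evaluates a few constructed connection-log lines against a hypothetical policy (allowed destination/port pairs, permitted countries, and a tiny stand-in for a Geo-IP database using documentation address ranges) and records an allow/block decision with a reason for every connection, which is the "complete logging" the paragraph asks for.

```python
"""Evaluate perimeter policy (egress allowlist + Geo-IP filter) over firewall log lines.

Added example. The policy, the Geo-IP table and the log lines are all constructed;
a production deployment would express the same rules in the firewall's own ruleset.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical egress allowlist: the only (address, port) pairs this server may reach.
ALLOWED_EGRESS: Set[Tuple[str, int]] = {
    ("203.0.113.10", 443),  # hypothetical payment-processor API
    ("203.0.113.20", 443),  # hypothetical software-update mirror
    ("192.0.2.53", 53),     # hypothetical upstream DNS resolver
}

# "We only do business within the U.S." expressed as a permitted-country set.
PERMITTED_COUNTRIES: Set[str] = {"US"}

# Constructed stand-in for a Geo-IP database (documentation ranges, not real geolocation).
GEOIP_TABLE: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "ZZ",  # placeholder for a country outside the footprint
}

# Constructed log format: timestamp, direction, source and destination socket addresses.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) dir=(?P<dir>in|out) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Decision:
    ts: str
    direction: str
    remote: str     # the non-local side of the connection
    dport: int      # destination port of the connection
    action: str     # "allow" or "block"
    reason: str     # always recorded, so every decision is auditable


def lookup_country(ip: str) -> Optional[str]:
    """Return the country code for ip from the stand-in table, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP_TABLE.items():
        if addr in net:
            return country
    return None


def decide(line: str) -> Decision:
    """Apply the perimeter policy to one log line and return the decision."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    f = m.groupdict()
    dport = int(f["dport"])

    if f["dir"] == "out":
        remote = f["dst"]
        # Egress: only allowlisted destination/port pairs, everything else is blocked.
        if (remote, dport) not in ALLOWED_EGRESS:
            return Decision(f["ts"], "out", remote, dport, "block",
                            "destination not on egress allowlist")
    else:
        remote = f["src"]

    # Geo-IP filter applies to both directions; unknown countries are not permitted.
    country = lookup_country(remote)
    if country not in PERMITTED_COUNTRIES:
        return Decision(f["ts"], f["dir"], remote, dport, "block",
                        f"geo-ip: {remote} is in {country or 'unknown'}")
    return Decision(f["ts"], f["dir"], remote, dport, "allow", "matches policy")


def review(lines: List[str]) -> List[Decision]:
    """Evaluate every non-empty log line and return all decisions."""
    return [decide(line) for line in lines if line.strip()]


def blocked(decisions: List[Decision]) -> List[Decision]:
    """Filter to the decisions that would have been blocked: the review queue."""
    return [d for d in decisions if d.action == "block"]


# Constructed sample log: one permitted egress call, one unexpected egress call,
# an inbound RDP attempt from outside the permitted country, an inbound HTTPS
# connection from inside it, and an egress call to an allowed host on the wrong port.
SAMPLE_LOG = """\
2021-05-14T23:12:03Z dir=out src=10.0.0.5:51522 dst=203.0.113.10:443
2021-05-14T23:12:09Z dir=out src=10.0.0.5:51530 dst=198.51.100.77:443
2021-05-14T23:13:41Z dir=in src=198.51.100.9:40211 dst=10.0.0.5:3389
2021-05-14T23:14:02Z dir=in src=203.0.113.88:40300 dst=10.0.0.5:443
2021-05-14T23:14:30Z dir=out src=10.0.0.5:51544 dst=203.0.113.10:8080
"""

if __name__ == "__main__":
    for d in review(SAMPLE_LOG.splitlines()):
        print(f"{d.ts} {d.direction:3} {d.remote}:{d.dport} -> {d.action} ({d.reason})")
```

Running the script prints one line per connection; three of the five constructed entries are blocked, and each block carries the rule that triggered it. The design point is that the allowlist is keyed on address and port together, so an allowed host on an unexpected port is still denied, and that the Geo-IP check treats an address the database cannot place as not permitted rather than silently allowing it.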

2FA/MFA: The time for worrying about inconveniencing your employees with 2-factor or multi-factor authentication has passed … there’s too much at stake. Require 2FA/MFA, and that includes your system admins … and your Linux systems. This combined effort will stop many BEC exposures.

Patches: All operating systems and applications need to be patched regularly, as does your core infrastructure including VPNs and firewalls. Don’t forget IoT items like cameras and phone systems. They’re often more of a hassle to patch and update, but are also frequent points of entry.