One password. That’s all it took for hackers to breach the Colonial Pipeline system, effectively shut down the company’s pipeline supplying fuel to the East Coast and keep it shut down until a ransom of nearly $5 million was paid. With as many as 65,000 ransomware attacks projected to hit U.S. entities in 2021, some experts say it’s not a matter of if, but when, a business will be targeted.
“Ransomware is a form of malware,” says Brad Rowe, CEO and chairman of the board of Fort Myers-based cybersecurity company Cigent. “It can be a bot that will go and do reconnaissance on the network, oftentimes for weeks or even months, to find out where the important assets are. And then it launches its attack at the appropriate time. A classic malware or ransomware attack would … encrypt your sensitive data. Now, they’ve encrypted this data and then you’ll get a message [that says] ‘We want 40 Bitcoin to send you the encryption keys so that you can get your data back.’ In most cases, when people do pay the ransom, they do get the keys back, but you’re still never assured that that malware isn’t continuing to sit on your network somewhere undiscovered.”
In the crosshairs
While many regulated industries may be less at risk of cyberattack due to mandated security controls, virtually any other business with its own network could be a target for cybercriminals. For companies that aren’t actively taking precautions, the risk can be even higher.
“The ones that are more at risk are companies that really kind of have that ostrich effect; they bury their heads in the sand. They don’t think it’s a problem,” says John Schlager, CEO and co-founder of Inceptus, a Cyber as a Service (CaaS) company in Cape Coral. “You’ve got to put in these controls to really layer those defenses for your organization. Endpoint protection, email phishing protection, monitoring. Making sure you’re watching the security controls. Making sure you’re configuring a property. Making sure you’re patching your machines. General cyber hygiene. The people that are doing that, and see that as a need for their organization, are going to be less at risk.”
Though many companies have traditionally relied on their IT departments to enforce network security, the rapidly evolving nature of today’s malware and ransomware most often requires one or several employees dedicated strictly to cybersecurity. However, until businesses pay more attention to cybersecurity, and pay higher salaries to cybersecurity professionals, those positions may be difficult to fill.
“IT departments are almost universally overworked and understaffed,” Rowe says. “And they’re having to deal with so many fundamental problems like, ‘I can’t print’ or ‘My internet connection is down,’ so sometimes the cyber stuff gets pushed down the stack. It’s very hard for the IT departments to get and retain seasoned, dedicated security professionals. Those people typically want to work at cybersecurity companies; the cybersecurity companies tend to pay more. The cyber business is going so quickly, where would you rather work? At a company making steel pipes, in their cybersecurity group, or … at Crowdstrike and get stock options?”
On the home front
Even with proper defense protocols and cybersecurity personnel in place, both Rowe and Schlager agree that a company’s risk for cyberattack extends well beyond the office walls. The increase in work-from-anywhere business models has essentially added what Schlager calls “a completely new frontier to the security risk paradigm of an organization.” And the best way for a business to reduce that risk, he says, is to secure its network, at the office and anywhere else employees may access it.
“Do basic cyber hygiene. Follow a framework to reduce risk over time,” Schlager says. “To stay vigilant, organizations and their employees should microsegment their home networks and separate their assets. Add to this normal best practices from security controls, such as patching, next-gen antivirus, firewalls and data backups to make sure there is defense-in-depth on home networks and their assets. Protection is king, you have to do it. [Those are] the only things that are going to help us defend against ransomware and other malicious software.”