If the recent ransomware attack on the Colonial Pipeline showed us anything, it is how vulnerable every business is. So how do you fight back against an unseen enemy?
On April 30, an article on the BBC News website was titled “The ransomware surge ruining lives.” Few articles could have been more prescient, as evidenced by the attack on the Colonial Pipeline and the ensuing panic about gas shortages.
According to the FBI, “nearly 2,400 US companies, local governments, healthcare facilities, and schools were victims of ransomware in the last year.” Rather than a terrorist organization’s attempt to bring a country to its knees, these attacks are run by criminal gangs and are all about making money. What makes them so insidious is how easy they are to pull off. Criminals don’t have to worry about breaking into control systems that likely sit behind substantial firewalls and other protections. They just have to find the right back door…and that back door could be one of your employees who became an unwitting target of the group.
In the case we’re all talking about, according to the NY Times, federal officials and private investigators noted the ransomware occurred within the back-office operations of Colonial Pipeline. In this case, according to the Times article, “a criminal actor who, in trying to extort money from a company, ended up bringing down the system.” It certainly didn’t help that Colonial’s cybersecurity efforts were sorely lacking.
At this point, it is not known exactly how DarkSide, the hacking group, got into the system, but many ransomware attacks succeed through methods that trick employees into opening attachments, clicking links, or handing over credentials that give the attackers the entry they need.
COVID-19 has made a bad situation much worse.
With so many people working from home, often on their own devices and over their own internet connections, the protection around them is far weaker than it would be at the office. People may be using the same device to browse Facebook as they do to open the latest financial statement or company email. This opens up wide possibilities for criminals whose understanding of human behavior may be even more sophisticated than their knowledge of computer systems.
That is why it is essential for companies to educate their employees on the threats posed by these groups. Obviously, each business should also be upgrading their own cybersecurity efforts but without the cooperation of informed employees, even the most advanced system can be breached.
So, what can a company do?
There is no way you can stop a hacker from trying to infect your system, whether with ransomware or another form of malware. But you can make it as difficult as possible for them to use your employees as the way in:
Educate your employees – Teach them how “phishing,” “spearphishing,” and social engineering attacks occur and what to look for. Tell them to NEVER open an attachment or click on a link until they have verified that the sender is legitimate. Hackers will often pretend to be someone in authority…possibly a supervisor requesting private information. Or a vendor…or a charitable organization. These attempts are increasing considerably. Check the actual sender address, not just the display name: attackers register look-alike domains (a digit 1 in place of a lowercase l, a missing letter) and set a Reply-To that points somewhere else entirely. Better yet, tell employees that if they’re not sure…call the sender using a number they already have, not one in the email. If something feels wrong, it probably is.
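The sender checks described above can be automated as a first filter before a message ever reaches an employee. The following is an added example, not code from the original post; it assumes the company’s real domain is example.com (a placeholder) and uses three constructed messages: a legitimate one, one whose display name impersonates an executive address, and one from a look-alike domain with a stray Reply-To.

```python
import email
from email.utils import parseaddr

# Assumption: the company's own domain. Replace with the real one.
TRUSTED_DOMAINS = {"example.com"}

# Characters attackers substitute to build look-alike domains.
_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Fold common homoglyph tricks so examp1e.com compares equal to example.com."""
    return domain.lower().translate(_SINGLE).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter-off domains (example.co)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()

    # 1. A display name that looks like an address but does not match the real one.
    if "@" in name and name.rpartition("@")[2].lower() != domain:
        findings.append(f"display name claims {name!r} but real address is {addr!r}")

    # 2. Sender domain is not ours: is it a look-alike, or merely external?
    if domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 2:
                findings.append(f"look-alike domain: {domain} resembles {trusted}")
                break
            if trusted in domain:  # e.g. example.com.evil.test
                findings.append(f"trusted name embedded in {domain}")
                break
        else:
            findings.append(f"external sender domain: {domain}")

    # 3. Replies would go to a different domain than the one shown in From.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To {reply_to!r} differs from From domain {domain!r}")

    return findings


# Constructed sample messages (not real mail).
LEGIT = "From: Jane Doe <jane@example.com>\nSubject: Q2 numbers\n\nAttached.\n"
SPOOFED_NAME = 'From: "ceo@example.com" <attacker@mail.test>\nSubject: urgent\n\nWire this now.\n'
LOOKALIKE = (
    "From: IT Support <helpdesk@examp1e.com>\n"
    "Reply-To: attacker@other.test\n"
    "Subject: password reset\n\nClick here.\n"
)

if __name__ == "__main__":
    for sample in (LEGIT, SPOOFED_NAME, LOOKALIKE):
        print(check_sender(sample) or ["no findings"])
```

The display-name check only works on the quoted form a mail client actually produces; note that `parseaddr` on an unquoted `ceo@example.com <attacker@mail.test>` would return the fake address, which is one more reason to show employees the raw address rather than trusting what the client renders.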
Institute ongoing training – Hackers keep changing their attack modes, so what employees had to look out for last year may no longer be the biggest concern. It’s important to be aware of the trends taking place and how to recognize them. There are providers that just focus on this, so if you feel your company does not have the resources to handle this internally, investigate utilizing a third party.
Provide company devices – If your employees are working remotely, and if the business can afford it, ensure they work on company-managed devices that reach company systems through a VPN, rather than on personal devices over the individual employee’s home connection.
Set a sane password policy and use two-factor authentication – Require at least eight characters and screen new passwords against lists of known-breached passwords. Forcing employees to change passwords monthly is older advice that current guidance (NIST SP 800-63B) recommends against, because it pushes people toward predictable variations; change a password when there is reason to believe it was exposed, and prefer length over mandatory mixes of symbols and cases. For remote workers especially, two-factor authentication is the bigger win: at login the employee must also supply a one-time code, either sent to a phone number or email address registered in advance or generated by an authenticator app. An authenticator app or hardware key is stronger than SMS or email codes, which can be intercepted or redirected, but any second factor is far better than none.
Conduct your own “fire drill” attacks – Whether you use in-house resources or a third-party provider, test whether your employees have been paying attention. A simulated phishing or social engineering attempt shows how employees react in the middle of a busy workday. A word of caution: if employees fall for these attempts, use it as a teaching moment, not a “gotcha” moment. Even the most knowledgeable IT people can fall for a clever phishing scheme.
As I stated earlier, you won’t stop the attempts to get at your data and systems, but there’s no reason to make it easy for the bad guys.
Read my earlier blog on the importance of cybersecurity.