Oh, the things we’ve seen … that can happen to anyone!
April 17, 2018
by Chad Paalman, CEO, NuWave Technology Partners
Editor’s Note: Join SBAM & NuWave Technology Partners for an upcoming webinar to learn more about protecting your small business.
My entire career and business have been dedicated to the communications and information technology industry, designing and implementing IT solutions. In working closely to support people and their organizations with IT, I’ve learned a lot and I’ve seen a lot. I credit all the highly skilled professionals with whom I work every day for our success in supporting our clients, getting them out of binds but mostly preventing the incidents that would otherwise have gotten them into those binds. I also credit the entire NuWave staff for what I share with you in this article about today’s state of cybersecurity.
Bad things can (and do) happen to good organizations.
To understand how we can prepare and guard ourselves, let’s start by considering the source. Our greatest threats and vulnerabilities come from inside the organization. When it comes to cybersecurity, humans are the weakest link.
In the 2016 Cyber Security Intelligence Index, IBM found that 60% of all attacks were carried out by insiders, with three-quarters involving malicious intent and one-quarter involving inadvertent actors (hackers). At the time of the report in 2016, the top reporting industries were manufacturing, financial services, and healthcare. But beware, every organization has one common denominator – people!
Additionally, the cybersecurity landscape is ever changing. The increased use of technology and the internet as tools to run more and more connected parts of our organizations, growing access to software and apps for hacking, and the increased sophistication of email phishing and artificial intelligence all can stack up against protecting our digital and financial assets.
There is growing evidence of this changing landscape in the increase in attacks and breaches on small and medium businesses. In the Ponemon Institute’s 2017 State of Small & Medium-sized Business Security, 61% had experienced a cyber-attack and 54% experienced a data breach. Those numbers are up from 55% and 50% respectively in 2016. Especially striking is the growth in ransomware attacks. In 2016, 2% of reporting businesses categorized their cyberattacks as ransomware, and in 2017 that jumped to 52%.
The things we’ve seen
Stating that we are only human may not be the best line of defense. We are busy building and running our businesses. Our eye is focused on what it takes to serve our customers, bring money in the door to make payroll, manage operations and reduce costs. Security is often an afterthought or not thought of at all. Taking measures to implement security solutions and practices takes time, time away from the business. It often comes down to convenience over security, lack of budget for necessary improvements, or maybe just apathy and laziness.
Or maybe we feel we are not targets. As reported in the Ponemon Institute’s study referenced above, 51% of 1,000 companies surveyed felt they were too small to fall victim to a ransomware attack. Our industry experience certainly discredits that thinking.
We polled our organization to identify and share just two incidents that demonstrate bad things do happen to good organizations.
Bad thing #1
A medical practice we consulted with in the past refused to take recommendations focused on network security. These recommendations covered their network security policies, tightening down who had network access, and investments in ‘basic’ network security infrastructure.
This refusal was due in part to frugality and complacency. The owners’ thinking was that there had not been a breach, so everything must be fine. Everything changed one day when our support desk received a phone call from their office manager indicating that “something funny was going on.” We immediately discovered that they had been infected with Cryptolocker.
The post-breach review confirmed the threat actor had gained access to the medical practice via their multifunction copy machine. The medical practice had provided their copy machine company with a network account to connect the multifunction copy machine to the network. They used a very weak password, and it was via this network account that the threat actor (hacker) gained full access to their network. A forensics report determined the threat actor had full access to the medical practice’s electronic health record system housing patient information, their financial system and other sensitive data on the network. Despite this level of access, the actor ‘only’ put ransomware on the network.
Unfortunately, this is a story where the risks and threats were known prior to a security incident and could have been avoided. However, investments were not made due to frugality and complacency.
Bad thing #2
We were continually challenged by a small business that would not follow our recommendations and prescriptions for implementing acceptable use policies, including password guidelines. The CEO opted to choose convenience over security. Consequently, one employee’s company email and password were compromised while the employee was working on public WiFi. The public WiFi had been compromised by an actor performing a man-in-the-middle attack. What came next was the result of a great deal of work and research on the part of the actor to launch a highly effective email spear-phishing attack. This actor had studied the organization and the individuals so well that they were able to send an administrative support person an email appearing to come from the CEO. The email between the CEO and CFO consisted of a request to set up an urgent wire transfer of $150,000 to Hong Kong. It was the most authentic-looking email we have seen. Thank goodness the admin went to the CFO for assistance with the wire transfer. The CFO, of course, immediately identified the bogus request. Bad thing #2 averted.
The things we can do
Stay tuned for more blog posts to help with ways to prepare, prevent, detect, and respond. In the meantime, I will leave you with one good piece of news. Password procedures just became a whole lot easier. The new password guidelines from the National Institute of Standards and Technology (NIST) now state that passwords no longer require special characters or a minimum use of case, numbers, or letters. They also do not need to be changed nearly as often as previously recommended. The longer the password, the harder it is for a human or robot to crack. A secret phrase as a password is easier to remember and at the same time can be less vulnerable to being hacked.
For example: WhensmallbusinessesbandtogetherthroughtheSmallBusinessAssociationofMichigantheyachievemorethantheycouldontheirown
Be secure, my friends!