What do Target, Equifax, Marriott International, World Health Organization, Colonial Pipeline, JBS USA and Kaseya have in common? All are victims of cybersecurity attacks or breaches and prove that no one is completely protected.
Colonial Pipeline’s hack, which shut down the pipeline for several days and resulted in payment of a $4.4 million ransom (approximately $2.3 million of which was recovered by the FBI), was the result of just one compromised password. The lack of multifactor authentication made it even easier for the hackers to access the network. Kaseya’s attack came by way of a security vulnerability in its Virtual System Administrator (VSA) software product; it halted operations for 10 days and put its entire supply chain of vendors and their clients at risk.
Experts say this is an epidemic that will only get worse unless bolder actions are taken. The Biden administration recently announced the development of an interagency task force to confront and disrupt cyber threats. Demand is skyrocketing for cybersecurity professionals too, including in the Department of Homeland Security. Closer to home in South Jersey, Rowan University’s Center for Cybersecurity Education and Research is fostering the education of these future experts.
“As these experts become more in demand, it opens up the job market and most universities are responding with cybersecurity majors,” says Alex Alborzfard, a cybersecurity professor at Rowan who has 30 years’ experience in the IT industry. “Technology is advancing so quickly and by the time you secure it, there is another advance that could potentially expose more flaws, so businesses need people who know about the latest tech and how to secure it.”
The Risks are Real
Despite the prevalence of attacks, a lack of concern exists. “Companies will say, ‘We’re not big enough. We have more important things to worry about,’ and meanwhile their whole operations rely on digital service. Hackers know this and can attack a company that may not be large or lucrative, but can be used as a jumping board to other things,” says Alborzfard.
One of the most notorious examples of a company downplaying its own risk came from Home Depot. Prior to its breach in 2014 that compromised more than 50 million credit cards, former Home Depot employees reportedly brought security concerns to managers’ attention and were told: “We sell hammers.”
Clearly, even a company selling hammers is at risk. “Cyberattacks are constantly occurring. Be it phishing emails that are stopped by your spam filter or the employee who wisely decides not to open it or deliberate attacks against your network infrastructure. These attacks don’t discriminate!” says Darren Crane, president of DLC Technology. “We see them across all our customers, luckily very, very few are successful. Of the companies I personally know of that fell victim to an attack, one was less than five employees and the other about 20. In one case our tools stopped and reversed the attack before real damage was done. (The other example was not a customer at the time.)”
Cyber criminals are more sophisticated now too. The stereotype of one person sitting in their basement is outdated, says Eric Williams, president and CEO of NorthStar Technology Services.
“[It] has now turned into a viable industry with sales teams, offices, managers, technology programmers, and so on. The tools that have been developed allow the ability to massively search across the internet for any vulnerability no matter how big or small. We explain to our clients there is likely not anyone personally sitting down and saying, ‘I’m going to target Mainstreet Coffee Shop in Anytown’ today. Rather they sit down with easily available software and start a scan of 10 million or so connected computers in the morning and then start hitting low-hanging fruit by lunch time,” he says. “If they infect you and you’re willing to pay $50 or $500 to get back in business then that simply adds to their quota requirement. If they get lucky and find a larger company with exposure, they likely hold that, don’t lock things up right away but do research to see how deep they can infiltrate and how much the ‘deal’ could be worth.”
Williams says one new client’s firewall blocked just over 1,500 attempts to gain access into the internal network desktops and server in less than two days.
Were an attack to be successful, the repercussions are far-reaching. “At minimum, you’re looking at three weeks of downtime,” says Bryan Hornung, CEO of Xact IT Group. “You need to bring in a forensics team, a breach coach—all of these things have to happen and will cost you above and beyond the ransom payment. Off the top of my head, you might be looking at $50-75,000 to rectify things.”
Your business’s reputation is also at stake. “You risk the trust of your customers and clients. Certain industries have to follow compliance with HIPAA and PCI and are under obligations to report the breach to the necessary authorities within 72 hours. Others who are smaller might restore their operations through backups and pay the ransom—which the FBI will tell you never to do—just because they don’t want that publicity,” says Art Leiby, president of the Lerepco IT Group.
What could become more common is requiring solid and current cybersecurity standards as a cost of doing business. “It is becoming incumbent with partners and vendors to have these measures in place in order to secure their business. There is too much data being shared and they want to know it’s secure in your hands,” he continues.
Vulnerabilities and Rectifying Them
Cybersecurity is like an onion, says Hornung. “Each layer of the onion needs to be protected. We typically look at six layers of concern and how to protect them. For instance, one layer is the perimeter, for which we recommend a firewall; another layer is the human/user layer, for which there needs to be education and awareness; and there is the endpoint, which requires antivirus, and so on,” he says.
Among the most common mistakes or vulnerabilities found by cybersecurity companies when conducting audits is the lack of multifactor authentication for email or primary systems. Tim Guim, CEO of PCH Technologies, says, “So many attacks occur because usernames and passwords are compromised on the Dark Web. Multifactor authentication is an additional security step that requires you to enter a passcode that was sent to your phone and it verifies that it’s you.”
Guim also says data backup is another element to shield against ransomware. “Businesses need to have strong backup and disaster recovery for continuity. We back up clients once per hour so if something did happen, we can move them back to the time just prior to the incident and they can get back to business quickly,” he says.
Old employee accounts can also lead to risks. “One of the biggest mistakes we see in companies is not having a proper off-boarding process,” Hornung says. “If they neglect to remove accounts of employees who no longer work there, hackers can use stale accounts to take advantage of security weaknesses in the network. … Companies need a defined process when an employee leaves, reaching out to IT to have the account removed.”
“Businesses should be budgeting an increase in IT spending each year due to the additional protections and complicated maintenance required to keep their systems safe,” advises Crane. “If a business is still trying to do IT on their own, or paying for IT help ‘only when there is a problem,’ they are living in the past. Everyone should have their IT managed on a regular basis by either in-house IT staff or a partner. In addition, there should be a separate third-party cybersecurity partner keeping a watchful eye over the environment and closely coordinating with the IT provider. Today, this is the bare minimum coverage required.”
While much of what needs to be implemented is technical, it’s actually human error that most often leads to a cyberattack.
“Imagine being in an employee’s shoes, maybe a new employee just trying to get work done, and they receive an email that looks like it’s from the CEO,” says Alborzfard. “They ask for a favor, to get gift cards for clients and to email the codes. So the employee does it. Cyber criminals play on a psychological level. If an employee is not educated or reminded, they’ve got a million things going on and aren’t thinking about what might be ransomware.”
Leiby says they do a great deal of end-user education. “You can have many solutions in place but the end user still remains the single weakest link in the whole mix,” he says. “We do a lot of training with clients on what emails not to open, links within emails, sites not to go to.” In a work-from-home environment, the risks could be even greater, he adds.
“Simply put, an educated employee or business owner is much more difficult to ‘hack’ than a non-educated employee or business owner,” says Williams. “In life we train for all kinds of things without question—sports, careers, personal interests. Cybersecurity training is a simple way to better protect yourself, your company and its digital assets against those who wish to maliciously extract money from you. It is important.”
No business owner can afford to overlook the risks of a cyberattack. “If you have had the same IT structure in place for more than two years, and haven’t upgraded or added additional cybersecurity-focused services or solutions, chances are you are at extreme risk of succumbing to a cyberattack,” says Crane. “Reach out to your provider or find a competent cybersecurity-aware partner to help navigate the protections appropriate for your company.”
Document and Equipment Destruction
Updating the hardware and software in your office and making it more secure is a step in the right direction, but old equipment may still hold sensitive information that needs to be properly destroyed.
Simone Bryerman, president of Proshred Southern New Jersey, says a lot of companies leave old equipment sitting, potentially exposing sensitive information like social security numbers, tax records, emails, invoices, financial data and other confidential business information.
“These days it’s all memory chip-based, even in the office printer. All that information that was photocopied is sitting there in the hard drive, and most people don’t realize that,” she says. “Simply deleting files or putting a drill through a hard drive is not good enough.”
Hard drive data destruction can be done on-site, with a serial number and certificate of destruction provided, which gives peace of mind to the business owner and customers.
“Errors and accidents happen, so make sure to put enough preventative measures in place while doing work, but also when finished. The most likely instances of fraud and identity theft occur by someone close,” Bryerman says. “Work with a compliance officer to have policies in place for disposing of sensitive information.”
Published (and copyrighted) in South Jersey Biz, Volume 11, Issue 7 (July 2021).