Many of us check to see if our doors are locked before we go to bed. We might be pretty sure it’s already locked, but we know it’s worth double checking just in case. It’s common sense. That’s why it’s so surprising to see, according to a recent UK report, that only a third of businesses check their own cyber security locks by conducting a cyber risk assessment.
Throughout the report, there is a stark contrast between the amount of breaches companies are experiencing and the measures they are taking to prevent these breaches from happening. For example, the report found that nearly 40% of business surveyed reported at least one attack or breach within the past 12 months. What’s more, for many of these businesses, a breach is not a one and done experience. Half of the organizations that were attacked said they’ve experienced an attack once a month and a quarter of these businesses report attacks on a weekly basis.
If your home was being broken into on a weekly basis, you’d probably start double checking those locks. Yet, according to the report, businesses are not taking the necessary steps to protect themselves. In addition to the lack of cyber risk assessments, only 33% of businesses have a formal cyber security policy. And while phishing scams accounts for 83% of the attacks businesses reported, only 14% of businesses have conducted any sort of cyber awareness training within the past year.
In a blog post on the report, Phillip Virgo makes the important point that cybersecurity measures need to be considered within the context specific to a business’ size and industry. And he’s right, there is no one size fits all approach to cybersecurity. In order for any sort of protections to be useful, it’s vital those measures are not only suited to an organization’s size and industry, but also aligns with their specific business strategy.
At the same time, however, this doesn’t mean there aren’t steps every business should be taking to protect themselves and a risk assessment is a good way to start. Anything less isn’t just leaving your door unlocked, it’s leaving the door wide open with a welcome mat out front.
The prominence of ransomware within the already crowded cyber threat landscape has been in the headlines for the past few years. But what you won’t see in the headlines is the fact that small businesses are the ones bearing the brunt of the onslaught. Ransomware is a form of attack in which hackers encrypt or steal your data then demand a ransom before giving you back access. And, according to Coveware’s ransomware report for Q1 of 2021, 73%of all reported ransomware attacks this year targeted businesses with under 1,000 employees. Of course, there are plenty of large companies that have to deal with ransomware, but it’s high time we start looking for solutions to the very real threat that small businesses across the country are grappling with.
There are a number of reasons ransomware attackers focus their efforts on small businesses. For one, these attackers are opportunists. They’re not looking to crack the toughest systems, they’re looking for a quick buck. Since small businesses probably don’t have the sophisticated and expensive security tools in place that big corporations do, the bad guys see them as easy pickings.
Another big reason small businesses are targeted by ransomware is because the consequences of having their system’s shut down are far more costly for small businesses. According to Coveware, the average downtime following a ransomware attack is 23 days — up 10% from Q4 of 2020. Last year a small business in Kansas with only 8 computers was hit with ransomware and paid the hackers $150,000 for to regain control of their systems. Explaining why the company decided to pay the company’s CFO said, “If we don’t pay them, we don’t have a way out of this, and business just stops, so it’s quite a scary situation.” While cybersecurity experts tend to advice companies not to pay ransom, and new evidence shows 92% of companies never get their data back after paying, the stress, fear, and consequences of being down may be enough to give into the demands.
When it comes to ransomware and small businesses, it’s clear the stakes are high and only getting higher. It’s essential we start focusing our efforts on helping these businesses take reasonable and affordable steps that can help prevent attacks and protect their data.
To help, use the acronym R.A.N.S.O.M for 6 simple steps that can go a long way toward preventing and protecting your small business against ransomware:
Remote access protections and patching
Given the rise of remote work since the pandemic, hackers are increasingly using remote access to install malware. Having remote access protections in place is therefore essential for preventing an attack. Even simple steps like robust firewall settings and requiring the use of VPNs and adding Endpoint Detection and Response can go a long way to keeping attackers out.
In addition, hackers are constantly looking for vulnerabilities in the software we rely on to run our businesses. All those software updates may be annoying to deal with, but they often contain important security features that “patch up” known vulnerabilities. At the end of the day, if you’re using out of date software, you’re at an increased risk for attack.
Administrative privilege limits
Setting limits on administrative and access privileges is another important way to protect your data. Every employee should only have access to the systems and information they need to preform their work. Too many businesses give employees more access than they need. If a hacker gains access to one of your employee’s accounts and there aren’t access limits set, then the hackers can move freely through your systems, changing settings and accessing sensitive data
It’s important to keep different elements of your network separate from each other so you can control how information flows from one to the others. Similar to privilege limitations, this will help ensure that anyone who breaks into your systems can’t then use that access to move around your networks.
Security awareness training
Phishing and social engineering attacks are common ways attackers gain access to your systems and install ransomware. Unfortunately, phishing attacks are not something you can fix with a piece of software. Instead, its essential employees are provided with the training they need to spot and report any phish they come across. Sometimes it only takes one wrong click for the bad guys to worm their way in.
Offline backups and periodic testing
This is a big one. If you suffer a ransomware attack, having a backup of your systems may enable you to get you back up and running without having to pay or start over from scratch. However, when making backups it’s important to takes a few steps to ensure you can rely on them. For one, backups need to be stored offline in order to prevent hackers from gaining access to them as well. Second, it’s necessary to periodically test your backups to ensure they are working currently. You don’t want to be in the position of needing your backup only to find the whole thing is corrupted!
Finally, requiring multi-factor authentication can go a long way to prevent an attack. If an employee’s login credentials are stolen, MFA adds an additional layer of protection that may prevent the bad guys from getting into your systems.
In the wake of the recent SolarWinds hack, a vendor compromise that infected tightly protected government agencies, the Biden administration is reported to be planning a new cybersecurity executive order as early this week. While a National Security Council spokeswoman said no decision has been made on the final content of the executive order, among the measures being reported is a new requirement that any vendors working with federal government agencies must report any suspected breaches to those agencies.
While there have been multiple previous attempts to establish breach notification laws through congress, industry resistance has previously been successful in halting the bills from passing. But now, following the two, massive hacks of SolarWinds and Microsoft over the past few months, there may not be much vendors can do to stop it this time.
Along with the breach notification requirement, the planned cybersecurity executive order is reported to contain a series of additional security requirements for software and programs used by federal agencies. This may include requiring federal agencies to take small, but essential security measures such as the use multi-factor authentication and data encryption.
Overall, the executive order appears to create broader levels of transparency and communication between software vendors and government agencies regarding cybersecurity. For example, since many pieces of software now link directly to other programs and services, the order is reported to also require a “software bill of materials” that lays out what the software contains and what other services it connects to. According to Reuters, the order may also create a cybersecurity incident response board, encouraging communication between government agencies, vendors, and victims.
If Biden signs the executive order, this may be a the first step towards a more robust and efficient response to the increasing cyber threats government agencies are facing. According to Reuters, this may also open the door towards broader public disclosure legislation. By being transparent and openly sharing information, both government agencies and private organization will benefit by helping to identify and mitigate threats more quickly and effectively.
We’ve written before about how the disruption and confusion of the COVID-19 pandemic has caused an uptick in phishing and disinformation campaigns. Yet, there is another dimension to this that is just beginning to become clear: how the isolation of remote work helps to create the conditions necessary for disinformation to take root.
In a report on the impacts of remote and hybrid work on employees, Microsoft highlights how remote work has shrunk our networks. Despite the ability to use video services like Zoom and Microsoft Teams to collaborate with others across the globe, the data reveals that remote work has actually caused us to consolidate our interactions to just those we work closely with, and far less with our extend networks. The result is that employees and teams have become siloed, creating a sort of echo chamber in which new and diverse perspectives are lost. According to Dr. Nancy Baym, Senior Principal Researcher at Microsoft, when are networks shrink, “it’s harder for new ideas to get in and groupthink becomes a serious possibility.”
The gap between interactions with our close network and our distant network created by remote work doesn’t just stifle innovation, it’s also what creates the conditions necessary for disinformation to thrive. When we are only exposed to information and perspectives that are familiar to us, it becomes harder and harder to question what we are being presented. If, for example, we are in a network of people who all believe Elvis is still alive, without exposure to other people who think Elvis in fact isn’t alive we would probably just assume there isn’t any reason to question what those around us are telling us.
The point is, without actively immersing ourselves within networks with differing perspectives, it becomes difficult to exercise our critical thinking abilities and make informed decisions about the validity of the information we are seeing. Remote and hybrid work is likely going to stick around long after the pandemic is over, but that doesn’t mean there aren’t steps we can take to ensure we don’t remained siloed within our shrunken networks. In order to combat disinformation within these shrunken networks we can:
1. Play the Contrarian
When being presented with new information, one of the most important ways to ensure we don’t blindly accept something that may not be true is to play the contrarian and take up the opposite point of view. You may ultimately find that the opposite perspective doesn’t make sense, but will help you take a step back from what you are being shown and give you the chance to recognize there may be more to the story than what you are seeing.
2. Engage Others
It may seem obvious, but engaging with opinions and perspectives that are different than what we are accustomed to is essential to breaking free of the type of groupthink that disinformation thrives on. It can also be a lot harder than it sounds. The online media ecosystem isn’t designed to show you a wide range of perspectives. Instead, it’s up to us to take the time to research other points of view and actively seek out others who see things differently.
3. Do a Stress Test
Once you have a better sense of the diversity of perspectives on any given topic, you’re now in a position to use your own critical thinking skills to evaluate what you — and not those around you — think is true. Taking in all sides of an issue, you can then apply a stress test in which you try to disprove each point of view. Which ever perspective seems to hold up the best or is hardest to challenge will give you a good base to make an informed decision about what you think is most legitimate.
From our personal lives to the office, searching for opposite and conflicting perspectives will help build resilience against the effects of disinformation. It can also even help to be more effective at spotting phish and social media campaigns. By looking past the tactics designed to trick us into clicking on a link or giving away information, and taking a few seconds to take a breathe, examine what we are looking at, and stress test the information we are being shown, we can be a lot more confident in our ability to tell the difference between phish and phriend.
Breaches happen all the time, but every so often one of those breaches breaks through into national headlines, serving as a watershed moment about where we are and where we need to be with regards to cybersecurity.One of those watershed moments occurred last December when it was revealed that Russian state-sponsored hackers breached the software developer SolarWinds, and from there managed to access some pretty tightly-sealed networks and systems across public and private sectors. But what exactly happened? Who does it effect? What can we learn to better protect our organizations?
One of the most striking aspects of the SolarWinds hack is that it was years in the making, taking a huge amount of discipline and patience to pull off and stay undetected. Forensic evidence found that the hackers gained access to Orion, the SolarWinds product that was compromised, back in late 2019. Yet, at that time, the hackers didn’t actually make any changes or launch an attack. Instead, they sat and waited in order to monitor, learn, and test SolarWind’s system to ensure they wouldn’t be caught.
Then, months later in May 2020, the hackers made their move — but not in the way most would expect. Typically, when someone wants to infect a piece of software with malware, they will modify the code behind the software. However, because security experts know to look for code modifications, these hackers decided to instead install their malware directly onto the software product itself. So, when an update for Orion was released, government agencies, and companies big and small downloaded an update that contained a backdoor for the hackers.
Between May, when malware was initially launched, and December, when the hack was discovered, the attackers were able to move throughout the networks and systems of any company using SolarWinds’ software that they wanted. And they were targeted, going after the emails of specific, high-valued individuals within affected organizations. From there, the goal was to maintain access, move around infected system, and hold onto access of specific individuals’ communications.
Much has been made about the level of sophistication involved in the attack — and it was. However, at root, this is a story about 3rd party risk. We’ve written before about the importance of vendor management, and the SolarWinds hack is an extreme case in point. Because most organization’s today depend in large part on 3rd party providers for everything from cloud storage, to product platforms, to network security, an attack like this doesn’t have a definitive end. Instead, the SolarWinds attack has the potential ripple across a web of interconnected organizations across the supply chain. According to Steven Adair, a security expert who helped with the incident response for SolarWind, the attackers “had access to numerous networks and systems that would allow them to rise and repeat [the] SolarWinds [attack] probably on numerous different scales in numerous different ways.” It’s therefore possible — and perhaps likely — that the full effects of the hack are still to be revealed.
If that doesn’t serve as a wake up call, we don’t know what will. And as it turns out, there are a number of effective and achievable steps organizations can take to mitigate 3rd party risk.
1. The Basics
It may not seem like much, but simply maintaining basic digital hygiene plays a big role in protecting against attacks. Strong password management, using multi-factored authentication, and network segmentation should be a cybersecurity baseline for all organizations. These are simple steps that serve as an organization’s first line of defense against an attack.
2. The Rule of Least Privilege
The rule of least privilege essential means providing the least amount of access for the least amount of time to systems and networks. This involves setting limits on what access you give to products and software as well as actively monitoring access privileges for employees, contractors, and vendors. Essentially, if something or someone doesn’t need access to a piece of your system, they shouldn’t be able to access it. If someone need access to a part of your network for 2 days, then their privileges should expire after 2 days. This will limit the ability for malicious users to move around systems, potentially preventing them from spreading to other, more sensitive environments.
A lot of organizations these days maintain event logs, which essentially keep a record of all network activity. While logs might not directly prevent a breach, these records are vital to asses the potentially damage and scope of an attack, allowing organizations to act swiftly and forcefully to remove the threat. However, keeping logs isn’t enough, it’s essential to also retain these logs. SolarWinds policy was to remove these logs after 90 days. The problem, of course, was that the attack was discovered far more than three months after the hackers breached the system, effectively making it impossible to gain any detailed insight into what the hackers were doing prior to August of 2020.
Combining Business and Security
We’ve said it before and we’ll say it again: it’s easy to see security needs as at best a nuisance and at worst a barrier towards optimal business performance, but this simply isn’t the case. As Steven Adair points out, a small company doesn’t need to hit the ground running with the best security products and a million code audits right out the gate. However, if businesses incorporate security concerns within business strategies, these organization can start to ask themselves: “Where are we now, what can we do now, and what can we do along the way?” Asking those questions might just make the difference down the road when the next watershed moment strikes.