DENVER – Cyberattacks have been part of the news cycle for the past several weeks, with JBS USA – the largest meat processing company in the world – being the latest target to these criminals.
These types of attacks don’t just happen to big companies – those are the ones that just make headlines, according to Scott Warner, president of Connecting Point, an outsourced managed IT services company which provides services for small and medium-sized businesses in Colorado and Wyoming.
Denver7 talked with Warner about the recent wave of cyberattacks and what companies and individuals can do to better protect themselves from cyber criminals. Note: This interview has been edited for brevity and clarity.
Q: What’s going on with these cyberattacks on fuel pipelines and meat processing facilities?
A: Well, I think what people are seeing is just a proliferation – on a large scale – of what's happening on a small scale. The notoriety and press focuses on the larger tax, but Small Business USA is actually a much larger tax service. So, people should know that cybercrime is a $3 trillion top line revenue industry on an annual basis and so there's lots of dollars and so therefore lots of activity across all verticals and all shapes and sizes
Q: So you don't hear about small guys a lot, but they're being attacked just as much.
A: If you really think about it, the work that a large organization or an enterprise puts into IT security and the dollars that get put there is far more than a small business would have to address cybersecurity. So, there are more entities to attack with less focus and protection around cybersecurity. So, if you think about it, a large organization can still be compromised; how much more easily does a small organization get compromised as attacks get more elegant and complex? … And dollars are part of the solution, but education, awareness and training is over half the battle, right? You have to have – at the end of the day – the least common denominator is the individual, and so if the individual doesn't understand their part to play, then that's the weakest point of attack.
Q: For most companies – I'm guessing, small and large – it's not a matter of if, but when.
A: There's a great term out there that I think most leaders and business owners should adopt which is “assumed breach,” which is the kind of lens to view of, it's not if, but when. Cybercrime is constant and evolving, and so I think if we view our responsibility of mitigating risk and understanding how to temper the carnage, you know – when it happens – and to come out in a as good situation as possible, then you've done your job to mitigate that that risk of breach.
There are a handful of just commonplace things that need to be more widely adopted and implemented, but things like: Enforcing good password hygiene, making sure that networks are updated and protected on a continual basis, endpoints are secured, making sure two-factor authentication is enabled across remote access and logins and critical logins, email being protected and making sure that when people are sending and receiving emails – which that's really where most of the damage happens with this with email – and then once again, training your people in your team to understand that they're the weakest link and how to identify the issues.
We can forget how much username and password leakage we've already had with large platforms like, you know, Facebook and LinkedIn and some of those large, large platforms where credentials have already been compromised, they're out there, which is why password hygiene is important. But it is… it's a multitude of organizations and people who are actually executing these efforts of credential acquisition. And so, it's a large money industry and therefore, we have to be prepared to enforce that same kind of effort. Otherwise, you're always going to be chasing.
Q: Describe ransomware for us. Should companies ever pay? I've heard that companies do.
A: So, organizations get into trouble when the back-end data protection policies and procedures aren’t adhered to in a way that protects data and the inability to restore data. Once the data is lost, they have control but the practice and procedure around protecting data is one of the most important things that a business can do.
If done right, an organization should not have to pay a ransom for getting their data back; we should be able to recover those records without paying ransom. You don't want to have to get into paying ransom. If you have to get into paying a ransom, you are going to be negotiating with someone with very little long-term understanding of what's going to happen with your data.
Believing it or not, there is some trust issues in the cybercrime world. They actually are fairly well trusted because if they lose their trust that… ‘Okay. I'm gonna, you know, someone's gonna pay my ransom’ and I don't get their data back,’… There's this very weird code of ethics that they kind of have to perform, but you don't want to get there and there's lots of ways to prevent yourself from getting there.
Usually when a company has to pay a ransom, it's because somewhere in their process, they were not able to protect their back-end data, to the extent that they should have, or could have, and therefore their data was compromised beyond recovery, which once again, you shouldn't have to get there. But sometimes the worst-case scenario happens when an organization has to learn the lesson the hard way and ransom payment is the only way out of it. The hardest part for users is to navigate down a path of increased resistance, right? So the easiest – and this is what cybercrime is kind of hinged around – is the path of least resistance for a user is the path of least resistance for someone implementing a cybercrime act. And so password hygiene is really important and it really is part of the building block of a kind of healthy cybersecurity practices, password hygiene.
Q: I've seen something recently that says all those Facebook quizzes that are shared out there, those are actually just trying to get your password questions answered.
A: Absolutely, yeah. So, there's a lot of interesting tricks that are used out there to capture information and credentials to be sold and used to attack. Another interesting thing is a lot of businesses will have their email addresses on their websites. That's an easy way for someone to say, ‘I know the CEO, I know his email address, and I know how I can kind of spoof his or her email.’ And that's an easy in for someone, so being aware of that kind of stuff is important as well.
(But not all Facebook quizzes are trying to get your information), but there's definitely some spoofed quizzes out there that you have to be aware of. Don't ever fill those quizzes out.
One of the things that has become more and more important for small businesses is acquiring cybersecurity insurance. One thing to note is that, as organizations are trying to acquire cyber policies, they are … underwriters are getting more and more aggressive requiring cybersecurity services and best practices in place to get a cyber policy, which is going to be a trend for small businesses – they're going to have to beef up their cyber practices to even be insured with cyber insurance.
And if you look at some large organizations, if they want to engage in business with a larger organization or an entity or bid on a job, they have to prove they have cyber insurance. But that's something that is not as easily acquired anymore.
RELATED HEADLINES --