Devices Increase, Methods Evolve as Companies Continue to Face Hacking Issues

Business leaders who believe phishing and ransomware attacks aren’t still “a thing” because they don’t see stories on the front pages of newspapers or at the top of newscasts do so at their own peril.

That’s the opinion of Ron Warsaski, the owner of Illinois-based World Wide Network Solutions, which specializes in a wide range of cyber services, including tailored IT services and solutions for small- and medium-sized businesses.

Warsaski warns business owners that this kind of cybersecurity threat is still prevalent.

“When it really hit, maybe 10 years ago, it was new,” Warsaski said of cyberattacks. “These attacks were crazy, (companies like) Sony and Target, and they made the news. Now they’re at 20 minutes after the news hour. It’s not a breaking story so I think people don’t realize it’s still a major issue.”

Getting companies to come to that realization – and convincing them they do have data that hackers will hack – is the big challenge in preventing cyber-attacks, according to Warsaski.

“A lot of small businesses figure, ‘I don’t have anything worth it, so they’re not going to hit me,’” said Warsaski, who’s been in the IT business since 1996. “They don’t understand the concept of ‘low-hanging fruit.’ They’re an easy target.

“It’s not just that they want your data,” he added. “It has evolved into not just ransomware, but blackmail. It’s that ‘hey, we just encrypted all your stuff and now we want money.’ That’s what it was, and it still is. But now it’s also, ‘You don’t want your stuff back? OK, we’ll decrypt it, and we’ll sell it to your competitor.’ Now it’s about blackmail.”

Neelam Sandhu agrees cyber-attacks are on the rise, and says there are a couple of reasons for that: The number of connected touchpoints – devices – is increasing dramatically, and cyber-attacks, especially with the advent of Artificial Intelligence, are becoming more sophisticated.

“If you get an email, you can usually tell if it’s an email you shouldn’t click on because there’s a spelling error, and it looks like a little bit of an amateur email,” said Sandhu, Chief Elite Customer Success and Chief Marketing Officer at Blackberry, the California-based cybersecurity and crisis management consultant. “With the advent of Gen AI, it’s going to become very, very difficult, almost impossible, to identify those emails that way. They’re going to look very polished, and very genuine. It’s only going to get harder.”

Protecting against that kind of hacking can be a tough job for any Chief Information Security Officer – “There are memes that show a CISO after one day on the job looking like they’ve aged 50 years,” Sandhu said with a chuckle – and, she says, no company can ever be protected 100%.

“The CISO’s job is probably one of the hardest jobs out there today,” she said. “Can a company ever be completely secure? No. Blackberry wouldn’t claim that, and I think no one should claim that. There’s a lot to react to every single day. Can a company ever be completely secure? The answer is no.”

And the bigger the company, the more areas of risk, Sandhu pointed out. Companies have to take the security posture to the next level because the job is “ever evolving.”

Chad Paalman, the founder and CEO of NuWave Technology Partners, a St. Joseph, Mich.-based technology consulting firm, has been pounding it into business leaders for years that they need to have a plan to deal with a cybersecurity event such as a ransomware attack or a hacking.

Like Warsaski, Paalman urges business leaders to work with their IT team — whether it’s an internal team or outside the organization — to “pick a framework and use it to put cybersecurity best practices” in place.

According to Paalman, they’re going to need it.

“This is the single biggest threat all organizations face today,” Paalman told Corp! Magazine. “If you know statistically it’s the most probable catastrophic thing that’s going to happen, why don’t you have … those plans in place and test those plans?

“Put all the cybersecurity best practices in place that your budget will allow and at the same time have a plan in place, so that if you have a cybersecurity event you can recover and continue to operate your business,” he added. “My biggest message is, be cyber resilient, have a plan in place, test your plan and continue to make investments in bettering your security at the same time.”

Paalman said cybersecurity is an issue and will “continue to be for the foreseeable future.” Data, he said, is the “new gold” that information thieves, whom he calls “threat actors,” are willing to steal.

The presence of the data is akin to the attraction bank robbers feel knowing their target is flush.

“Banks get robbed because there’s money, there’s gold, there’s valuable material in those banks,” he said. “The data (businesses) possess is the equivalent of gold.

“Furthermore, the threat actors have realized they can monetize this information, either by encrypting it and holding it hostage or threatening to put it all on the open internet for anyone to have access to. All this data has value.”

How much value? Consider the information compiled by Outwards.net, a web site that tracks such information.

In 2021, the largest single ransom demand was $50 million and ransomware that year cost businesses some $20 billion worldwide. Outwards.net estimates that, by 2031, ransomware demands could cost businesses around the world $265 billion.

Warsaski said that’s all these cyber-attacks are about: The money.

“It has evolved into not just ransomware, but blackmail,” he said. “It’s that ‘hey, we just encrypted all your stuff and now we want money.’ That’s what it was, and it still is. But now it’s also, ‘You don’t want your stuff back? OK, we’ll decrypt it and we’ll sell it to your competitor.’ Now it’s blackmail.

“They don’t care about your data, they just want money from you, and they’re going to do what they have to, and find the pressure point that will get money out of you. How much? That number changes all the time.”

The problem of protecting data, Sandhu said, is that companies don’t always know exactly what they’re protecting themselves against. There’s also a human element that can’t be completely avoided, no matter what safeguards are put in place.

If one employee clicks on an email they shouldn’t, or leaves a thumb drive somewhere, the precautions taken won’t matter a whole lot. Company data is still at risk.

“The landscape is changing every single day, and not just once a day,” Sandhu said. “Literally, in real time, the landscape is evolving. The ever-evolving landscape and … the human factor is a hard one to plan for or to map a technology infrastructure against.”

Darrell Rodgers agrees that hacking, social engineering, and ransomware still present a “massive problem” because information is available “pretty much everywhere.”

Rodgers, the president of Atlanta-based Emerald Data Networks, which provides full-service, enterprise-wide technology solutions, said the number of some incidents might have dropped “because people (were) out of the office so much” during the pandemic.

But, he agreed, it’s still a huge threat.

“As long as information is available on the web, nobody is immune,” said Rodgers. “I have more protections than most, but we were a target. It happens to everybody.”

While hacking incidents overall are up, Bloomberg reported that Chainalysis compiled research that said U.S. companies paid $456.8 million in ransomware demands in 2022, down from $765.6 million in 2021.

“That doesn’t mean attacks are down, or at least not as much as the drastic drop-off in payments would suggest,” according to the Chainalysis report. “Instead, we believe that much of the decline is due to victim organizations increasingly refusing to pay ransomware attackers.”

Chainalysis also said the actual totals could be much higher, as there are cryptocurrency addresses controlled by ransomware attackers that its researchers haven’t yet identified.

It’s not just big businesses who have to worry, according to Warsaski, although health care and other large businesses have been targeted. But because such a large percentage of American businesses qualify as small- to medium-sized, they’re obvious targets.

“Small and medium businesses are still popular because they’re the low-hanging fruit,” he said.

Sandhu said there are certain industries or businesses that are a little more susceptible. Like Warsaski, she notes that health care organizations have been popular targets. But hackers, she said, will target businesses which can’t afford to have their operations interrupted.

A hospital, for instance, can’t afford to go offline because patient information is at risk.

“A hospital, for example, may want to do the right thing and not give in to the ransom, but it’s literally people’s lives on the line if they don’t,” Sandhu said. “Those types of areas are more susceptible, not because of their security posture but because attackers know they will pay the ransom.”

“Health care is a scary industry, when you think about them getting access to more than just data,” NuWave’s Paalman said. “Medical devices are connected to the network; if a threat actor takes control of a medical device — it could be a pump, it could be a robot — if someone had nefarious intentions, not to just monetize access, they could actually do physical harm to somebody.”

Paalman said that doesn’t leave smaller companies off the hook. They can still be targeted.

Paalman said he knows of a small business — six or seven employees — in Grand Rapids that had “a nasty event” last year.

“It’s impacting businesses and organizations of all sizes,” he said. “Nobody is immune from this.”

One of the issues in surviving a ransomware attack is that companies don’t usually see it coming. Cybersecurity attacks often catch companies off-guard when employees aren’t sure what to look for. One of Rodgers’ customers had an employee who got an email purportedly from her boss, the executive vice president of a major corporation, advising her to take financial steps, which she did.

Because she did it, that money was gone, Rodgers said.

He said companies need better controls and better training. Emerald Data writes policies and procedures and security manuals designed to help companies do a better job.

The problem is Emerald Data isn’t usually called in until some regulations change or, more frequently, a sudden failure has taken place.

“Those are the two biggest things that get people talking to us right away,” Rodgers said. “Any time someone’s in a regulated industry, we start to get more information. Anytime someone is in a situation where they’ve had some issue come up, we start to hear from them.

“It really just takes one employee not doing what they’re supposed to do, one employee whose password is ‘password,’” he added. “Once people get in … there are advanced ways people can hack your password, which happens all the time.”

And it doesn’t take the bad actors long.

“Most passwords can be broken within a day,” Rodgers said. “If I find out you’re the office administrator of a mortgage company, it’s worth my time to break your password, because one transaction can net me $30,000, $40,000, $150,000 of earnest money put in my account.”

The FBI advises companies against making ransomware payments. According to the Chainalysis report, companies take the legal risks into account before paying.

“One of the biggest factors companies are taking into account when determining whether they should pay a ransom is how risky it would be legally — particularly given that there’s the danger they could be paying a sanctioned entity, which would have severe legal ramifications,” Jackie Burns Koven, head of cyber threat intelligence at Chainalysis, told Bloomberg.

In addition, she said, “insurance companies are being much stricter about how and when their insurance payouts can be used — oftentimes eliminating the ability to use them to make ransomware payments altogether.”

But say a company does decide to pay the ransom? What’s to stop these “threat actors” from just striking again?

Honor among thieves?

Believe it or not, Paalman said, most of them have reputations to protect.

“If I know that I pay this threat actor group and a month later they’re just going to do it again, I’m not going to pay it,” he said. “It’s all about reputation. The customer service departments of these threat actor groups are better than any you’ve ever called.

“They’re running businesses … A lot of these groups have credibility,” Paalman said. “The good guys who are doing the incident response can tell you that if you have ransom from one group or another, ‘hey, that group is going to give you the keys.’ Or, I had an incident a couple of years ago where they said, ‘don’t pay the ransom, because they still won’t give you the key.’”

And it’s a worldwide problem. Geography plays no role in what companies can be attacked. Sandhu started out working in Blackberry’s United Kingdom office. And she was recently in Africa having this same conversation.

“The world is more connected, just as people and things are more connected, so one entry point for a cyber attacker could mean a company or product is impacted that could infect our corporate data as well,” she said. “Everywhere has the same risks. To solve the problem, it takes everyone to come together and think about the problem seriously and attack it seriously.”