Ransomware, Hacking Remain Among ‘Biggest Issues’ Facing Business Owners

Chad Paalman has been on the same soapbox for several years now and it doesn’t look like he’s going to be climbing down off of it for a while.

Paalman, the founder and CEO of NuWave Technology Partners, a St. Joseph, Mich.-based technology consulting firm, has been pounding it into business leaders for years that they need to have a plan to deal with a cybersecurity event such as a ransomware attack or a hacking.

Paalman urges business leaders to work with their IT team ― whether it’s an internal team or outside the organization ― to “pick a framework and use it to put cybersecurity best practices” in place.

According to Paalman, they’re going to need it.

“This is the single biggest threat all organizations face today,” Paalman said. “If you know statistically it’s the most probable catastrophic thing that’s going to happen, why don’t you have … those plans in place and test those plans.

“Put all the cybersecurity best practices in place that your budget will allow and at the same time have a plan in place, so that if you have a cybersecurity event you can recover and continue to operate your business,” he added. “My biggest message is, be cyber resilient, have a plan in place, test your plan and continue to make investments in bettering your security at the same time.”

For the foreseeable future
Paalman said cybersecurity is definitely an issue and will “continue to be for the foreseeable future.” Data, he said, is the “new gold” that information thieves, whom he calls “threat actors,” are willing to steal.

The presence of the data is akin to the attraction bank robbers feel knowing their target is flush.

“Banks get robbed because there’s money, there’s gold, there’s valuable material in those banks,” he said. “The data (businesses) possess is the equivalent of gold.

“Furthermore, the threat actors have realized they can monetize this information, either by encrypting it and holding it hostage or threatening to put it all on the open internet for anyone to have access to. All of this data has value.”

How much value? Consider the information compiled by Outwards.net, a web site that tracks such information.

In 2021, the largest single ransom demand was $50 million and ransomware that year cost businesses some $20 billion worldwide. Outwards.net estimates that, by 2031, ransomware demands could cost businesses around the world $265 billion.

Darrell Rodgers agrees that hacking, social engineering and ransomware still present a “massive problem,” because information is available “pretty much everywhere.”

Still a huge threat
Rodgers, the president of Atlanta-based Emerald Data Networks, which provides full-service, enterprise-wide technology solutions, said some incidents might be down “because people have been out of the office so much” during the pandemic.

But, he agreed, it’s still a huge threat.

“As long as information is available on the web, nobody is immune,” said Rodgers. “I have more protections than most, but we were a target. It happens to everybody.”

While hacking incidents overall are up, Bloomberg reported that Chainalysis compiled research that said U.S. companies paid $456.8 million in ransomware demands in 2022, down from $765.6 million in 2021.

“That doesn’t mean attacks are down, or at least not as much as the drastic drop-off in payments would suggest,” according to the Chainalysis report. “Instead, we believe that much of the decline is due to victim organizations increasingly refusing to pay ransomware attackers.”

Chainalysis also said the actual totals could be much higher, as there are cryptocurrency addresses controlled by ransomware attackers that its researchers haven’t yet identified.

NuWave’s Paalman said smaller companies shouldn’t think they can’t be targeted. It isn’t something that only impacts (large organizations) ― oil pipelines and big organizations, etc.

Size doesn’t always matter
Paalman said he knows of a small business ― six or seven employees ― in Grand Rapids that had “a nasty event” last year.

“It’s impacting businesses and organizations of all sizes,” he said. “Nobody is immune from this.”

And it’s not a phenomenon reserved for certain industries; everyone can get hit. Some are scarier prospects than others, though.

“Health care is a scary industry, when you think about them getting access to more than just data,” Paalman said. “Medical devices are connected to the network; if a threat actor takes control of a medical device ― it could be a pump, it could be a robot ― if someone had nefarious intentions, not to just monetize access, they could actually do physical harm to somebody.”

Emerald Data’s Rodgers said industries that are most susceptible are the ones with higher employee turnover and less cyber training.

There are other industries that are more susceptible because of the amounts of money they’re moving. The mortgage industry, he pointed out, is one of the most susceptible, because “you’re dealing with a large amount of money in a single transaction.”

“A lot of times mortgage information ― closing information, purchasing information, etc. ― is made public for one reason or another,” Rodgers said. “And mortgage companies are dealing with home inspectors, a lot of different professionals, a buying agent and a closing agent.

“You generally have a lot of people touching things,” he added. “If any of those people who are touching the transaction are sending emails in an unsecured way and it gets caught by someone looking to do this, then they can very easily figure out who’s buying and who’s selling and they can send emails telling them to make financial transfers.”

Not a new phenomenon
Hacking and ransomware certainly aren’t new problems; they go much farther back than the pandemic, for instance.

But it’s getting worse because of the advent of the Internet and our dependence on it.

“It’s getting worse because, as a society, we’re all becoming more dependent on the Internet,” he said. “Everything we use in our daily lives is connected to the Internet. If you think back 10-plus years ago, that wasn’t the case. And it’s only going to become more connected.”

So what should people be doing about it? Paalman said businesses should practice “cyber resiliency,” much the way residents in Florida are resilient in the face of the annual hurricane season.

Florida residents know that, statistically speaking, they’re probably going to get hit by a hurricane. People aren’t naive enough, he said, to think they’ll never get hit, so they think about how to build a structure that is hurricane resistant, but “they know there’s nothing they can do to completely protect themselves.”

“I coach business leaders to have that same mindset when it comes to cybersecurity,” he said. “There’s no amount of money, no number of tools you can put in place to protect yourself completely from a cybersecurity event.”

No amount of money
For instance, he pointed out, the federal government has been compromised and they “have budgets bigger than most small businesses combined.”

“They are spending an exorbitant amount of money on cybersecurity and protection, and they still get hit,” Paalman said. “There’s no amount of money you can spend to completely protect yourself.”

Paalman said companies can practice for a cybersecurity event by doing “tabletop exercises” designed to prepare employees.

How do businesses do that? Paalman offers these suggestions:
• Run a simulation. These things don’t happen Monday-Friday from 8-to-5; the threat actors do them in the evenings, on weekends, and holidays, so practice them when you’re likely to have the event.
• Have conversations with your attorney, with your insurance provider.
• Crisis communication. Coach your employees that, if this happens, here’s how we react.

“Those are things you need to get coached up on,” he said. “Practice those things before you have a real event.”

Cybersecurity attacks often catch companies off-guard when employees aren’t sure what to look for. One of Rodgers’ customers had an employee who got an email purportedly from her boss, the executive vice president of a major corporation, advising her to take financial steps, which she did.

Because she did it, that money was gone, Rodgers said.

He said companies need better controls and better training. Emerald Data writes policies and procedures and security manuals designed to help companies do a better job.

Bringing in the experts
The problem is Emerald Data isn’t usually called in until some regulations change or, more frequently, some kind of a sudden failure has taken place.

“Those are the two biggest things that get people talking to us right away,” Rodgers said. “Any time someone’s in a regulated industry, we start to get more information. Anytime someone is in a situation where they’ve had some issue come up, we start to hear from them.

“It really just takes one employee not doing what they’re supposed to do, one employee whose password is ‘password,’” he added. “Once people get in … there are advanced ways people can hack your password, which happens all the time.”

And it doesn’t take the bad actors long.

“Most passwords can be broken within a day,” Rodgers said. “If I find out you’re the office administrator of a mortgage company, it’s worth my time to break your password, because one transaction can net me $30,00, $40,000, $150,000 of earnest money put in my account.”

The FBI advises companies against making ransomware payments. According to the Chainalysis report, companies take the legal risks into account before paying.

“One of the biggest factors companies are taking into account when determining whether they should pay a ransom is how risky it would be legally ― particularly given that there’s the danger they could be paying a sanctioned entity, which would have severe legal ramifications,” Jackie Burns Koven, head of cyber threat intelligence at Chainalysis, told Bloomberg.

In addition, she said, “insurance companies are being much more strict about how and when their insurance payouts can be used ― oftentimes eliminating the ability to use them to make ransomware payments altogether.”

Say a company does decide to pay the ransom? What’s to stop these “threat actors” from just striking again?

Honor among thieves?
Believe it or not, Paalman said, most of them have reputations to protect.

“If I know that I pay this threat actor group and a month later they’re just going to do it again, I’m not going to pay it,” he said. “It’s all about reputation. The customer service departments of these threat actor groups are better than any you’ve ever called.

“They’re running businesses … A lot of these groups have credibility,” Paalman said. “The good guys who are doing the incident response can tell you that if you have ransom from one particular group or another, ‘hey, that group is going to give you the keys.’ Or, I had an incident a couple of years ago where they said, ‘don’t pay the ransom, because they still won’t give you the key.’”

Rodgers said Emerald Data can certainly supply the kind of training that might minimize the effects of a cybersecurity event. The level of training, he said, depends on the type of business.

A businesswoman once asked him if her business should be taking cyber training. His answer might have surprised her.

“I told her, ‘You guys are tiny … nobody’s going to target you, because there isn’t any money in it for them,” Rodgers said. “It’s not worth anyone’s time. If it was, it’d be important for you to get training.

“I also have three different closing attorneys, and I tell all of them they need to be leveraged to the hilt,” he added.

Of course, companies need to be insured against cyber attacks; the government mandates it.

In the aftermath of Covid, Rodgers said, with everyone going remote as much as they have, cyber insurance requirements “have doubled or tripled.”

Companies used to, he said, get their cyber insurance renewed with a wave of a hand.

“Now it’s a teeth-gnashing, grinding, month-long process to get an insurance company to agree to cover them for cyber security,” he said. “It is getting more expensive because companies are actually using it.

“In the early days you had to have it, but it was mostly a check-box thing,” he added.

Matter of common sense
Self-protection, he said, is really a matter of what he called “having cyber common sense.”

“If you’re getting an email for the first time from your boss asking you to transfer money, that should be a red flag,” he said. “If someone sends you a message and says ‘you’re in jeopardy of your home being foreclosed on, we need you to send us your social security number and your birthday,’ that should be a red flag.

“People a lot of times react to the content of the message, instead of taking a minute to consider the context,” Rodgers said. “That’s really the biggest issue that causes individuals and companies major problems.”

When the discussion about building a border wall on the southern border was raging, an analogy was made that if someone built a 10-foot wall, someone else would build an 11-foot ladder.

The same kind of analogy can be made in terms of computer hacking and the technology that makes it possible. Isn’t there technology that can keep it from happening?

Paalman said there is, but there’s also a problem.

“It’s a continuous cat-and-mouse game,” he said. “Technology is actually advancing quite nicely to give us those (protection) tools. The problem is ― the bad guys have those tools, too.”