Training, Team Planning Can Be Keys to Surviving Cyber Attacks

Troy, Mich.-based Flagstar Bank suffered a series of cybersecurity attacks over a roughly 18-month period between February 2021 and June 2022 that cost the bank at least $1 million in ransom.

The first attack occurred in February 2021, the second one – for which court records show the bank paid the $1 million ransom – took place in November 2021 and the third was in June 2022.

The point that Orion Czarnecki makes is this: Cybersecurity attacks aren’t going anywhere any time soon. For the foreseeable future, they’re not only here to stay, but their perpetrators are getting better at it.

“Ransomware is not only evolving, you have to look at how they’re going to be using AI to spam and try over and over on different people,” said Czarnecki, recently hired as the head of cybersecurity for North America/Asia-Pacific at Stefanini Group, a $1 billion global technology company specializing in digital solutions. “When we hear about ransomware, we also want to think about spear phishing and phishing attacks. Spear-phishing being the targeted, I know who this person is, I think I know how to manipulate them, and I think I know how to get a return on my hacking investment.

“So, there are going to be volumes … more than we’ve seen to date,” he added. “Some of these companies are paying and that’s just worsening the problem.”

Czarnecki, who had been working with business owners earlier in his career, switched to threat intelligence, “discovered the world of cybersecurity,” and pivoted to building cyber threat intelligence tools.

He said he got involved in investigations into incidents such as attacks on Target and Home Depot, and into a group of hackers called LulzSec, which claimed responsibility for a series of hacks, including the compromise of accounts in PlayStation Network back in 2011.

Since 2014, he said, he’s “been building out cyber programs and … supporting CISOs.”

According to Czarnecki, companies should be working with law enforcement agencies – the FBI offers a public-private partnership to do so, he said – to make decisions on how best to handle ransomware attacks.

He said navigating such attacks on a per-situation basis with law enforcement would be the most helpful path in dealing with the problem.

“Think of it like this: They’re going to give you advice that you rely on,” Czarnecki said. “And as you work with your insurance company, as you work through the event, as you work through the actual incident response of it, having (law enforcement) embedded might lead to more information on the attackers because they have the overall view. It’s really critical for organizations to work in joint progression with law enforcement.”

While the perpetrators’ methods might be getting more sophisticated, the targets often remain the same types of businesses, those with money or critical-life information they can’t afford to have stolen or blocked.

Since the goal of attackers, Czarnecki pointed out, is to pressure organizations, there’s no better example of a potential victim than hospitals.

“There isn’t a better example than healthcare,” he said. “If you’re locking up machines and you’re pursuing these ransomware attacks, it’s almost a foregone conclusion that you would be steered into paying to get your network back up and running. And that’s why they’ve been targeted.”

Chad Paalman, the founder and CEO of NuWave Technology Partners, a St. Joseph, Mich.-based technology consulting firm, agrees hospitals are not only attractive targets, but an attack there could be more dangerous than others.

“Health care is a scary industry, when you think about them getting access to more than just data,” Paalman said. “Medical devices are connected to the network; if a threat actor takes control of a medical device – it could be a pump, it could be a robot – if someone had nefarious intentions, not to just monetize access, they could actually do physical harm to somebody.”

Companies dealing with energy – there was the attack on the U.S. pipeline operated by Colonial Pipeline in 2021 – are also prime examples.

Attacks – and potential future hits – on industries which are providing critical services and critical infrastructure prompted the federal government to create a law protecting them.

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enactment of CIRCIA marked an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA.

“They made it into law because it applies to critical infrastructure organizations,” Czarnecki said. “And I would say outside of hospitals, the energy sector is among one of the top targets.”

It isn’t just companies, either, according to Czarnecki. In a job market that’s hot right now, job sites like LinkedIn provide prime information for attackers.

The challenge for organizations is the phishing that happens on people’s LinkedIn profiles. If someone is looking for a job, it might be because they’re disenchanted with their current employer. They might have access to information an attacker might want.

“I think we’re going to see more and more illicit job postings on LinkedIn targeting people that are maybe a bit jaded with their companies that they be moving on,” Czarnecki said. “That’s the perfect attack vector for these cyber criminals.”

Attackers also look at individuals, trying to determine whether they have access to critical information. If the employee does have access to privileged tools or data, and they’re putting themselves out there looking for a job, for instance, they could be targeted.

“If you’re putting yourself out there, you’re making it all too easy to be targeted,” Czarnecki said.

It’s not just private-sector organizations that are at risk. According to experts at Rehmann, a business consulting and professional advisory firm in Troy, Mich., public sector groups are also potential targets.

In an article posted to Rehmann’s website, Paul Kennedy and Erinn Trask write that, while private-sector organizations might be more vulnerable, public-sector groups are more visible because their reporting requirements are different. They are, therefore, Trask and Kennedy write, “more drastically impacted” by cyberattacks.

Trask, a CPA, is Rehmann’s Senior Manager, Public Sector Finance and Accounting Solutions. Kennedy, a Certified Information Systems Security Professional, is Rehmann’s Senior Manager, Technology Solutions.

“This impact is measured not only in terms of recovery costs or ransom but also through fallout from system downtime, damage to reputation and credibility, and legal consequences,” the pair writes. “Those cumulative losses make recovering from an attack especially difficult.”

Ways to ward off cyberattacks, according to the article:

• Make Cybersecurity a Priority – Don’t let the flurry of tech terminology overwhelm you – or fool you into thinking cybersecurity is an IT issue or a one-and-done task. It is a whole-organization issue, one best addressed through proactive investment in resources; a cohesive strategy to protect, defend, and respond; and continuous vigilance.

• Prioritize What You Protect – To improve overall cybersecurity, have IT and each operational department work together to identify and prioritize your organization’s most important technology and data assets. Use this question as a measuring stick to stack them from the top down: “How critical is this asset to our operations?” By jointly identifying your organization’s “crown jewels,” you can bridge the gap between the operational departments’ understanding of the assets most critical to operate and the IT team’s knowledge and ability to determine and deploy the protections needed to secure them.

• Implement Security Measures Customized for Your Organization – It can be easy to chase after security tools, especially with so many off-the-shelf solutions available. We recommend a more strategic approach. The National Institute of Standards and Technology (NIST) Cybersecurity Framework comprises a set of more than 100 security control recommendations across five common IT functions. Rehmann customizes this framework for your organization’s specific risks and environment, systematically reducing cybersecurity risk through tailored-to-you policy, operations, and technology controls.

Paul Kennedy, senior manager for technology solutions for Rehmann, pointed out that organizations definitely benefit from what he called “thoughtful, comprehensive policies.”

In an article posted to Rehmann’s website (Make Cybersecurity a Priority in Your Organization), Kennedy wrote “well-defined human resources policies contribute greatly to organizational culture.

“Likewise, airtight legal policies offer guidance, compliance, and protection,” he wrote.

One problem, he said, is that navigating the complexities, defining compliance requirements, and then writing strong organizational policies takes a lot of time and can prove daunting. Still, it’s worth the effort, particularly when it comes to cybersecurity.

To put a dollar figure on it, Kennedy pointed out that a recent industry study found a $2.46 million gap in average total cost between breaches where an incident response plan and team were in place ($3.25 million average cost) and breaches where neither was in place ($5.71 million average cost), making a “well-designed incident response policy” worth almost $2.5 million, on average.

“It all starts with people,” Kennedy wrote. “The single most effective tool in creating, implementing, and sustaining strong policies is educating your people. With cybersecurity policies in place, you’re providing a common language that can be understood and transferred to others, which is crucial for business continuity and disaster recovery.”

It’s important, Czarnecki said, for companies and their Chief Information Security Officers (CISO) to train employees how to protect the company from cyberattacks.

“If you think of a network in terms of a house, right, with different rooms, they all have different surfaces,” he said. “You can get in through the windows, you can get in through the doors. It depends on the individual room that you’re working with your network.

“If CISOs and their teams aren’t actively thinking about those attack surfaces, they may not be thinking about how they are attacked, how they’re compromised.”

Czarnecki said companies that aren’t ready for attacks often are reacting without their employees having had proper training. It’s a “challenge” for CISOs.

Companies are tempted, he said, to “react to the next email or respond to the next training requirement.” Adequate training is important, he said, but so is having an incident response at hand to deal with potential attacks.

Security teams need to be performing group training sessions on the tools and surfaces they know on the security platforms.

One of the practices Czarnecki pushes with clients is a “tabletop” exercise with separate teams playing the roles on each side of the incident.

“This is a key challenge … you need to make sure that they are performing group training,” he said. “In the end, you want to be able to elevate your teams, not just to be doing the training modules that we all have in our businesses, but you want them to be able to do tabletop gates.

“What that really does is it helps you to train out your team on how to think, how to respond,” he added. “So, when an event comes up, your team knows how to assemble, who the incident commander is, how to work with legal heads of state in the company. Being able to do the training as part one of a bigger strategy is a way to have better threat awareness. We have to be vigilant. Training is critical, but what’s even more critical is uniting the people, the response and the data.”

Hacking doesn’t just happen to stateside companies; it’s a worldwide problem. Geography plays no role in which companies can be attacked.

Neelam Sandhu, Chief Elite Customer Success and Chief Marketing Officer at BlackBerry, the California-based cybersecurity and crisis management consultant, started out working in BlackBerry’s United Kingdom office. And she was recently in Africa having this same conversation.

“The world is more connected, just as people and things are more connected, so one entry point for a cyber attacker could mean a company or product is impacted that could infect our corporate data as well,” she said. “Everywhere has the same risks. To solve the problem, it takes everyone to come together and think about the problem seriously and attack it seriously.”