How to avoid million dollar ransoms
Welcome back to our monthly newsletter. We hope you had a happy and restful 4th of July holiday. This month’s post is an introduction to cybersecurity. This month’s Q&A is with our friend Phil Mauritz who shares his thoughts and insights on this important topic.
Intro
In the past few weeks, we have seen numerous reports of “ransomware” attacks. The most notable is probably the Colonial Pipeline. Attackers got a hold of one password for one system and were able to then get into many other systems. So much so that they not only shut down the operation, but attempted to collect $5 million in ransom to return control to the business operators. Many Americans across the country felt the impact of that shut down and it started with an operational breach.
More recently Scripps in San Diego suffered a similar fate. Details are still in short supply, but attackers again got access to one system and were able to gain control of many other systems. In this case they were able to gain access to hundreds of thousands of patient’s identifying and medical information. Both of these companies are now facing multi-million dollar, class-action lawsuits.
These attacks were not very sophisticated and took down very large organizations. While there is no way to guarantee protection from these types of attacks there are some best practices you should introduce into your course of business right away. We’d like to share a few ideas to get started on your cybersecurity check up.
Keep All of Your Software Up to Date
This list starts with an obvious one, but it’s arguably one of the most important. Any time there is a software update - especially on something core like Windows or MacOS, find some time to ensure you make the update.
Software is complex. That means it is always going to be imperfect. Researchers and security experts are constantly finding new “holes” in software and software companies are constantly patching those holes. All the while, hackers are looking for people using out of date software since they know there are vulnerabilities. Ignoring software updates is like leaving your house with the lights on, windows and doors open, and nobody home.
If you’re using licensed, on-premise software, like an ERP from SAP, that requires a service contract or has other monetary costs to upgrade - this is a great time to consider moving to cloud based software. Cloud based software that is sold on a recurring, subscription basis has many benefits over its on-premise competitors. We will save the full list for a later blog post, but the most relevant to this post is that you’ll always be on the most up-to-date and secure version of the software. By moving to the cloud, you are effectively outsourcing most of the security burden to the software provider.
Be Careful What You Share on the Internet
There are many charmingly fun viral quizzes such as “What Transformer are you?” or “What superhero are you based on your birthday” or the ever popular:
These are only designed to collect personally identifying information. These seem innocent, cheeky, and friendly, but if you’re answering this on Facebook consider this: anyone reading your comment, even if the original poster is someone you trust, can probably reset one or two of your passwords.
Even scarier are social quiz apps that you download or install designed to do the same thing. These memes are designed to be engaging and give you the hope of going viral. The reality is that you’re showing the public your ATM PIN code without even knowing it.
Training
Security - both physical and digital, is every employee’s responsibility. It’s important to work this into your everyday work culture. Usually this takes form by way of training. When new hires start and ideally on an ongoing basis. While it may be hard to make sure that all staff go through some form of security training, it will always be cheaper than dealing with a loss of business.
Training will make your staff feel more empowered and qualified to surface any concerns to management. As more employees go through training you can build a culture where every employee is thinking about security. Security is one of those rare scenarios where more people working on the project can make a big difference. No list on the internet, no highly paid consultant, indeed no piece of software can beat a highly trained and coordinated workforce. When every employee is on the lookout for issues or breaches, your business will be far less susceptible to cyberattacks.
The training is to help staff identify what most people refer to as “hacking” and possibly more importantly, what industry insiders call “social engineering” attempts, and, crucially, train staff on the correct response to each situation.
“Social engineering” refers to the practice of people creating awkward or tense social situations designed to trick employees into divulging sensitive information. This could be anything from phishing emails to very targeted, so called “spear phishing” phone calls or emails. Making your employees aware of how these attempts work, having a process around responses to them, and more should all be covered in new employee onboarding, as well as recurring training.
Some industry best practices include:
Not opening or downloading attachments from people you don’t know
Calling anyone who is asking for money or sensitive information back
Double and triple checking websites before submitting any information online
Encouraging staff to check back in with their managers to ensure a request is legitimate
For staff with even more access to sensitive information, systems, etc. you may consider further training and possibly even access to software tools that enable managing and sharing passwords securely.
The reality is that most hacks are not very sophisticated. They usually start by identifying anyone using out of date software, social engineering, or some physical security breach. Having a properly trained and prepared staff is the most commonly misunderstood and undervalued aspect of digital security.
Stop Managing Passwords
A significant majority of cyberattacks start with a compromised password. In 2020, on average, it took companies 197 days to discover a breach and up to 69 days to contain it. Passwords are the easiest start because most can be guessed, reset, or even stolen and then used without your knowledge.
Passwords are also hard to remember and if you have a tendency to use the same password over and over again, you are particularly vulnerable. Considering using Single Sign On where available. Single Sign On (SSO) helps you manage fewer passwords. If you are using Microsoft, Google, or Apple cloud services - chances are you can continue to use that service as an SSO provider for other popular services.
In cases where SSO is not an option, or you haven’t migrated to cloud based services yet, fear not. There are other options. Okta is a business focused “identity management” platform. Okta gives management one place to manage users for almost all of your cloud enabled applications and you can create and manage user accounts and passwords for all of those services in one place.
Moving to password managers also improves security. These tools help with generating and sharing passwords with employees more securely. These services shouldn’t require any changes to your workflows since they are available with browser plugins, desktop applications, and mobile applications. Similar to SSO services, you will create and manage one password for the “vault” and the services will offer to generate secure passwords for all of your applications.
Going one step further, you can add 2 Factor Authentication (2FA for short.) 2FA is considered the industry standard for securing your web based accounts. 2FA requires your username, password, and then a second form of verification. Typically this will be via a randomly generated, time sensitive extra authentication code. This code might be sent to the verified email address, texted to a phone number, called to a phone number, or you might use another application or device to generate the code. Okta offers an app for this. Authy from Twilio and Google Authenticator are popular, free options as well.
In Conclusion
In our modern, always connected world - cybersecurity is a constantly looming threat. Reading the news makes it sound like everyone will get hacked one day. The reality for “hackers” is that it’s a pure numbers game. Similar to those spam calls we all get about our expired car warranties, hackers cast a wide net.
A hacker might not call or email you, but they will visit your website, and try to find any open doors. They will attempt to login to services your employees use. They will try to reset passwords. It’s almost guaranteed that they will find logins for these services, since most of them use employee email addresses. Once they see, however, that they can’t reset the password or get it quickly, they are more likely to move on to the next target.
So far we’ve outlined some of the first ways to protect yourself, your employees, and your business from these threats. The more you can do to protect your business, and make it harder for bad actors to get in, the less likely they are to keep trying. To that end, you should also consider having a response plan by scheduling frequent, offline backups of critical systems and data. Being able to respond to any cyberattack quickly, could be a key differentiator for your business.
Obviously if a hacker shuts down your day to day operations, that will directly impact your bottom line, but this could impact your bottom line in another way as well. Business liability insurance policies are beginning to take notice and asking to see what tools, training, and policies business owners have in place to protect against cyber crime. You don’t need to have a Chief Security Officer or Chief Technology Officer to have a good cyber security policy and response.
Noteworthy Bits
Bonus cybersecurity reading this month!
Russian Hackers are Trying to Brute-Force Hundreds of Networks via Wired
“The hacking campaign has targeted a broad swath of organizations, including government and military agencies, defense contractors, political parties and consultancies, logistics companies, energy firms, universities, law firms, and media companies. In other words, practically every sector of interest on the internet.”
Q1 2021 Cybersecurity Market Review via Momentum Cyber
Investment in the Cybersecurity space continues to new heights with Momentum reporting that Q1 of 2021 had a total of $24.5 Billion dollars of deal activity.
Cybercrime is projected to cost the world $10.5 Trillion annually by 2025
Japan to Bulk Up Cybersecurity Units for Nation’s Defense via Nikkei
Cybersecurity is a global concern. Japanese government’s very bold goal is to more than double staff in their own organizations as well as tap more private sector companies as well.
Q&A with Phil Mauritz, Director at Okta
[Editor's note: For this month’s Q&A we have our friend Phil Mauritz talking through why security is important, the risk factors, and real world steps you can take to protect yourself. Phil has built his career thinking strategically and long term both as an investor and as an operator. Phil is currently a Director of Global Business Value and Strategy at Okta]
Who is a target for hacking?
Everyone; if you own, borrow, or use a mobile device, computer, or any connected device in any capacity you are prone to hacking. In fact, you can safely assume that at some point in your life you or someone you know will experience a breach of data or misuse of credentials. An interesting website, haveibeenpwned.com, will actually very quickly let you know if your email address has ever been compromised. With over 11.4 Billion compromised credentials on record I would imagine you could be one of them.
Why should business owners worry about hacking? They don’t have billions of dollars nor do they have large tech infrastructure
No matter the size of your organization, the security of your digital assets as well as your customers and employees personally identifiable information (PII) should be top of mind. Take a small healthcare focused technology organization or a “Mom and Pop” pharmacy down the street. Security should be paramount for not only reputational and lost business costs in the event of a breach, but also for the variety of downstream legal, regulatory (HIPAA in this case), and other post breach response costs; consulting and legal services, restitution to victims, technology recovery, and ransomware/extortion. Other potential costs include possible fines if in breach of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) to name a few; there are many more. According to a widely benchmarked industry study by the Ponemon Institute the average cost of breach for an organization was $3.86 Million in 2020. For companies with less than 500 employees those costs were on average $2.35 Million.
What’s the most common way people get hacked?
Data on this varies by industry and source particularly since hacking itself is a fairly broad term. When speaking of malicious data breaches: compromised credentials (user name, password, etc), misconfigured IT solutions, vulnerable third-party software (malware), and phishing rank among the top methods by which individuals and corporations are hacked. And yes, there are certainly more.
As SMB’s start moving more to cloud services, how does that change how they should think about security?
Security begins with awareness. This applies to cloud, on-prem, or hybrid environments. Every member of an organization should play a role on the security team. They should participate actively in ensuring the security of their customers’ and fellow employees' data and credentials. There are a variety of resources on how to educate and enable your workforce to protect themselves and your organization; I highly recommend adopting and reinforcing those best practices early and often. After awareness comes technology. Your IT and Security experts should be adopting best of breed technologies to protect against the variety of methods used to hack that we discussed earlier.
From a purely technological standpoint, companies should be thinking about how to best layer and enforce authentication factors and policies for the resources that their workforce and customers access. The most basic factors for multi-factor authentication (MFA) include passwords, security questions, and SMS/Voice/Email OTP (one time password). As we know, traditional passwords can be compromised, security questions can be socially engineered, and even SMS/Voice/Email OTP can be intercepted. Layering more sophisticated factors like Mobile/Desktop OTP and Physical OTP tokens ensure higher levels of protection. Beyond that we move to Biometric-enabled push notifications, FIDO 2.0, BYO SAML, and OIDC Authenticators among others. Some of that may seem a bit technical but the key takeaway here is that passwords were the first and oftentimes weakest link. The future is passwordless altogether but we can leave that for another chat.
Securing your identity is critical, personally and professionally. What are the most important steps for people to take to protect their identity?
On a personal level think carefully about what you share about yourself online, on the phone, or in public. Professionally, do the same. Don’t click on links in emails from people or companies you don't recognize. Don’t accept unexpected push notifications. Check to make sure email addresses and embedded urls are correctly spelled and actually make sense. Educate yourself, your employees, and the people around you on how to be safe in a digital world. We lock our doors at night, look for cars before crossing the street, and put our Social Security cards in a safe place; behave accordingly with your digital identity.
What are you reading or watching?
Wait, is this a hack?