Recently, cybercriminals got away with close to $5 million in ransom and, in the process, shut down 45% of the consumer gas availability across the US. That incident not only cascaded through the marketplace affecting transportation, product delivery, healthcare, and more, it also exposed many data security and operational vulnerabilities in the country’s fuel and goods distribution system.
For business leaders, The Colonial Pipeline Co. hack demonstrated how a targeted ransomware attack on an operation with a few information security gaps can bring a business to a grinding halt. While this situation took place at a large company with more than $500M in annual revenue, the lessons learned in the process apply to almost any business.
Recently, ORRIOS CRO Steve Henn sat down with Datalink Networks CEO Don Wisdom to discuss the Colonial incident. They explored a variety of insights from the event that small and mid-sized business leaders should leverage when protecting the confidential data their organizations create and manage.
- How did this ransomware attack happen, and why was it successful?
- Should small to midsized business leaders worry, and where do their organizations fall in the range of cybercrime targets?
- What lessons should they take away from the Colonial incident?
Simple Vulnerabilities Create Big Risks
Investigators are still examining details about the cyberattack on the Colonial Pipeline. Early indications suggest that Darkside, the hacker group that implanted the ransomware, may have used one of two strategies to access Colonial’s systems: exploit a known system vulnerability or use a phishing scheme.
One highly accepted theory is that Darkside took advantage of a known software vulnerability that Colonial did not patch with updated software. An alternate theory is that the hackers used a phishing attack, where a nefarious yet realistic-looking email is sent to targets within the organization. When a recipient clicks a link in the email, it enables the hacker to collect information needed to infiltrate a system and access various applications.
Ultimately, Darkside was able to deploy ransomware in Colonial’s system and shut down pipeline operation.
While Colonial is the cyberattack poster child of the month, the struggle to understand information security risks, determine which tactics to use to protect against them, and decide how much to invest in security and compliance is a common business problem.
When managing security and compliance, you face the same sorts of decisions you have with every other business system. What’s the cost of investment? How do I determine the return on investment? What could happen to the company if I don’t implement protections? For larger companies, the investment may be relatively small compared to the size of their operation. The cost of a good program is part of the tradeoff. And like some forms of insurance, executive teams hope that an investment in improving infosec posture pays off by never having these sorts of incidents.
SMBs are in the Hackers’ Crosshairs
“Hackers are not interested in me.”
“We don’t operate a big business.”
“A system intrusion is a one in a million chance.”
That’s what small and mid-sized business leaders often think to themselves.
Yet, trends show that hackers are now expanding their attacks with a specific focus on small and medium-sized business markets. The 2020 State of SMB Cybersecurity report from ConnectWise reports that 55% of SMBs have experienced a cyberattack. Companies with $20M to $1B in revenue often miscalculate their infosec investment and strategy. Why? They do not understand that:
- The risk of a breach is far higher than they expect.
- Groups like Darkside are heavily targeting their industry with ransomware.
- Organizations with fewer than 500 employees spend an average of $7.68 Million per incident.*
Colonial got a lot of play in the news because it’s a big company and the attack resulted in a big payoff to the hackers. However, for smaller businesses, ransom demands are often in smaller amounts of $5,000 or $10,000. Even more concerning, and a real problem for companies with few financial and security resources: 30% to 40% of the time cybercriminals don’t decrypt the systems after companies pay the ransom.
Lessons Learned: Taking Cybersecurity Seriously
Remember the 80s when information technology emerged as a critical part of your back-office systems? Information security is the new IT. It has become essential to have a team, internal or outsourced, responsible for managing your information security program and reducing cybersecurity risk throughout your organization and your vendors.
Hackers are expanding their focus, capabilities, and targets. Generating good outcomes, such as payments for removing ransomware from systems, is becoming a bit of a numbers game for them. They are looking for easy targets.
There are many soft targets out there — companies that lack holistic cybersecurity programs or the skilled talent to manage them often have weak security postures. Making yourself a hardened target is your first step to avoiding a successful attack. Doing so requires an initial investment. It is no longer optional.
If you do not comply with a recognized standard or framework, you are vulnerable. If you are not using an infosec compliance platform to manage your program and analyze risks, you really begin to expose yourself to vulnerability. You wouldn’t manage your finance department without an accounting platform. The information your company stores is just as valuable as the dollars you manage.
What to do now: Preventing a cyberattack
Putting your head in the sand won’t eliminate the problem. Take away these essential lessons from the Colonial Pipeline incident.
- Understand your current exposure: Complete a gap/risk assessment to understand your assets and likely risks.
- Determine your cybersecurity risk goals: Identify the scale/scope of your program and the risks to be mitigated.
- Choose the right security framework for you: This can vary by industry, but standards like ISO and NIST are internationally recognized.
- Take care of the proverbial low-hanging fruit: Simple tasks like security patches can close gaps efficiently and cost-effectively.
- Train your staff: Build a culture of cybersecurity by ensuring your team understands how to spot and avoid risks.
- Understand vendor risk: Evaluate the information security practices of your vendors and only work with those who meet your security standards.
Questions about information security? Orrios can help.
Contact us for expert advice and guidance.
Breach Costs vs. Cybersecurity Program Costs
Companies face a host of challenges with few good choices regarding managing the costs of an intrusion or a data breach. There are only tradeoffs. In terms of cost management, the first thing to do is take stock of your systems, know where you’re vulnerable, and identify the cost to make an accurate and reasonable assessment of those tradeoffs.
Protecting your company against risk often involves purchasing a variety of business insurance policies. Like automobile insurance for consumers, cyber risk insurance is now becoming quite mainstream for corporate America. Yet, there is one big caveat to consider: Ransomware is often not covered in cybersecurity insurance policies. That’s right. The fastest-growing cyberattack method probably isn’t covered in your policy (if you have one). Instead, policies typically cover other types of costs associated with an actual data breach. As a policy requirement, cyber insurance carriers demand that companies implement security management programs that meet requirements in frameworks and standards.
There’s often a perception that a solid information security program is a very, very expensive proposition. The fact of the matter is, it isn’t as expensive as you think. Many companies can help you create effective programs and offer software and services that are very reasonably priced. A discovery risk assessment is a low-cost way to gain visibility into your current posture and determine the program costs based on your security goals and risk appetite.
The ultimate cost-comparison question business leaders must ask themselves: What is it going to cost to recover from a hack or data breach event? A recent Inc. Magazine article stated that 60% of small businesses will fold after a successful cyber attack. What is it worth to successfully maintain operations?
Exploring Cyber Risk & Communicating With Leadership
Managing cybersecurity is often foreign to senior leadership, and it can be easy to downplay risk in favor of focusing on other competing business challenges. That’s where a risk assessment, complete with risk scoring based on the confidentiality, integrity, and availability of the data held in various assets, comes into play.
Risk assessments begin with asking some basic questions. Which standard or framework do you use to manage infosec? Do you perform these types of compliance reviews? Do you have these controls in place? Which systems or information are mission-critical? Which information or systems can you quickly and easily replace? Do you have an agreement on exactly what you need to protect? Insights from these assessments not only help create a plan to improve your security posture, but they also enable helpful communication with boards and executive teams about threats and risk management plans.
What to do now: Preparing to Manage a Security Incident
- Determine who will lead your incident response effort: If you do not have a Chief Information Security Officer (CISO), designate one or choose an outsourced service to provide a resource for that role.
- Develop an incident response plan: Establish well-tested disaster recovery plans and have a support plan in place to respond to an attack.
- Create an organized communication plan: Understand notification requirements, draft content, and document how you will communicate to various audiences.
- Leverage State Safe Harbor Provisions: Utah and Connecticut recently announced provisions that limit exposure to businesses. Other states will follow.
- Choose a managed security services provider: Experienced guidance, forensic work, and consulting capabilities are invaluable when managing an incident and preventing future incidents.
Protecting your organization requires you to understand the risk to your business and make conscious decisions about the right security strategy and posture. Creating a plan to move from your current state to your ideal state will help define the path, the cost, and the timing to make your organization a hardened target for hackers.
Orrios’ OnTrack platform helps businesses create, manage, analyze, and monitor their information security. From assets and vendors to a library of policies and controls to risk assessment and mitigation, your entire security program is accessible in one easy-to-use platform.
Reach out to Steve Henn for our guide on using OnTrack to help your clients efficiently and cost-effectively manage their information security program.
* Based on research from IBM and the Ponemon Institute’s The Cost of Insider Threats Global Report 2020