Ransomware is no longer a threat just to individuals and companies; it can now be considered a threat to the national economy, infrastructure, and security of the US.
What steps can you take to protect your company’s customer data, financial information, trade secrets, and reputation?
To find out more, we spoke with Bryan Fuller, CEO of Contigo Technology, an IT support firm based in Austin, Texas. The company supports nearly one hundred businesses in the central Texas region and has been recognized by Expertise.com as a top-rated MSP; the firm has also ranked in the INC 5000 list for three years in a row.
We began our interview with Bryan by asking how Ransomware has changed in recent years.
Q: Reading the news, it feels like Ransomware has not only become more dangerous but also more “professional” (meaning it’s operating more like a business). How would you characterize what we are seeing?
“The idea that Ransomware has become more professional is spot on,” says Bryan. “I can give you a very good example to illustrate this. These criminal organizations want to have good customer service – even to the point of setting up ‘customer service’ desks to facilitate taking ransom payments. In other words, if you have technical difficulties making ransom payments, there is literally a number you can call to speak with a customer service representative. That’s a huge change from earlier ‘script kiddies’ that hacked into accounts years ago. Ransomware has become a big business, albeit a criminal one, and it turns out it’s critical for these organizations that your stolen files are restored after you make a ransom payment. They need to maintain a good reputation, meaning if you pay, you get all your files back. Otherwise, their ‘reputation’ will be tarnished, people won’t bother paying ransoms, and their whole criminal ‘business model’ will run aground.”
Bryan went on to explain other ways that Ransomware (and the closely related crime of fraudulent wire transfer requests) has changed.
First, it’s become ‘nastier.’ It’s no longer limited to locking your computer files on your hard drive and asking for bitcoin payments to unlock them. Ransomware perpetrators are now trying to monetize everything they can steal from a corporate network, including emails, trade secrets, passwords, etc. that can be sold on the dark web.
Secondly, Bryan points to information from the annual report from Crowdstrike (which he recommends reading), which says that new criminal organizations running Ransomware attacks are popping up in South America, whereas formerly most of them were located in Eastern Europe and Russia.
The third thing that has changed, according to Bryan, is that hacking activity has finally gotten the attention of C-suite executives.
Q: When it comes to Ransomware attacks, is there a pattern for who gets attacked? Are all businesses equally vulnerable?
There is some misconception here that needs clarification, Bryan explains.
The news tends to cover cases where high-profile, famous-name companies or organizations are targeted, such as SolarWinds, Colonial Pipeline, and most recently, the FBI.
These are known as “Big Game Hunting” attacks, where criminals deliberately seek out a specific company or organization, such as a government agency or critical national infrastructure, or, in the SolarWinds example, plant a Trojan Horse in the company’s middleware software to gain access to the corporate networks of SolarWinds customers.
However, according to the Crowdstrike report mentioned earlier, Big Game Hunting only comprises about 15% of Ransomware and other hacking attacks.
That leaves a balance of 85%.
Just going by the numbers, most companies are going to fall into this 85% category, in which the criminal activity is impersonal and fully automated.
They are not paying attention to who your company is or what products and services you offer. Instead, these bad actors are simply scanning every possible network connection they can find, as well as sending out phishing emails to millions of email accounts, in an attempt to find the “low-hanging fruit”: a network that doesn’t have the latest security patches, or a distracted worker who, walking into a conference room with a box of donuts in one hand, clicks on a malicious email on their smartphone with the other and accidentally compromises the whole company network.
“I compare it to those small-time criminals who walk down the street, checking to see if any car door handles are unlocked. If they are locked, they move on to the next car. It’s the same with most hacking attacks – criminals will move on to the easier prey if you have your security in order,” Bryan explains.
Q: For companies that fall into the 85% group, what are the most common vulnerabilities that criminals exploit?
According to Bryan, email phishing attacks are one of the main risks in a corporate IT environment. Clicking on a bad link or opening up a compromised document or zip file can allow criminals to gain entry into corporate networks, which is their main goal.
That’s why it’s so important to train employees to recognize phishing emails, to avoid entering their usernames and passwords on them, and to never click on unexpected links or files.
Email is also a major factor in wire transfer fraud, which is closely related to Ransomware and can be just as financially ruinous. To prevent this, it’s critical to make sure there are rigorous policy controls in place in Accounts Payable departments to prevent transferring funds to fraudulent accounts.
Q: You mentioned earlier that Ransomware now has the attention of C-suite executives. What’s your impression of what business leaders are thinking, and how are they reacting?
Company executives are definitely getting the message now, Bryan explains.
They are seeing what is happening at other companies and realize they need to act.
For example, they recognize the need to get insurance coverage, e.g. cyber insurance, to protect against catastrophic losses due to ransomware demands or fraudulent wire transfers.
But beyond the financial and business interruption risk, execs are also worried about the effect a computer hacking attack could have on their company’s reputation. As a result, many hope to keep any breaches quiet.
Q: We’ve seen in the news this week that some in Congress and the FBI are proposing new disclosure laws to make hacking attacks public. But wasn’t there already a disclosure requirement in place?
No, there is not yet a universal disclosure requirement, but rather a patchwork of rules at present, explains Bryan. It depends on which regulatory environment or framework you fall under.
For example, if you are engaged in any DOD activity (and this generally includes subcontracting work), you will need to comply with the DOD’s Cybersecurity Maturity Model Certification (CMMC) requirements, which do spell out obligations to notify officials of a security breach.
Another case is anything healthcare-related, particularly where PHI (private healthcare information) is involved, as this triggers a federal HIPAA violation, which is very serious and can result in large fines.
There are also relatively recent laws issued by the European Union, specifically the General Data Protection Regulation (GDPR), which bills itself as “the toughest privacy and security law in the world,” as well as new consumer protection laws in California that require disclosure (and mandate fines) when consumer data breaches occur.
Q: What’s the short “elevator speech” explanation for what companies need to do to protect themselves?
The first thing is that you have to assume you are going to get a Ransomware attack (eventually) and plan accordingly, explains Bryan.
Cyber Insurance is now a must, and in the event of a Ransomware attack, the Cyber Insurance team will step in to manage the situation and, as a last resort, negotiate payments to get your files back.
Importantly, there is a rigorous process of qualifying (and maintaining) insurance coverage, and the process of complying with these strenuous requirements will go a long way to help prevent attacks – or help you recover from them should they occur.
Q: Let’s talk more about Cyber Insurance. This will be new for many of our readers. What do you need to do to qualify for it?
That’s a very good question. The requirements are changing and becoming more extensive, says Bryan. Many carriers now have a very “tight” questionnaire with very specific, rigorous requirements to maintain good security practices based on the NIST Cyber Security Framework issued by the federal National Institute of Standards and Technology (part of the US Dept. of Commerce).
Importantly, Bryan points out that if you misrepresent your answers on the Cyber Insurance application, that’s considered fraud, and they won’t issue a claims payout if you experience a ransomware attack.
Most companies (outside of tech firms and those with extensive in-house IT security expertise) will need the assistance of an outside IT support vendor (such as Contigo Technology) to ensure they are following the NIST Cyber Security Framework and abiding by their agreements outlined in the Cyber Insurance policy terms.
This means training your staff to:
- Practice good security hygiene (such as recognizing email phishing frauds and not clicking on unexpected email links or attachments)
- Perform necessary computer backups
- Follow strict policies to avoid wire transfer fraud schemes
- Use a VPN to connect to the corporate network when away from the office network, whether at home, the coffee shop, hotel, or airport/airplane.
- Keep company data within corporate software suites (such as Google G-Suite or Microsoft Office 365) which have good security features, such as 2FA (two-factor authentication)
Q: If, heaven forbid, there is a Ransomware attack, what is the best-case scenario, and what is the worst?
According to Bryan, the best-case scenario is you determine post-attack that you are in possession of a clean, valid, working backup of your corporate data files made within the last two days. If that’s the case, you can restore your corporate data (in coordination with your Cyber Insurance team), and no ransom payment is needed.
On the other hand, the worst-case scenario is you can’t successfully restore a backup of your recent files, and the Cyber Insurance team has to take over and negotiate the payment, often asking for a discount through the excellent professional ‘customer service’ we talked about at the beginning of the interview.
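As an added example (not from the interview or from Contigo Technology) of the “clean, valid, working backup made within the last two days” test Bryan describes: this Python script checks a backup against an assumed manifest.json layout (a creation timestamp plus a SHA-256 hash per file) and reports the backup as stale when it is older than two days, or as unusable when a file is missing or no longer matches its recorded hash, as it would after being encrypted by ransomware. The sample backup tree is constructed in a temporary directory so the script runs offline.

```python
"""Backup freshness/integrity check. Added example; the manifest.json layout is an assumption."""
import hashlib, json, os, tempfile
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=2)  # the "within the last two days" threshold from the interview

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_backup(backup_dir):
    """Return (ok, problems). manifest.json: {"created": ISO-8601 UTC, "files": {name: sha256}}."""
    manifest_path = os.path.join(backup_dir, "manifest.json")
    if not os.path.exists(manifest_path):
        return False, ["manifest.json missing"]
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = []
    created = datetime.fromisoformat(manifest["created"])
    if datetime.now(timezone.utc) - created > MAX_AGE:
        problems.append("backup is stale: created " + manifest["created"])
    for name, expected in manifest["files"].items():  # each file must exist and match its hash
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            problems.append("missing: " + name)
        elif sha256_of(path) != expected:
            problems.append("hash mismatch: " + name)
    return not problems, problems

def make_sample_backup(age_hours, tamper=False):
    """Construct a small sample backup tree in a temp dir (constructed test data, not real files)."""
    d = tempfile.mkdtemp()
    files = {"ledger.csv": b"acct,amount\n1001,250.00\n", "notes.txt": b"quarterly notes\n"}
    created = datetime.now(timezone.utc) - timedelta(hours=age_hours)
    manifest = {"created": created.isoformat(), "files": {}}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
        manifest["files"][name] = hashlib.sha256(data).hexdigest()
    if tamper:  # simulate a file altered (e.g. encrypted) after the manifest was written
        with open(os.path.join(d, "ledger.csv"), "ab") as f:
            f.write(b"ENCRYPTED\n")
    with open(os.path.join(d, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return d
```

Run `check_backup` against a fresh, a three-day-old, and a tampered sample (via `make_sample_backup(12)`, `make_sample_backup(72)`, and `make_sample_backup(1, tamper=True)`) to see the three outcomes; in practice the manifest should be written at backup time and stored apart from the live network.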
Q: With so many workers working from home (or in hybrid work environments), how does this impact in-house IT departments or IT consultancies, such as Contigo Technology? For example, managing BYOD equipment comes to mind.
Sure, BYOD is a definite issue, Bryan explains. In an ideal world, we’d all like to provision each computer centrally, lock them down security-wise, and send them to employees working from home or on the road.
But that’s not realistic in today’s environment where employees want to bring their own devices (BYOD) and connect them to the corporate network.
So we need to make sure these devices are loaded with current software (especially any software updates), that employees use a VPN to connect to the corporate network, and scrupulously follow all the NIST guidelines we talked about before.
Bryan also advises that staying within the Google and Microsoft office suite ecosystems is important because they offer good security, such as SSO (single sign-on) access and/or requiring 2FA (two-factor authentication). Importantly, employees should avoid using file-sharing services that aren’t approved and never reuse passwords between apps!
Another consideration is planning for hardware and software retirement. Even if everything seems to be working OK, Bryan recommends that companies budget for retiring the computers, tablets, or smartphones used by employees at the five-year mark. After five years, most devices aren’t getting the same level of security upgrades found in newer devices, software packages, and operating systems.
Thank you, Bryan Fuller, CEO of Contigo Technology, for taking the time to meet with us today.
We’d like to offer our thanks to Bryan Fuller for sharing his insight with us today.
And if you are in the market for ways to improve your IT department, office environment, or home office, may we suggest you take a look at the custom furniture solutions from Formaspace.
If you can imagine it, we can build it, here at our factory headquarters in Austin, Texas.
Talk to your Formaspace Design Consultant today, and find out why leading names, including Apple, Capital One, Dell, Google, Oculus, Twitter, and SpaceX, choose Formaspace for their custom furniture projects.