SPECIAL ADVERTISING SECTION
Cybersecurity
Roundtable Ransomware: “There is no end in sight.”
Cyber attacks are not going away. In fact, they are rising. A recent study found that they’re not only happening more often, but also increasingly sophisticated—and targeted even more at small businesses, which are unprepared. As part of those attacks, ransomware is a growing danger. Columbus CEO discussed cybersecurity related to ransomware with Tom Skoog of Blue & Co. during a virtual call on Feb. 9. Here is an edited and condensed version of that conversation. Transcript provided by PRI Court Reporting. Moderated by Ray Paprocki, publisher/general manager, Columbus CEO Participant: Tom Skoog, principal, cybersecurity and data management practice leader, Blue & Co. March 2022 l ColumbusCEO
43
SPECIAL ADVERTISING SECTION
Tom Skoog: There is no end in sight
of this threat. The number of attacks is up, the requested ransom amount is up, the cost of recovery or restoration is up, and as long as companies or individuals continue to make ransom payments, the attacks will simply continue. Secondly, and it’s still ransomware, but rather than being targeted at the company, now it’s your key vendors that are being targeted. We’re starting to see Cloud vendors get infected and shut down. Just recently Kronos, which is the timekeeping and payroll service, was impacted by ransomware, which in turn impacted all sorts of companies’ ability to run payroll. We had several hospital clients that asked us how are we supposed to run our payroll when our payroll processor is down? And they were going to be down for weeks, not for a couple days. I think third is the internet of things. As more and more machines on the shop floor become enabled, or in hospitals or in construction companies or in retailers, it’s opening more and more doors and windows for the bad guys to come in.
coupled with employees still doing things they shouldn’t do: clicking on links, clicking on attachments.
CEO: Are those real numbers, the $60 million and $80 million?
Skoog: There was one entity this
past year, I think it was considered the fourth largest ransomware hacking group in Eastern Europe, and they cleared $110 million in 2020.
CEO: What can companies do, par-
ticularly smaller companies, to make sure their vendors are not opening the door?
Skoog: Smaller companies certainly
CEO: Why have the folks behind ransomware been successful?
Skoog: From the bad guys’ perspec-
tive, it’s a recognition that two years ago we made $60 million on ransomware attacks. This year we made $80 million. We think we could make $100 million next year. And why can we make that? Because companies still aren’t putting in the basic protections to reduce those risks, and then that’s
Tom Skoog
Ransomware certainly has surpassed the threat of having data stolen; these bad actors are realizing I can make a lot more money by just locking them up.
BLUE & CO.
Blue & Co. is a regional accounting firm with 10 offices in Ohio, Indiana and Kentucky that focuses predominately on health care—offering audit, tax, financial consulting and IT risk and security services. Blueandco.com
44 ColumbusCEO l March 2022
are a little more challenged in terms of what kind of leverage they may have with vendors, but there ought to be pretty strong language in your contracts about what kind of cybersecurity controls that vendor has in place. And it’s becoming more and more common for organizations to ask for proof of those controls through an audit known as a SOC 2 report that has accounting firms come in and look at and validate what kind of security controls a company has in place. And then that company’s able to take that report and give it to prospective clients or prospective customers.
CEO: Is there anything on the law enforcement side?
Skoog: The challenge is that most of
File/ColumbusCEO/ROB HARDIN
Ray Paprocki, (CEO): Can you talk about the top threats that businesses will be facing in 2022 regarding ransomware?
these attacks are being launched not in the United States, rather against U.S. entities. So most of them are being launched from Eastern Europe and inside of Russia. Their ability to make arrests, if you will, are certainly limited. The way that they get paid and the way that they launch their attacks, they build anonymity into their processes. Meanwhile, the Chinese are interested in getting intellectual property and reducing R&D costs. I had a client in Ohio—they’re a manufacturer, and they’re selling to the oil and gas industry. And they had lost a bid to a new Chinese competitor. When the sales guy happened to be down at his customer, he saw the product, and he said that’s basically our product. They did some forensic work and they had shown that their engineering systems had been breached from China. Now they have a brand-new competitor that has put no R&D into their product, and they’re selling it at 30 percent less than what this company was.
CEO: What are some of the secondary impacts of a ransomware attack?
Skoog: Not only is there the payment,
but there’s the cost of the down time and there’s the cost to recover. One of the larger secondary impacts that we’ve seen this year is what’s happened in the cyber insurance market. Because that market has done a complete 180-degree twist from where It was a year ago. Rates were very affordable. The underwriting process was rather laissez faire. And now all of those things are
SPECIAL ADVERTISING SECTION
completely the opposite. On average, rates are up 40 percent, but in some of the higher-risk industries like healthcare or legal, rates are up as much as 300 percent, and in some cases they won’t even write for those industries. Underwriting has gone from a simple questionnaire to a very prescriptive set of controls that you must have in place. And deductibles are up significantly. The carriers want the insured to be sharing in more of the risk.
CEO: What are the best defenses
companies can deploy to reduce risk, especially the smaller companies that don’t have the big budgets?
Skoog: For the smaller companies, it
gets down to a few fundamental things. One is training your employees; this ransomware gets delivered almost exclusively through phishing emails. Second is what’s referred to as next generation antivirus software. There’s several on the market, but getting those so that they’re alerting you, hey, something suspicious is happening on this machine; take this machine off the network right away.
The third thing that I would focus on is patching and making sure that you’re very diligent about applying software patches. Ransomware is looking for patch fixing: Can I get my little piece of ransomware into this company before that company patches this technical vulnerability that Microsoft, Adobe or Apache identified. It really is a race against the company applying those patches and the bad guys getting their ransomware software into your network before you patch. If you’ve got very, very good patching practices, that’s going to greatly reduce the risk. For larger companies, one of the things that the insurance carriers are requiring is that you really should be having a third party monitoring your systems. That’s 24 hours a day, 7 days a week, with monitoring tools that that third party owns so they can identify for you, hey, something has happened here, and they can alert you to it and walk you through what you ought to be doing. I had a client, a hospital, that was patching some file servers, but that practice took time. I mean, it wasn’t like applying a patch for your iPhone that
takes a minute to download. This was hours of work to apply these patches. They got one of the servers patched, and the next day there was a ransomware attack on their other two servers. But their monitoring partner called and alerted them and said you’ve got something funny going on with these two servers. They were able to physically take those servers off the network and get that ransomware out and then get them patched. They ended up not having a situation where all their systems got locked up.
CEO: Final thoughts? Skoog: I think that continued
diligence around good, solid security practices are more important than ever. Ransomware certainly has surpassed the threat of having data stolen; these bad actors are realizing I can make a lot more money by just locking them up, and I don’t need to figure out how to sell this data that I stole. I got to go find a buyer for that and there’s more risk involved with it. Until companies stop paying ransoms, then these attacks won’t stop.
CD-0006298564-01
March 2022 l ColumbusCEO
45