
YOUR DATA IS NOW MINE

Are you prepared for a ransomware attack?

BY TED McINTYRE WITH CYBER SECURITY SPECIALIST DEREK BROWNE

DESPITE THE PANDEMIC, the construction world churns away at warp speed. It’s hard to find time to scrutinize whether that Facebook friend request or email link is legit, or to remember whether you’ve bothered to update your computer software or back up your files in the past month… or year… or ever.

And that makes you ripe for the picking for cyber-attackers, says Derek Browne, Chief Information Security Officer at Federated Insurance/Northbridge Financial.

The online threat du jour has become ransomware, Browne notes, where your computer files are encrypted, forcing you to pay the criminal to release your data (usually in untraceable Bitcoin), in the hope that they actually keep their promise—and that they also don’t decide to share those files with the rest of the world, just for kicks.

According to the 2020 Threat Intelligence Index from IBM’s X-Force cybersecurity unit, ransomware accounted for nearly 60% of all attacks on Canadian IBM customers last year. During a CHBA cyber security webinar in March, a member noted they had been subject to a ransomware attack two years ago from a computer program named Phobos. It was a reminder that it’s not just major corporations that get targeted by cyber criminals, and that it’s a growing business.

It’s like a spreading virus, Browne warns: If you don’t take precautions, it’s simply a matter of time before you or someone you know gets infected.

OHB: WHO NEEDS TO WORRY MOST ABOUT THESE THREATS—LARGE OR SMALL COMPANIES?

DEREK BROWNE: “Most social engineering and ransomware are just crimes of opportunity. I, as an attacker, can spend a lot of time researching your company to find out who owns it, who the accountant is, who the employees are, and then try to attack those individuals with very targeted emails, pretending to be a key person in the company. But unless the target is known to be valuable, it’s not worth my time. If I were to mount a ransomware attack on OHBA members, without a doubt the easiest route is a simple phishing attack—just spamming out a bunch of emails until somebody clicks the link.

“Of the test simulations we send to our clients’ companies, 12% click on the link. Proper security training can help reduce that to almost zero.

“But once the attacker gets that click, they have access to your environment and will look into your email address book and see who the most high-value targets are. And then they’ll use them as the next tier of victims. And maybe they’ll look in your email to see if you’ve applied for a loan and get your credit card info, or maybe your driver’s licence and picture, which they can sell in the underground market.

“And then they can download malware from there. It happens fast.”

YOUR COMPANY’S REPUTATION IS AT STAKE TOO.

“A lot of a home builders’ or renovators’ business is word of mouth. And if all of a sudden you cannot deliver on your business, or are known as the source of an attack on your partners and your customers, that’s very bad for business. So it just makes sense to spend the time and money to protect yourself from something like this. Just as you would lock your door at night, you need to lock your virtual doors as well.”

BUT AREN’T MOST PHISHING ATTEMPTS PRETTY OBVIOUS?

“Some are. Look for things like poor grammar, poor spelling, or if they don’t know your name. Maybe the logo colours are off or the resolution looks fuzzy. One of the biggest indicators is the email address it’s from. Examine the address to see if it looks correct.

“Context is everything. If someone is reaching out at a time they normally wouldn’t, or asking something of you, or has questions about your company such as who handles finance, any of that is enough to raise a red flag. It might even look like an email from a partner saying we need to deal with this invoice immediately. If there is any doubt, pick up the phone and call them.”
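The sender-address check Browne describes above, as an added example that is not part of the original article: a small Python routine that pulls the real address out of a From header, flags a display name that claims a known partner while the address domain differs, and flags look-alike domains against an allowlist. The partner domains and the sample headers are constructed for illustration.

```python
"""Sender-address sanity check for the phishing indicators discussed above.

Constructed example: parses the From header, compares the display name's
claimed organisation with the real domain, and flags look-alike domains
against a small allowlist of known partner domains (assumed values).
"""
import difflib
from email.utils import parseaddr

# Assumed allowlist of domains you actually do business with (constructed).
KNOWN_DOMAINS = {"federated.example", "ohba.example", "supplier.example"}


def sender_domain(from_header: str) -> str:
    """Return the real domain of the address in a From header, lowercased."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str, known=KNOWN_DOMAINS, cutoff: float = 0.8):
    """Return a known domain this one closely resembles but is not, else None."""
    if domain in known:
        return None
    matches = difflib.get_close_matches(domain, list(known), n=1, cutoff=cutoff)
    return matches[0] if matches else None


def phishing_flags(from_header: str) -> list:
    """List red flags for a From header: no usable address, a display name
    that claims a known partner while the domain differs, or a look-alike domain."""
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    flags = []
    if not domain:
        flags.append("no usable sender address")
        return flags
    # Display name names a partner organisation but the address is not theirs.
    for known in KNOWN_DOMAINS:
        org = known.split(".")[0]
        if org in name.lower() and domain != known:
            flags.append(f"display name claims {org} but address domain is {domain}")
    # Domain that closely resembles a known partner (typo-squat, swapped letters).
    near = lookalike_of(domain)
    if near:
        flags.append(f"domain {domain} resembles known partner {near}")
    return flags


if __name__ == "__main__":
    # Constructed sample header with transposed letters in the domain.
    print(phishing_flags("Federated Insurance <billing@fedreated.example>"))
```

A header that passes this check is not proof of legitimacy; it only removes one of the cheap tells before you pick up the phone.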

BUT WHAT IF THEY GET YOU? SHOULD YOU PAY THE RANSOM?

“I advise never to pay, because you’re paying criminals. But it’s easy to say and hard to do when you can’t run your business. And the problem is that while you’re more likely to get your files back from the attackers today than in previous years, they’re now making you pay twice—or more. And there can be double or even triple extortion, where not only does the attacker encrypt your data, they’ll also make a copy of it. If it’s your customer data or something else you don’t want exposed, they’ll extort you for that too. And third, they might even threaten to call all your customers they have data on and tell them that you’ve exposed them. It’s a nightmare.”

HOW SHOULD ONE RESPOND?

“If you get hit, your best option is to wipe everything out, recover from backup and start clean. Which is why it’s mandatory to have regularly backed-up files that are kept someplace not connected to your office network.

“But first there has to be a response plan in place. Make sure you know who to call, from IT to police services and lawyers. And it’s important to have engaged with them previously, because if something happens, you don’t want this to be the first time you meet them.

“We do security awareness training for all of our new hires, and we always hammer home that if something bad happens, report it immediately. Call your manager, talk to the people around you, because they probably received the same phishing email as well. And inform your clients.”

AND YOU’RE ONLY AS SAFE AS YOUR PARTNERS ARE.

“It’s part of the contract you should have with your clients: ‘What are you doing to protect your data? If you have an incident, will you tell me within four hours so that I can protect myself and disconnect?’ Their security has to be at least as robust as yours.”

THE WORK-FROM-HOME TREND MUST ALSO BE AN ISSUE.

“You may have spent $250,000 protecting your work network, but now all that infrastructure is sitting there, while your data and most of your people are at home, having maybe gone out to the local electronics store, bought a router, plugged it in and probably not changed the default password or SSID for the wireless network. So that has imposed an additional risk for sure.”

HOW DO YOU KNOW IF YOU’VE BEEN COMPROMISED BEFORE?

“Apart from running antivirus software on your system, be it Malwarebytes, Sophos, Avira, etc., everyone should check out Haveibeenpwned.com, a website run by Australian Troy Hunt. You type an email address in it and it tells you if that email has been exposed in any breach that Troy is aware of. So if your data was exposed in a LinkedIn or Dropbox breach a few years ago, he knows if your account was compromised.”

SHOULD WE THINK OF SECURITY EXPENDITURES JUST LIKE WE DO WITH INSURANCE?

“Whether you think of it as insurance or as greater visibility into your company’s security posture, you should be doing it. Do the technical assessments, which tell you if your computer or your network has vulnerabilities that an attacker can take advantage of. And do the non-technical assessments, like having a security professional come in and ask the hard questions: Do you conduct partner security assessments? When you do, do you ask them the right questions? It’s important that you engage experienced security pros who are keeping up their certifications and have experience in your industry, so that they’re speaking your language.

“But it’s important to have the actual insurance too. I know Federated has cyber security insurance, with coverage for first-party loss when something happens to your own computer, and third-party loss when advising customers that you’ve been affected.”
