Remote workforces, sophisticated hackers change the risks businesses are facing
The COVID-19 pandemic has changed the ways businesses operate. It has also changed the potential security risks that hackers leverage to gain access to corporate data. People working from home and the use of personal computers heightens the opportunities for a data breach. In order to get an idea of the new cybersecurity landscape, the Milwaukee Business Journal recently assembled a panel of experts to explore what companies – large and small – need to know about today’s changing threats.
TABLE OF EXPERTS
Paul Riedl, Jr.
With 15+ years in the technology industry, Eric Torres shares his passion for educating the business community on the ever changing cybersecurity threat landscape. As the Director of Channel Development, Eric shares his knowledge and insight on mitigating cyber threats at hundreds of peer to peer presentations and industry events throughout the year. Once named to CRN Magazine’s “100 People You Don’t Know, But Should” list, Eric brings his expertise in business continuity and the managed service provider community to this role, and focuses on supporting the Datto Partner Community in growing their business.
Derek Laczniak is director of cyber practice at M3 Insurance. He is a recognized leader in the cyber security risk management landscape with expertise in network infrastructure and security exposure. As a cyber security strategist and advisor, Derek helps organizations manage risk through preventative controls and formal risk transfer mechanisms.
Paul Riedl, Jr. grew up in the Milwaukee area and attended Marquette High and Marquette University. His love for entrepreneurship started at the young age of ten and he is now the owner and CEO of River Run, a 27 year old Milwaukee Based IT Firm he helped start. Paul resides in Whitefish Bay with his wonderful wife Julie and has three kids. Paul serves on the Board of SaintA and is an active member of Holy Family Parish in Whitefish Bay. He loves soccer and is still active in the Milwaukee Soccer Community (pre-pandemic, of course).
MODERATOR: What cyber threats are most concerning to businesses today and how are they changing over time?
Paul Riedl: The quick answer is that everything is a concern. Phishing scams are getting very difficult to detect, because they have the look and feel of real emails, and the bad actors are getting more sophisticated. It used to be that if they got into your system, you could do a recovery from your backup. Now, they are destroying your backup before they encrypt your data.
Eric Torres: Networks are getting infected without the company or administrator realizing it. The hackers infect the system, but then wait so they can infect the backups. They break into individual mailboxes and pose as that person to send emails to others.
Derek Laczniak: The threat to companies used to be losing data. That is still an issue, but the size of the ransomware asks is becoming a big concern. One of the largest underwriters of cyber insurance reported that the average ransom has increased fourfold since 2018 – from $40,000 to $170,000. And they are not just encrypting the data once. They are taking the data so they can double back and charge the company again.
Torres: I agree. They are using a recurring-services business model. Instead of a onetime fee, they want $1,000 a month. Or, they will give you your data back if you will help them infect two other networks.
Because of the pandemic, many companies have a significant number of employees working remotely. How does that change a company’s risk profile and what can be done to mitigate that risk?
Laczniazk: The key here is that you have greater exposure. The biggest threat we are seeing is employees who don’t use authorized hardware when they are working remotely. They jump on their kid’s laptop to answer emails, and that is a problem. And because of the pandemic, more people are using remote access points. As a result, the tunnels coming into your business network may not be protected, because your employees’ home networks or home wireless routers may not be properly protected.
Riedl: People are always looking for shortcuts. If they can’t get something to work on their company laptop, they will jump on their personal laptop or their kid’s laptop. Your IT team has to figure out ways to prevent users from developing shortcuts that could pose a threat. We also have to do a better job of educating. We have to emphasize that you don’t use the wi-fi in the coffee shop or at the airport to do a transaction. Make sure employees are using secure networks.
Torres: Early on in the pandemic, there was a shortage of business-grade hardware. It was almost impossible to find laptops, so end users were forced to use their personal equipment. That was the same equipment their children were using for school or games and that introduced many risks. Our home networks are also nowhere near as fortified as business networks. Very few people have a firewall at home. They rely on their Internet service provider to take care of them and the bad guys know this.
How should cybersecurity training and education be adapted for remote workforces?
Riedl: Education has to be mandatory and we have to make it easy for people to access that education. It should be online and frequent. There should be interactive classes so the facilitator knows the message is sinking in. You should also provide on-demand training that people can take as a refresher course. Finally, repetition is key. In marketing, they say you have to say something seven times before someone says, “Hey, I did not know that.” In our world, it is more like 70 times.
Laczniazk: Companies must do simulated phishing and they should do it more frequently than they did before. If they were running fake phishing campaigns once a quarter, they should be running them every month now. What I like to see my clients do is to make it a competition. Create teams and keep score. Have your admin team go against your sales team; have your executive team go against your production team. Make it competitive and interesting. That will help to make the message sink in.
Torres: I agree that education is critical. You can’t buy security as a once-and-done thing. It has to be ongoing, something that you bake into your everyday operations.
Business executives may not fully grasp the potential pain of a security breach. Describe what a typical company encounters once it discovers its system has been hacked?
Torres: Time is of the essence when there is any kind of breach. Those first few seconds are key to keep it from spreading to even more equipment on your network. The pain is not just monetary – the ransomware ask. It is the total amount of downtime as productivity comes to a screeching halt. There is the reputational damage to your brand, having to let your customers know that you did get attacked. That is way more painful than the monetary part. Is your company’s reputation going to survive?
Riedl: There is a lot of pain and it just keeps coming. You have feelings of anxiety, uncertainty and anger. You don’t know if the hackers are still in your system or what they are doing. You have to set up an internal team and bring in outside resources – a security firm, a law firm, and possibly the FBI and local law enforcement – while you try to continue doing business. It becomes a whirlwind of handling your emotions while trying to move everything forward. Your reality changes by the minute. Your insurance carrier may pair you with a security firm far away so having a local Incident Response (IR) team ready to assist you as expert “boots on the ground” should be in your plan.
Laczniazk: It is all about the unknown. You have likely never gone through something like this before. You are sitting there knowing that you have a really big problem, but you can’t see it or touch it. And you are embarrassed. You don’t want people to find out, but you know they will. The unknown and the fear that comes from that are really the big things that hit you.
Talk a little about the importance of mitigating risk through insurance and contingency planning. What does a company want to look for in terms of insurance and what needs to be included in the contingency plan?
Torres: Planning is a requirement. All of our lives we plan for things. When you were in school you had fire drills. This is the same thing – but it is about the network. If the network goes down – from ransomware, from hardware failure, from a natural disaster – you have to know what you are going to do – who you are calling, where your people are working from, and the resources you need to get up and running first. There is a hierarchy of what needs to be done to restore your network and keep business afloat. And it all comes from having a thoughtout recovery disaster plan. It is important whether you are a two-person organization or a 2,000-person organization. I cannot recommend enough that you get an expert to walk you through the entire process. Relying on yourself to plan this out is a mistake. You need an expert to walk you through it.
Riedl: The things you have to think about are business continuity and disaster recovery. You have to have an incident response plan (IRP). Even simple things like communication become an issue. Having a hacker in your system is different than having your server crash. How am I going to communicate? Do I really want to send emails with a hacker in my system?
Laczniazk: My esteemed panelists hit it on the head with establishing a hierarchy, and insurance is absolutely a critical component of planning for a data breach. Purchasing insurance does more than cover the expenses associated with a breach. It also rents you a network of experts. It gives you immediate access to the people you will need – the legal, forensic and other specialists. That is why insurance has to be part of an IRP. In this day and age, it is not a luxury product. It should be a cornerstone of planning.
Do contingency plans or insurance policies need to be modified when there is a large remote workforce?
Torres: I think it is important to consider that remote workforces will likely be the new way of doing business. The traditional five days per week in the office may become three days or two days per week. With a remote workforce the big thing is knowing who is where if there is some sort of breach or disaster.
Riedl: With a remote workforce, you have to make sure you have tight rules and systems in place to prevent employees from becoming too creative in the ways they get their work done. You don’t want people printing HIPAA-type information on the public library’s printer. If they leave something on the printer, you have a breach and the next thing you know it is in someone else’s hands. You have to think about the different types of equipment your employees have. Do they have company computers at home? Do they have a good firewall at home? You not only have to keep tabs on where your company assets are, but also on what your employees are actually using.
Laczniazk: It is really important to restrict access and force things that used to be voluntary. You used to have the benefit of people using a closed office network at least once every couple of days. Now it may be several weeks before they come into the office. That means that critical updates and patches need to be pushed automatically to individual end users – now more than ever.
What about small companies? When should they start to seriously consider cyber insurance and contingency plans?
Riedl: Small businesses are most vulnerable because one security event could take their business down. They have to have a plan in place, but it doesn’t have to be a big, phonebook-style plan. They just have to have bullet points stating: This is what we are going to do; here is who we call. And they should have insurance. If done right, at a minimum it will mean that they have end point protection and e-mail protection installed as most carriers require proof of this type of mitigation.
Laczniazk: Don’t feel you cannot afford to be secure. Like the insurance you purchase for everything else, you can get coverage that you need. The smaller you are, the cheaper the security products become, including insurance. There is a correlation between size and cost, and there are products that will provide protection that small businesses can afford.
Torres: Small businesses face the exact same threats as large businesses. The bad actors do not care how big your business is or what your data is. They just know that your data is important to you.
What types of security products are out there to protect companies from being hacked, to help them detect and minimize the risk when they are being hacked?
Torres: We have shifted to a Zoom and Microsoft Teams lifestyle. With the changes in security risks, the need for other tools has exploded – including multi-factor authentication. The biggest thing we are seeing are the new toolsets businesses are scrambling to implement. There are a few different security products – multi-factor authentication, dark web scanning, email filtering, firewalls, anti-virus, anti-malware – that provide security from the outside. Where we come in is when something gets past those security features.
Laczniazk: All I am going to say is multi-factor authentication, which requires a user to provide at least two forms of identification before accessing the network. It is a baseline protection that helps with phishing and it helps with email compromise. It is readily available, accessible, cheap and such a simple thing to do. And it is very effective. Multi-factor authentication should be a focal point if you are wondering what you need to be doing. It is an easy one to check off the list.
Riedl: Multi-factor authentication is a really good solution. Make sure you have quality firewalls. If you are accessing your business from home, you should have a business-grade firewall in your home. There are also endpoint protection devices that watch what is going on. If they see a service fire up, they can send an alert and stop that service from functioning. They can also send a message to a security operations center that can put human eyes on the situation to see what needs to be done. That tool alone really decreases the chance of a breach.
If there were one thing you would want the business executives to take away from this conversation, what would it be?
Torres: Have an expert look at where you are right now. Do a risk assessment, a network assessment. Talk to your local service provider. See what your risks are and what you can do to mitigate them. Back up your data, secure your network, protect the endpoints and train your employees.
Laczniazk: For me it is preparation. Have an incident response plan. Purchase insurance. You put sprinklers in your building. You have an evacuation plan if there is a disaster. You should do the same for your data. Have a plan. Now, more than ever, it is fundamentally important to be prepared on every front – whether it is your hardware, whether it is your software or whether it is your network. Be prepared. Spend a little time on the front end so you can save a lot of time and money on the back end.
Riedl: The one thing I want people to take away from this is to take cybersecurity seriously. Make sure you are planning for it and make sure you have the right people in the room when you do that.
Cyber Attack Timeline
For a company with no malware/ransomware plan in place
Within 10 Minutes of Attack
- Stop malicious activity to limit encryption or exfiltration of data and begin to assess damage
Within 2 Hours
- Incident Response (IR) Team Creation
- Call Insurance Company - Obtain Legal and Mitigation Partners
- Assess Legal & Mitigation contract amounts & Insurance Coverage
- Sign contacts as soon as possible to begin mitigation
- Alert FBI
- Determine non-compromised communication tools (personal phones & e-mail)
- Attend hourly update meetings and calls
- Begin Negotiations with Bad Actors – multiple counteroffers
- Accept terms
- Determine where/how attack occurred & extent of damage
- Begin building new, clean network
- Work with attorneys to create internal/external communications
- Arrange for “Proof of Life” with hackers to confirm Data Decryption will work
- Approve ransom payment and convert to bitcoin
- Test Decryption Tools & Start Decryption process
- Bring new network online
- Install End Point Protection solutions onto all workstations
Day Four and Beyond
- Complete decryption process & continue forensic investigation
- Communicate with clients and employees
- Provide appropriate info to FBI & Police
- Users begin using new system & continuously monitor for suspicious activity
- Continue monitoring services
- Prepare final forensic report: share with attorneys & settle with Insurance
- At this point, tens if not hundreds of thousands of dollars in unplanned expense has occurred
For more detailed information and complete white paper, contact River Run.
Originally published in the Milwaukee Business Journal on December 18, 2020.
Share this article