Bull’s-eye on small business
Experts say hackers are preying on unprotected targets
In May, a “ransomware” attack locked up the data of more than 230,000 computers in over 150 countries around the world. Using a computer virus called WannaCry, hackers held the data for ransom, demanding their victims make payments of $300 each in bitcoin, a difficult to trace digital currency.
The incident was just the latest example of the large-scale business breaches that grabbed headlines in the U.S. and abroad.
In the same month that attack occurred, the giant retailer Target announced that it had reached an $18.5 million settlement with 47 states and the District of Columbia to resolve investigations into a 2013 breach that affected 41 million customers.
In March, two Russian intelligence officers and two hackers were charged in a Yahoo data breach affecting at least 1 billion user accounts.
Closer to home, MedStar Health, based in Columbia, Md., last year suffered a cyberattack that forced it to turn away patients and shut down computers at hospitals and other facilities.
Large businesses have beefed up their security in recent years. As a result, hackers increasingly are preying upon smaller companies that may not have robust cyber defenses.
How vulnerable are Virginia businesses to cyberattack risks?
To get answers, Virginia Business hosted a cybersecurity roundtable with a panel of seven Virginia experts from a wide range of industries.
The group included:
- Joseph DePlato, chief technology officer and principal cybersecurity architect with Bluestone Analytics in Charlottesville.
- Michael Hardin, vice president, risk management, at Apple Hospitality REIT in Richmond.
- Collin Hite, practice leader of the Cybersecurity & Data Privacy Group and the Insurance Recovery Group at Hirschler Fleischer in Richmond.
- David Inabinet, director of technology with Riverside Health System in Newport News.
- John Lewis, vice president of information technology at Lumos Networks Corp. in Waynesboro.
- Milos Manic, computer science professor and director of the Modern Heuristics Research Group at Virginia Commonwealth University’s School of Engineering in Richmond.
- Alyson Newton, vice president and Executive and Professional Specialty Practice leader with Marsh & McLennan Agency LLC (formerly Rutherfoord) in Richmond.
The discussion was held at the offices of Virginia Business in Richmond in late April. The following is an edited transcript.
VB: [What are] the biggest changes that you’ve seen recently in cyberattacks?
DePlato: In the past, you were seeing a lot of threat actors scanning the internet, [doing research using sources such as LinkedIn and Facebook], on their targets and then attempting to breach their targets. That’s changed rather quickly within the last year. People have become smart in securing their infrastructure. They know to put a firewall in place. They know to put multi-factor authentication, for example, in front of external-facing systems. Actors are doing phishing scams to get into these organizations, or the new term now is “whaling,” where they go after your CTO [chief technology officer] or CEO — your high-value targets at an organization. Once they break into those organizations, they’ll deploy a ransom on the network, locking these organizations down so they can’t function until the ransom has been paid.
VB: Mike, what are you seeing?
Hardin: As far as the hospitality industry goes, we’ve worked very closely with the brands of the hotels that we work with and also our third-party management groups. As to what Joe touched on, we’re focusing on making sure we have the proper hardware in place and that it is current and up-to-date along with current antivirus loaded on these machines to thwart those attacks. And we work with our group to make sure, if we need cyber insurance, we put our heads together and evaluate those options. Finally, we educate the people on the front lines of the potential threats, whether it’s through email, through phone, or in person, to keep an eye out and be prepared to handle those potential threats.
Inabinet: I’d like to add something to what Joe was talking about. You know the old-school type of scams out there on the network looking for vulnerable servers and things that are open — that still happens, but a lot of medium and larger companies have the budgets to buy all of this nice technology whereas smaller companies are like, “Well, maybe we aren’t as much of a target,” or maybe they just don’t have the resources to spend the money to protect themselves. What we’re seeing is a lot of smaller organizations are being targeted as much as bigger businesses because the bad actors now are well aware there may be a third-party relationship [that can make the companies vulnerable]. Remember the Target breach was a little breach that became a huge breach, and an HVAC contractor [working for the retailer] was the source. This smaller target was breached and [the attacker then] got into Target, and we all know how that turned out. Also to add on to what Mike was talking about, all of the technology is great, but we’ve found in talking with other people with health care … we have found really the number one thing you can do is educating your people [to be wary of suspicious emails or attachments].
VB: With the emergence of electronic medical records, is that a new issue?
Inabinet: Absolutely. You know they say your medical record is worth so much more on the dark web compared to a credit card. A credit card [theft] is kind of one and done, but with your medical record, especially someone who has some status, that’s worth a lot of money. Protecting that patient data is really job one.
Lewis: One of the things that has changed a lot is that, in the old days, companies used to have all their assets in one location, and a single firewall could protect you. Now with mobile devices … you really have to focus on protecting every device and training people and monitoring … To David’s point, it really comes down to the end users — it’s more important to educate them to be suspicious first in whatever they do … Companies also deploy all these cameras … and they can be taken over and used to attack people. It’s a real problem. You’ve also got a lot of smart TVs in households. So, there’s a lot of activity happening in people’s home networks that are reaching out to the cloud, and most homes don’t really secure themselves. That’s a fear for us. What do you do when an employee goes home and they’re using their gadgets? Is what they’re doing on their own network putting us at risk in any way?
Manic: I would like to add something. With the expansion of [internet of things] devices, everything talks to everything. It brings a great deal of comfort and luxury to everybody to do things remotely, which sounds really nice. The problem is interdependencies on a small or larger level. I organized the first [National Workshop on Resilience Research for Critical Infrastructures] about a year and a half ago [and much of the discussion concerned interdependencies]. We have a very hard and difficult time figuring out interdependencies.
VB: John, could you talk specifically about the threat to our infrastructure and how vulnerable that is to cyberattacks?
Lewis: I think everything is vulnerable if it’s a targeted attack. The big fear is — to Dr. Manic’s perspective — the interconnectivity of everything. Attacks can come in many ways. … I think a big challenge we have as a country, as an industry, is establishing industry-driven standards that everyone adheres to and then sharing weaknesses or sharing events. A lot of companies are really not willing to publicly announce, “Oh, we’ve had something bad happen. Hey, everyone, pay attention.” That may be embarrassing for a variety of reasons. Everyone is looking for guidance. There are lots of ideas, but there isn’t any mandated organization either from a government or from an industry saying, “We have to step up our game, and everyone has to follow this standard.”
Manic: We are not thinking enough [about threats] until something forces us to. Why? Because it costs. End of story … There’s something called fault tolerance. It’s a fixed algorithm: If this happens, I’ll do this. The problem is the approach is reactive. You’re talking about something you know has happened, which has no value tomorrow, because tomorrow is going to be a new day. So here we come to resilience, which is the idea of intelligent response or getting up after you fell down. It cannot be treated with the same algorithm because it’s going to be a different fall. That brings another facet … in this game, which is some kind of machine-learning. Trying to figure out how proactively what can go wrong, and if something goes wrong, trying to stay one, two, three, five steps ahead of the bad guys. So machine learning, artificial intelligence, call it any which way you like, I’ve been teaching and preaching about it for the last 15 years.
VB: Do we have enough people to combat these attacks? Is anyone having issues with trying to get cybersecurity professionals?
DePlato: I would say people are definitely interested in it, but it takes a specific mindset. You have to have a very analytical mind, want to solve puzzles and want to do deep analysis. In practice, what I’ve come across are a lot of managed-service providers who think that they can do security, and their idea of security is throwing some firewalls in place, putting some security appliances in place, and it ends there. And I’ve come across people that are in the cybersecurity realm that just like being known as a cybersecurity analyst or a professional hacker. But they don’t have that next level of knowledge. They don’t understand the long view or how to take an organization from where they are right now and get them to a point where they are secure and can actually defend against an attack.
VB: Mike, what about you? Are you able to find what you need?
Hardin: Well, personally for us, we rely heavily on the brands that we work with, and it’s more their role to hire and bring in those professionals. So they handle that for us. But we have an internal team that works together with everyone in our groups to make sure we’re staying ahead of the game, staying ahead of what’s coming. It’s a constant reminder that we do have to stay on top and ahead of these things and see what’s coming, make sure we’ve gone back and double-checked everything again, double-checked the training. We always want to be aware.
Manic: Our senators and congressmen state we have 17,000 open positions in [cybersecurity] in our state. That’s second only to California, which has 19,000 open positions. There’s this huge need that some universities like VCU are trying to fill. There are a number of strong universities in the state. All together I doubt they can fill the void. VCU had been trying slowly to grow this angle of cybersecurity certificates for those with different backgrounds. That’s probably the key because, just looking at young generations going into cyber education, it’s not enough. We need to recertify, retrain people with different backgrounds to somehow start filling the void.
Inabinet: It definitely takes a special kind of person. You have to be a really good analyst and be curious and realize how things yesterday are not necessarily how they’ll be today. It’s a constant cat-and-mouse struggle with trying to secure these networks.
Lewis: From a talent perspective, we struggle finding the right talent. In a lot of cases, we’re always looking for people that have experience, and they are just hard to find. The good ones are already taken. You’re playing the compensation game. The really good ones will train up with you and then leave. That’s a challenge in itself. But even with the younger generation, the more tech is commoditized; there are fewer opportunities for people to really understand how technology works to get over the hump and start learning about protocols and learning how to beat systems. There are lots of people that have pretty résumés. You bring them in and talk to them, and they’re book smart. They’re not going home at night [to] read and dream about this and take things apart and ask why. It’s the people that are really willing to go above and beyond what they’re told to do and have initiative. That’s the hard thing to find.
VB: We’re going to talk a bit more about the insurance and the legal side of things. Alyson, how can small businesses protect themselves?
Newton: I think first organizations have to understand that it’s an enterprise-wide discussion. It’s not just a discussion that should be had at the IT level. It should be had at all levels of the organization, starting with the board, the executive officers and filtering down to the employees. Doing training exercises to understand, “I shouldn’t be opening this email.” So it can’t be siloed in the organization. Secondly, I think you really have to know your data. What do you have? Where is it housed? What are you using it for and who has access to it? Is it backed up? And then also one of the areas we talk a lot about with our clients are outside vendor contracts. Some companies say that because their payroll is outsourced, “That payroll provider is liable if something happens to my data.” No, you are, because it’s your information, and you are legally responsible for it. I think [it is highly important to go] through that whole discussion of what should the culture be at the organizational level and then developing a checklist of everything you should be going through and to be very aware.
VB: Collin, would you like to add something here?
Hite: The first thing for the smaller and medium businesses [is to realize], as the others have said, you are a target. This idea that the criminals only want the Targets or the Home Depots of the world is a complete fallacy. Because smaller breaches don’t show up in the media because they’re not affecting enough people, there’s a false sense of security that the smaller companies are off the radar. So then they do as little as possible … These businesses need to be proactive. I like to tell clients, “You’ve got to spend money to save a lot of money.” They’re pennywise and pound foolish. We’ve got to get them over that hurdle. This is a risk management viewpoint, not an IT viewpoint. You’ve got to manage the risk by being proactive. It’s so much less expensive in the end than responding to a breach. If you’re not prepared and responding to it on the fly on Memorial Day weekend, or on Saturday night at midnight when you find out [that you have had a breach], and you don’t know who to call, and you don’t have cyber insurance, now you’re up the proverbial creek. You’ve got to do something and get your head out of the sand.
Newton: Just to piggyback on Collin’s point, that’s the importance for them to purchase the insurance. Something’s happened, and now we have to navigate this very complicated field of forensics, of regulatory compliance, of legal review, of public relations, where do we even start? And for a small business that might not have that experience or — with all due respect — that sophistication, it is very difficult for them.
VB: [How can insurance help with ransomware?]
Hite: Well, three things. One is, I think, ransomware has now allowed the price point to become a commodity. You can go on the dark web and buy the code to become a ransomware extortionist overnight. So that becomes the first problem. The second is, my understanding is, 20 to 35 percent of the criminal take is being reinvested in R&D by the criminals. They’re constantly evolving and that’s where insurance can step in. A well-placed cyber insurance policy will pay ransomware if you’ve purchased that aspect of first-party coverage and if you have a really good carrier. They have the forensic knowledge or the panel that will bring people in to help them pay it, get it paid, help get the system restored and do all of that. In the end, cyber insurance is the ultimate backstop on a lot of these costs and problems … And smaller companies, they need it. The Target can withstand an attack. [The retailer booked $162 million in expenses in 2013 and 2014 related to the breach.] The HVAC vendor was gone in about four weeks … These vendors are somewhat the weak link in the process. I had a presentation in front of a local client here recently who convinced themselves, “Well, we don’t take credit cards, we don’t deal with the public, we’re just a distributor.” And we talked a little bit more with the head of IT and the general counsel, and it suddenly became clear they’re tied into Kroger and Whole Foods for ordering. Well, you now own 100,000 customers because you’re tied into the grocery store systems for ordering. So you’ve got to get your people educated about their risks.