Cybercrime expert warns businesses: Don’t be a victim
The cyberattack on Colonial Pipeline in May gained national attention, with the $4.4 million ransom demand it paid, the temporary shutdown of the company’s pipeline operation and the long lines at gas stations generated by panic-buying consumers.
But while this was the first time many Americans heard of ransomware — where someone gains access to a computer system and encrypts it so the owner of the machine can’t use it until paying a ransom — it was hardly the first case; ransomware has been around for decades. And cybersecurity experts agree it will not be the last incident unless precautions are taken.
Cyberattacks aren’t just hitting large corporations with deep pockets. The criminals, who usually live in countries like Russia or North Korea where they have no fear of being extradited to the U.S. to pay for their crimes, have also targeted smaller businesses, government entities, utility companies, school districts and health care operations, many of which have systems containing sensitive information.
According to Purdue University Professor Eugene Spafford, who specializes in computer network security, cybercrime and ethics, there are 100 ransomware cases every day, most of which go unreported.
“Right now a lot of places are being taken by surprise. They didn’t realize they would be targets,” Spafford said. “In a year’s time, I don’t think any organization can claim ignorance. If they don’t start taking precautions now, they could be victims later.”
Some companies and other entities in the Region contacted by the Post-Tribune declined to comment, afraid they would become a target; others didn’t respond at all. BP, NiSource and the Ports of Indiana said they’re taking the threat very seriously.
“We seek to manage this risk through a range of measures, which include cybersecurity standards, security protection tools, ongoing detection and monitoring of threats and testing of cyber response and recovery procedures,” BP stated in its 2020 annual report.
The cost of ransomware
Ransomware attacks could be costly not only to the target, but ultimately to consumers, as well.
In 2020 the malicious software hit more than 2,300 government entities, health care facilities and schools, the security software company Emsisoft stated in its report, “The cost of ransomware in 2020. A country by country analysis.”
The average ransom demand was $84,000 in these incidents, but the company said recent evidence shows the amount may have increased. Spafford said while large corporations like Colonial Pipeline could see demands in the millions of dollars, the average ransom for smaller businesses is $50,000 to $60,000 and going up.
But Spafford said the real loss to a company, government entity or organization could be 10 to 20 times the ransom amount when taking into consideration the downtime, which Emsisoft estimated at 16 days on average, reporting requirements and money needed to be spent to make changes to the system. And this could ultimately result in increased taxes and prices for products, affecting the average person as well, Spafford said.
He said while the long lines at gas stations following the Colonial Pipeline ransomware attack were a matter of panic buying, not a lack of gasoline, attacks on electric grids, health care systems, railroads, air traffic, the federal government and other critical areas could result in system shutdowns of more than a week, which could affect consumers.
“That could be a real problem,” he said.
Edison Electric Institute, a trade organization for the electric power industry of which Merrillville-based NiSource is a member, said ransomware is a known threat that EEI and its member companies have been working to defend against since the attack strategy first emerged.
Scott Aaronson, EEI vice president for Security & Preparedness, said working through the CEO-led Electricity Subsector Coordinating Council, the electric power industry developed ransomware preparedness guidance in 2017 that includes measures that electric companies can put in place to defend against ransomware attacks and mitigate the impact of a successful attack.
Part of that strategy includes the ESCC’s Cyber Mutual Assistance program, which extends the industry’s practice of sharing critical personnel and equipment for emergency response to the cyber realm.
“Addressing dynamic threats to the energy grid requires vigilance and coordination that leverages government and industry resources. That is why we work across the sector and with our government partners to share actionable intelligence and prepare to respond to incidents that could affect our ability to provide electricity safely and reliably,” Aaronson said.
BP spokeswoman Christina Giannelli said the company takes safety and security, including cybersecurity, extremely seriously and works hard to remain aware of and respond to ever-evolving risks.
“We collaborate closely with governments, law enforcement agencies and industry peers to understand and respond to new and emerging cyber threats. We build awareness with our staff, share information on incidents with leadership for continuous learning and conduct regular exercises including with the leadership team to test response and recovery procedures,” the company stated in its 2020 annual report.
The Ports of Indiana, which includes the Burns Harbor port, has a dedicated information technology manager on staff who monitors and implements all best practices.
“Our ports and customers are our top priorities and security protocols have always been in place,” spokeswoman Jennifer Hanson said.
Taking precautions
Emsisoft said in its report that 33% of companies paid the ransom demand, which in many cases ends up being less expensive than fighting the criminals.
Spafford said that’s a bad idea.
“Eighty percent of the victims of ransomware are victimized by the same group again in the next couple of months. They’re gangsters,” Spafford said.
He said there are several measures companies can take to lessen the chance of being attacked or the damage caused if they are. He said a lot of companies purchased cyber insurance, but the payouts for ransomware got so large some insurance companies are dropping ransomware coverage.
He said some insurers are asking companies to have precautions in place in order to get the insurance. Smaller businesses without a lot of money could look at putting their data in the cloud, which provides some protections, or hiring a security provider on a contract basis.
Spafford said smaller government units, such as a town, also could contract with an outside agency, although he said health care agencies and school districts may be uncomfortable with this approach due to privacy issues. Companies also need to have a backup system and procedure in place so they could rebuild their system from scratch in the event of an attack.
“Unfortunately, many companies don’t have backups. They’re not used to having disasters,” Spafford said.
Another step would be to require a password to log in to an account and then send a code to your cellphone. This way, if a password is captured, no one can get into your account, Spafford said.
Computer systems could also be partitioned so not all information is on one network. This way, if someone gets into one part of the system, they can’t encrypt the entire system. Lastly, be sure to regularly install updates, run security software and have a robust, well-supported security department.
“Not a lot of mid-size companies have that,” Spafford said.