On May 7, 2021 hackers shut down the Colonial Pipeline, the main artery pipeline of gasoline to the East Coast of the United States. It may be some time, or possibly never, before we know the full details of the hack; however, we do have enough information to understand the way the hackers were able to penetrate a secure system and disable a critical pipeline. This attack is just one of a string of high-profile attacks on critical infrastructure in the United States, including the recent SolarWinds attack that led to the compromise of major technology companies and the government of the United States. These attacks have become so ubiquitous lately that they may now appear to be just noise. The response from the federal government has publicly been ambivalence and blame. The hackers demanded 4.4 million dollars, but the true cost to the company will be many multiples of that amount. Because the number of these attacks on large companies has become background noise in the news, many small business owners are tuning out the persistent threat, thinking that it couldn’t happen to them and their business. Unfortunately, statistics show that is far from the truth. The real devastation is happening to small businesses that never even make the news. There are increasing threats to you and your business. The good news is that there are several steps that you can take to protect your business and not be the latest silent casualty.
Reading the headlines and the information about the hack that has been released publicly, I was impressed by three details that have become the themes of recent attacks. First, ransomware compromise through email is still alive and well today. It seems that no matter how companies improve technology to protect email systems, even through artificial intelligence, users manage to find ways to click on the irresistible link. Hackers have become experts at social engineering, often specifically targeting individuals over time to understand how they use communication systems, who they communicate with, and how they communicate. That reconnaissance allows them to manipulate their target into doing something they would not normally do, thus finding a weakness that they can exploit. For lucrative targets, the attacker may spend weeks or months planning and perfecting their attack; less protected systems may take only hours or days. In the end, e-mail is still the number one way that hackers are penetrating business networks.
Second, it is still very profitable to be a hacker. Using free tools, inexpensive hardware, and Internet connections in faraway places, hackers can plan, implement and carry out sophisticated attacks with seemingly little effort. The payday is big when it works, and it does work more often than not. Payments are often untraceable using cryptocurrency like Bitcoin, which has seen an exponential rise in value over the last 6 months. The Colonial attacker’s take was $4.4 million, with $312,493[1] being the average hacker payday in 2020. Businesses and individuals paid out an estimated $4.2 billion[2] in that same year. The more interesting detail about these amounts is that the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) warned that they may go after companies that pay the ransom. In other words, the victim of an attack could be punished for paying the attacker. Why? Many of the hacking networks are linked to terrorism, funding violence throughout the world. Ten years ago, terrorists made their money by controlling much of the oil wealth in the Middle East. The fall of ISIS shut down that business, so now they’ve turned to computer ransomware to fund their terror efforts. The United States government wants to stop the flow of money to the terrorists, so they are going after the businesses that pay the ransom because it is so difficult to track the trail of money and shut it down[3]. “For years, the Federal Bureau of Investigation has advised companies not to pay when hit with ransomware, a type of code that takes computer systems hostage and demands payment to have files unlocked. Doing so, officials have said, would support a booming criminal marketplace.”[4] Your business suffered a huge loss of time, reputation and money, and now you could be criminally prosecuted as a victim of a ransomware attack.
Third, it appears that the critical infrastructure that runs the pipeline was not completely isolated from systems connected to the Internet. That meant that someone accessing websites and emails was also connected to the same systems that ran the pipeline. Although it isn’t completely clear how they were interlinked, the connection was significant enough that they had to sever the ties, shut down the pipeline and pay a ransom to get the systems operational again. One of the critical components of layered security is to separate critical infrastructure from public systems. It appears that Colonial didn’t have this separation, and it gave the hacker the ability to get into systems that should never have had a connection to the outside world. I’m confident that Colonial invested heavily in security measures but missed an important piece of security. This is an example of the old security adage: you must be right 100% of the time, while the hacker only has to be right once.
Small businesses are even more susceptible to attacks than large businesses. Sure, the payouts for the hackers aren’t as big for an attack on a small law firm or dental office, but neither is the difficulty of the attack. These large companies have security teams, budgets and specific systems to protect them. Small businesses often don’t have any of that, so they become the low-hanging fruit for hackers. It is easier for a hacker to get into 50 small businesses for $100,000 in ransom each than one large business for $4.4 million, and the payout to them is the same. Small businesses, and even individuals, are the bigger target for these hackers. There are measures that you can take to protect yourself and your business.
First, you need to be aware of the threat and be willing to take action to protect yourself. If you’ve read this far into the article, you are well on your way to doing the right things in your business. Educate yourself and your employees about the threat that is out there. Make sure they understand that one mistake by them could lead to your business closure and their loss of a job. It could also mean criminal prosecution for you and others involved in the business. Knowing the seriousness of the threat will keep them more vigilant with your computer systems. They will be more alert when an email arrives asking them to open a PDF invoice that doesn’t look quite right, or to click a link to a website they don’t feel good about. You can also invest in annual and weekly training for your employees to make sure they understand the threat and can do something about it. You can also invest in advanced e-mail security with artificial intelligence to add an extra layer of security. Finally, you can test your employees periodically to find out who is most likely to do the wrong thing for your company. All these efforts don’t cost very much, but they are invaluable to your company.
Second, make sure you have the right cybersecurity policies, procedures, and insurance in place for your business. Prosecutors will be less likely to go after your company if you can show that you were doing all the right things to protect yourself. No security system is 100%, and the regulatory agencies and prosecutors know that. It has been shown over and over again in court that a business that was doing everything it could for the size of the company to protect itself is not liable for civil and criminal penalties[5]. Insurance is also important. I strongly recommend that you have cyber liability, employee theft, and errors and omissions insurance. Speak to your insurance broker about these different types of policies and make sure you have the appropriate coverages for your size of organization. Having these policies in place could make the difference between staying in business after an attack or not. Your business is more likely to be destroyed today by an attacker that comes in digitally than one that comes in physically. Make sure your insurance is designed to protect against the current threat.
Third, put the right security systems in place for your business. Microsoft, the largest hosting company for business email, says that multi-factor authentication is the most important tool you can use to protect email systems[6]. Identify your critical systems and make sure they are separated from public or easily accessed networks. Some different areas to look at are your office WiFi, remote workers accessing your office systems, and network shares. When I analyze network systems for small companies, I often find that companies give out the passcodes to their internal WiFi to guests, allow remote employees to access all their systems from home computers without additional security measures in place, and store all their office data on one file share with no security protecting critical data like financials, customer data, or personally identifiable information (PII). Measures can be put in place for small businesses to protect these systems and add another layer of security onto the network.
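The separation the third theme calls for, and the guest WiFi, remote-access and file-share gaps listed above, come down to what the network's firewall rules actually permit. The following is an added example, not code from this article or from the author's company: a small Python audit that walks a first-match firewall ruleset and reports every path from a public-facing zone (guest WiFi, remote VPN users) into a critical zone (the network that runs operations, the file share holding financials and PII). The zone names, the addressing, and both the weak and the hardened rulesets are constructed for illustration; the rule format is a simplified stand-in for whatever your firewall exports.

```python
"""Segmentation audit for a small-business firewall ruleset.

Added example (not from the original article). It checks whether any
first-match firewall rule lets a public-facing zone (guest WiFi, remote
workers on VPN) reach a critical zone (the network that runs operations,
the file share holding financials and PII). Zone names, addressing and
both rulesets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str     # rule label as it would appear in the firewall UI
    src: str      # source CIDR
    dst: str      # destination CIDR
    action: str   # "allow" or "deny"


# Constructed zone map (assumed addressing, not any real network).
ZONES = {
    "guest_wifi":    ip_network("192.168.50.0/24"),  # visitors' phones and laptops
    "remote_vpn":    ip_network("10.200.0.0/24"),    # employees' home machines
    "corporate":     ip_network("10.10.0.0/16"),     # office workstations and servers
    "finance_share": ip_network("10.10.5.0/28"),     # file server with financials / PII
    "ot_control":    ip_network("10.99.0.0/24"),     # equipment that runs operations
}
PUBLIC_ZONES = ("guest_wifi", "remote_vpn")
CRITICAL_ZONES = ("ot_control", "finance_share")


def audit_segmentation(rules, zones=ZONES, public=PUBLIC_ZONES, critical=CRITICAL_ZONES):
    """Evaluate rules top to bottom (first match wins, as most firewalls do).

    Returns (findings, undecided):
      findings  - (rule_name, public_zone, critical_zone) for every allow rule
                  that reaches a public->critical pair before a deny settles it
      undecided - (public_zone, critical_zone) pairs no rule settles, so
                  reachability falls through to the firewall's default policy
    """
    findings = []
    decided = set()
    for rule in rules:
        src, dst = ip_network(rule.src), ip_network(rule.dst)
        for p in public:
            for c in critical:
                if (p, c) in decided:
                    continue  # an earlier rule already covers this pair entirely
                if not (src.overlaps(zones[p]) and dst.overlaps(zones[c])):
                    continue  # rule does not touch this pair
                if rule.action == "allow":
                    findings.append((rule.name, p, c))
                # Only a rule whose source and destination cover the whole of
                # both zones settles the pair; a partial overlap leaves later
                # rules still relevant for the remaining addresses.
                if zones[p].subnet_of(src) and zones[c].subnet_of(dst):
                    decided.add((p, c))
    undecided = [(p, c) for p in public for c in critical if (p, c) not in decided]
    return findings, undecided


# Constructed "before" ruleset with three common small-office mistakes:
# a guest rule written with an "any" destination, a deny placed after the
# allow that shadows it, and a VPN rule that grants the whole corporate
# range, which silently includes the finance file share.
WEAK_RULES = [
    Rule("corp-to-finance",      "10.10.0.0/16",    "10.10.5.0/28", "allow"),
    Rule("guest-internet",       "192.168.50.0/24", "0.0.0.0/0",    "allow"),
    Rule("guest-block-internal", "192.168.50.0/24", "10.0.0.0/8",   "deny"),
    Rule("vpn-to-corp",          "10.200.0.0/24",   "10.10.0.0/16", "allow"),
]

# Constructed "after" ruleset: denies come first, the VPN reaches only the
# application servers it needs, and every public->critical pair is settled
# explicitly instead of relying on the default policy.
HARDENED_RULES = [
    Rule("guest-block-internal", "192.168.50.0/24", "10.0.0.0/8",    "deny"),
    Rule("guest-internet",       "192.168.50.0/24", "0.0.0.0/0",     "allow"),
    Rule("vpn-to-corp-apps",     "10.200.0.0/24",   "10.10.20.0/24", "allow"),
    Rule("vpn-block-all-else",   "10.200.0.0/24",   "0.0.0.0/0",     "deny"),
    Rule("corp-to-finance",      "10.10.0.0/16",    "10.10.5.0/28",  "allow"),
]


if __name__ == "__main__":
    for label, ruleset in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        findings, undecided = audit_segmentation(ruleset)
        print(f"{label}: {len(findings)} reachable public->critical paths")
        for name, p, c in findings:
            print(f"  rule {name!r} allows {p} -> {c}")
        for p, c in undecided:
            print(f"  {p} -> {c} not settled by any rule (default policy decides)")
```

Run as a script, the weak ruleset reports three reachable paths (guest WiFi to both critical zones through the "any"-destination rule, and the VPN to the finance share through the broad corporate rule) plus one pair that no rule settles; the hardened ruleset reports none. The audit looks only at addresses, not ports or protocols, so treat a clean result as necessary rather than sufficient, and check the vendor's export for any deny rule that sits below the allow that shadows it, as "guest-block-internal" does in the weak set.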
If all of this seems daunting, you are not alone. Because of all the noise in the news about hacking and the fight to run and grow your business, you can easily put this on the long to-do list of things that you may one day get to. Just like hiring a good CPA to handle your taxes, it is essential for you to find a trusted advisor to help you secure your business. Think of the threat of a hacker the same way you would think of not filing your taxes correctly and being called into an audit with the IRS. The outcome could be the same: many dollars spent, possible prosecution and the failure of your business. A technology security expert is as valuable for you today as your CPA. Just like you wouldn’t file your complicated taxes by yourself, you shouldn’t handle the security of your business alone. Your IT advisor will work hand in hand with you to protect your business, take most of the work off your plate and give you a plan to be successful. More importantly, they will give you the peace of mind to know that when the day comes that an attacker seeks to get into your network, you have a trusted advisor to walk you through it and come out okay on the other side.
Unsure if your network and systems are protected correctly? Take a 15-minute self-assessment today and see where you rank against other businesses. Visit www.StimulusTech.com/self-assessment to get started today.
[1] https://www.tripwire.com/state-of-security/featured/average-ransomware-payouts-shoot-up/
[2] https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
[3] https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
[4] https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636
[5] https://www.gflesch.com/elevity-it-blog/will-you-get-sued-if-your-business-is-hacked
[6] https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984