Last summer, an employee at a New Jersey-based company used a personal USB device to download something off the company system and, without meaning to, injected malware that resulted in a ransomware attack on the whole system.
Perhaps he should have known better: according to Norris McLaughlin cybersecurity law Chair Rebecca Warren, he was the company’s head of IT. Ninety percent of cyber attacks are occasioned by human error, Warren said as a panelist on the NJBIZ Cybersecurity Panel Discussion on Feb. 16.
Though that statistic hasn’t changed, the number of such occasions has. There’s been an “exponential increase” in phishing and cyber attacks since the onset of the COVID-19 pandemic, Warren said.
The uptick happened almost immediately and has been one of the focuses of the joint federal-state New Jersey COVID-19 Fraud Task Force launched in March 2020. Carbon Black released data in October showing a 238% increase in phishing scams alone, where bad actors send faux work-related emails to people within a company to get them to click on a link that imports malware into the system.
Warren was joined by Chiesa Shahinian & Giantomasi Privacy & Data Security and Corporate Securities Group Member Michelle Schaap, New Jersey Cybersecurity & Communications Integration Cell Director Michael Geraghty, PCH Technologies President and CEO Tim Guim, and Grid32 Cybersecurity President Seth Danberry.
Danberry is a self-proclaimed hacker—the good kind, he assures—and his company Grid32 Cybersecurity will hack into your systems to expose your cyber vulnerabilities. They won’t hurt a thing, though.
“We give them info on how it happened and how to avoid it,” Danberry said. He does so with a pentest, short for penetration test. A pentest is an authorized, simulated cyberattack on a computer system, performed exclusively to evaluate the system’s security.
Those who don’t take precautions and beef up their security run the risk of falling victim to ransomware, which is exactly what it sounds like: hackers lock a business’ system and demand a ransom to restore it to the owner. According to Carbon Black, a $50,000 minimum asking price is not uncommon, and the average ransom in 2019 was $111,605. But that’s not the biggest or baddest: Tech news site BleepingComputer reported that hackers demanded a $10 million ransom from outdoor technology company Garmin after hacking into its systems in August 2020. Though Garmin did not confirm that it paid that ransom, it did confirm with BleepingComputer that it received a decryption key from its hackers to regain control of its system.
Though it’s one way to solve the issue—maybe—Warren noted that paying the ransom doesn’t guarantee hackers will give a key back to decrypt hacked information, and even if they do, what did they do with the information when they had control of it?
“When you pay a ransom, you validate the business model,” Geraghty said.
Panelists recommended security measures such as multi-factor authentication, which requires two separate pieces of information to gain access to a system, like a password and zip code. A passphrase can be more secure than a passcode, Danberry suggested; and keeping information in the cloud rather than on on-premises computers adds another layer of protection, according to Guim.
Guim recommended determining which data is most important to your company and building rings of security around it.
“The best advice I can give to the audience is if you’re a robber and you approach two houses, and you hear a barking dog [at one but not the other], you’re going to go to the house without the barking dog,” Schaap explained. “Be proactive. Don’t wait for the ‘when’…incident response planning is critical.”
And don’t save that plan only on the internet, she said, because if you’re hit with a ransomware attack, you won’t have access to it. At CSG, they hand out notecards; take as many as you want and keep one in your glove box, by your desk at home, or in your bag. Businesses want their employees to feel free to be candid: if they clicked on something, you want them to tell you. Then you can watch for any attacks, respond quickly, and recover.
Businesses that fall victim to cybercrimes can report them to the Internet Crime Complaint Center. While Schaap says that the feds might not be able to do anything about it, it allows them to compile a database of bad actors. They may be able to identify the bad actor based on how they’ve attacked in the past.