Pelland Blog

You Think It Can’t Happen to You?

July 4th, 2021

If you are aware of ongoing news events, you know about the recent online cyberattacks at big companies like Colonial Pipeline and JBS. In both instances, ransomware was involved. Colonial Pipeline reportedly paid $4.4 million in ransom, after shutting down the delivery supply of gasoline, diesel, heating oil and jet fuel across much of the eastern United States, causing a spike in prices that you have paid at the pump. In the case of JBS, the meat processing network across the United States, Canada and Australia has been affected, with the impacts being felt by consumers at grocery stores and supermarkets. It has not yet been disclosed at the time of this writing what ransom, if any, was paid by JBS, but it joins a wave of ransomware attacks against businesses and organizations since the start of the year that includes Molson Coors, E & J Gallo Wines, Kia Motors USA, and the District of Columbia Police Department. Most victims prefer to keep their companies’ identities anonymous for obvious reasons.

Lest you think that these attacks only target big businesses and our national infrastructure, think again. Also recently, a ransomware attack targeted the Steamship Authority, the Massachusetts transportation entity that runs the primary transportation network that connects Woods Hole on Cape Cod with the islands of Martha’s Vineyard and Nantucket, disabling its reservation system. You may be seeing a connection there that suggests that the tourism industry is more vulnerable than you may have imagined.

According to Cybercrime Magazine, the fact is that a new business will be targeted by a ransomware attack every 11 seconds in 2021. The primary points of entry are vulnerable software (generally the result of a failure to apply security patches or the installation of apps than are either unsecure or intentionally contain malware) and email phishing. According to Fortinet, 1 in 3,000 emails sent to businesses and that pass typical security filtering, contain malware that includes ransomware. The average downtime for a business that has been attacked is 19 days, and the average ransom paid is nearly $250,000.00. An attack on a small business would have a smaller ransom, but could you afford to pay $25,000.00 or be unable to access your reservation system for days on end? A large percentage of these ransoms are covered by cybersecurity insurance, for businesses that carry that coverage. The ransoms always require payment using cryptocurrency, making the perpetrators totally untraceable other than generalities regarding their country of origin.

Although it is true that the reports that we see covered by the national news media involve larger organizations where the impacts are more broadly disruptive, smaller businesses are generally far more vulnerable and even more likely to be targeted. The recent surge in employees working from home, where security standards are usually less stringent, has also contributed to the proliferation in attacks. The smaller your company, and the more personally associated you are with that business, the more likely you are to be an easy target. If you are one of the hundreds of millions of people with an account on either Facebook or LinkedIn, your personal data has already been stolen since the start of this year and is being freely distributed on the Dark Net. That data likely includes your name, address, email address, phone number and more. There is a connection between these data breaches and the phishing emails and scam phone calls that you receive.

One common point of entry in recent weeks has been email that allegedly comes from your email service provider, claiming that your email account has been put on hold pending some sort of “verification”. While writing this, one of my clients forwarded me one such email that she had just received. The “verification” link was a cryptic 200-character URL based in India. How many people, through either carelessness, naivety, or a sense of panic over the thought of losing their email access, will click on those links?

Email service providers are getting far more vigilant about trying to stop malicious emails before they reach your inbox, but it is a frustratingly endless task. Users get upset if legitimate emails they either send or receive are falsely flagged. One of the large email service providers that my company uses for many our clients’ email accounts found itself blacklisted by Microsoft about a month ago, after a single user had sent out an email with malicious content. As a result, thousands of subsequent legitimate messages were not reaching their intended recipients with either Outlook or Hotmail email addresses. Then yesterday, an email account for one of our clients was automatically disabled after she had sent out an email to a couple hundred seasonal campers with a Microsoft Word document attached, a risky violation of typical email terms and conditions. She was unaware that Word documents are frequently used to harbor malware and that this would trigger a red flag.

In other instances, we have clients who ask us to set up email accounts for every new employee, typically designating a weak password to be used. We reluctantly follow instructions, but include a link to Security.org’s HowSecureIsMyPassword.net website, which can show that the designated password could be cracked by any computer in a day or less.

When it comes to employee email accounts, the questions you should ask yourself are:

  1. Does this employee actually need his own email account?
  2. Are you prepared to pay the costs and disruption to your business if your network is breached as the result of using a weak password?
  3. Are you prepared to pay a ransom because a minimum wage employee with little or no training in cybersecurity standards clicks on a malicious link?
  4. Do you give every employee a key to your front door and access to your cash register?

Ignoring these concerns comes at your own peril. Would you leave your car unlocked on a city street, maybe with the windows open, and maybe even with the keys left on the seat? If your car would be stolen, you would only have yourself to blame; however, if the car was then used to intentionally drive into a crowd of people, you would be guilty of criminal negligence. Another example would be somebody working the night shift at a convenience store, having a handgun for security and leaving it on the counter. That would be an invitation for an armed robbery and potential injuries or deaths.

If you would never think of doing anything as careless as either of those two examples, why would you use a weak password, or use the same password for multiple purposes? Using the same password to access more than one email account or online application is like leaving those keys on the seat of your unlocked automobile, except that the key ring including the keys to every other vehicle that you own, the front door to your office, and the front door to your home. You think it can’t happen to you? Think again!

This post was written by Peter Pelland