Six months in, the main takeaway from the Rapid Response Center’s early operations is this: Among small and medium-sized organizations, cybersecurity hygiene is sorely lacking.
The RRC, the National Cybersecurity Center’s emergency service for organizations that suffer a cybersecurity breach or attack, has successfully handled 10 incidents since January from law firms, nonprofits and small businesses, CEO Ed Rios said.
Rios said about 75 percent of all cybersecurity penetrations are caused by human error — typically clicking on a malicious link or using a weak password.
The RRC researches the breach and offers additional services like forensics to determine the cause, help getting back in operation and training to avoid future breaches.
“We provide, on a more-than-monthly basis, training on cybersecurity for employees as well as board directors and C-suite executives, and for-profit, nonprofit — whoever needs it. And that has helped immensely,” he said.
But it is “critically important” for organizations to train their people before disaster strikes, Rios said.
“A trained workforce goes across every business sector. Every … employee who’s using a computer should have constant training on the cybersecurity for that computer and system, just like they have recurring training for safety,” he said.
“We call that continued training and practice of proper procedure ‘cybersecurity hygiene.’”
It’s not just that technology is constantly changing, Rios said, “it also means how criminals and adversaries use that technology, how they exploit vulnerabilities and how they come up with new nefarious ideas on how to penetrate and get you to click when you shouldn’t.”
Training can’t just be a one-time event, and companies should treat cybersecurity awareness the way they treat workplace safety awareness, with continual activities and daily reminders.
But not enough organizations have a designated person or department to handle cybersecurity and ongoing education — particularly among small and medium-sized businesses, Rios said.
Rodney Gullatte Jr., founder and CEO at Firma IT Solutions, agreed.
“They’re naked,” Gullatte said. “And you can quote me on that. It’s a pretty dire situation.”
Gullatte gave examples. A business changes hands, with the new owner blissfully unaware that a former IT service provider still has full remote access to their business.
A company gets a business class modem — “the door between the big bad internet and your business,” Gullatte said — but the owner doesn’t know how to change the default username and password. With a Google search, a cybercriminal gets those details — and control of the modem.
USB drives create more vulnerability, he said.
“I can take a really small USB device and throw it in your parking lot, or come in for an appointment in your office and throw it on the floor somewhere, and there’s a 46 percent chance somebody’s going to pick that up and stick it in their computer,” Gullatte said.
“Once you do that, I own your system — or the attacker owns it,” he said. “You don’t have to be that vulnerable; there are ways to shut those USB ports off. But if you’re an accountant … you may not know IT that well. So it behooves you to sub that out to someone else.”
Too many small- and medium-sized businesses wrongly assume they’re safe because they are too small to be targets for cybercrime, Gullatte said. Every business is a potential target, and those that can’t afford a full-time cybersecurity manager should spend a fraction of that salary to outsource the work.
“Even the [former] cybersecurity czar … said there’s no such thing as 100 percent secure, but that does not mean that you don’t try,” Gullatte said. “You don’t have to be low-hanging fruit.”
And no business is immune to human error.
Rios cited a recent case in which a nonprofit sought help from the RRC after “about 500 W-2s went out into the wild.” There’s no way to get them back, but the RRC was able to determine how it happened, which W-2s were lost, and offer training to avoid future breaches.
He said the RRC is opening another door between businesses and the cybersecurity expertise and training they need, at a critical time.
“Some of the companies are only 10 people strong or even smaller, and there’s no way they could really afford managed services or their own IT professional, but if something’s not working well at that organization … we’re here to help them — that’s why we’re a nonprofit,” Rios said. “[The RRC] gives small and medium business, nonprofits and private citizens the opportunity to ask questions and allows us in the NCC to share threat information to answer those questions.”
Shawn Murray, cybersecurity engineer and chief academic officer with Springs-based Murray Security Services & Consulting, said company leaders are sometimes reluctant to take cybersecurity measures even when they know what’s needed.
He described cases where business leaders wouldn’t apply the patches needed to prevent devastating ransomware attacks like Petya, WannaCry and Heartbleed because they didn’t want to disrupt productivity.
“Unfortunately that’s the mentality of a lot of companies all around the world,” Murray said. “And if you’re not going to have a mature patch program or update vulnerabilities on your systems, you’re going to be vulnerable to these types of attacks.
“It all comes down to risk management. All of it is risk — the risk for not implementing patches, risk for not implementing them fast enough, or implementing them too quickly before you test them, and therefore you have a business disruption.”
Murray said the big issue is that cybersecurity managers need to translate risk and technical issues into business language for the leaders of organizations.
Rios agreed the “tendency to be too technical” is part of the reason for the lag in businesses addressing cybersecurity threats.
“We need to fix that,” Rios said. “We need to make that so it’s recognizable without having a technical background.
“We do that at the NCC, and we do it really well. It takes technical experts that have the communication skills to present [it] without all the 1s and 0s and technical software gobbledygook and cross that threshold into ‘Do this, don’t do that, here’s why.’”