Three days after being hit with a ransomware attack, Sinclair Broadcast Group was still limping along without email, phones, file video or graphics, anonymous reporters told CNN. Sinclair reported in a United States Securities and Exchange Commission filing Oct. 17 that several servers had been encrypted with ransomware, and that unspecified data was stolen.
The attack on one of the country’s largest media empires (Sinclair owns or operates 294 stations across 89 U.S. markets) drives home the fact that no company is safe from cybersecurity threats.
But when the targets are giants like Sony or Sinclair, it can also create the impression that cybersecurity is something only major players need to worry about — and nothing could be further from the truth. No business is too small to be targeted.
Smaller operators need to be more prepared than ever, and the Pikes Peak Small Business Development Center’s Cybersecurity Summit for Small Businesses on Thursday, Oct. 28 is a great place to start.
The free, virtual event will feature workshops and lectures for local businesses and industries, as well as access to cybersecurity consultants for (also free) one-on-one consultation sessions.
Businesses will be able to choose which workshops suit their needs best, and it’s not just for noobs — the event’s Keynote Track will offer advice for those who are already experts.
Rodney Gullatte Jr., founder and CEO of Firma IT Solutions, is a cybersecurity consultant for the SBDC.
“Yes, they are coming after you,” he said. “Many mom-and-pop [businesses], they think ‘I’m too small, they’re not coming after me, I don’t have anything they want.’
“Sometimes it’s not about you, but the fact you are vulnerable. … They can use you as a launchpad to go hurt somebody else through you. So now you’re a part of the kill chain,” Gullatte said.
What many smaller businesses don’t consider is that cyber attacks are impersonal and not necessarily targeted at “big fish.” These days, they’re typically automated, and they don’t care whether a particular business actually has the money to pay their ransomware demands.
“I also see businesses that think the extent of the risk is just to themselves,” Gullatte said. “They fail to realize that the data on their computers being compromised can hurt people in ways they can’t imagine, because they are not cybercriminals.”
Gullatte said the upcoming cyber summit is an effort by trusted organizations and subject matter experts to save the small business community from these types of attacks — and from themselves. “Not everyone is going to listen, but if we can reach one person, we can impact many more through them,” Gullatte said. He also emphasized that businesses need to accept that an investment needs to be made to improve network and data security. “That investment varies, and many companies provide free estimates,” Gullatte said. “For those businesses that cannot afford to invest at this time, this cyber summit will increase their awareness and give them tools to better protect their business until they can invest in professional support.”
THE RISE OF RANSOMWARE
A Certified Network Defense Architect and Certified Ethical Hacker, Gullatte is intimately familiar with the latest methods of phishing, ransomware and other types of cyber attacks.
“The cyber attacks you hear about on the news, the Colonial Pipelines, the beef plant [beef processing giant JBS paid hackers $11 million in May]… I know how to do all those, but my job is to use that knowledge to help people, and not hurt them,” he said.
“The money that is made in e-crime … it’s very profitable being a bad guy in this sector.”
Gullatte makes clear that in his line of work, nothing can ever be 100 percent secure — but that attending the SBDC summit can greatly reduce the risk businesses take on.
“You won’t be the low-hanging fruit if you listen to what we’re telling you and implement it,” Gullatte said, “but once you can invest in a professional I recommend you do just that.”
Erik Huffman, Colorado Springs cyberpsychology expert and CEO of Handshake Leadership, said business owners often misjudge where cyber threats will come from, who’s behind them, and their own vulnerability.
“Not every [cybercriminal] is going to go for Walmart, Lowe’s or Home Depot. They are going to go after what’s easier … and it’s not all Russia and China,” he said. “It’s the person down your street who just failed out of cybersecurity school, and now they know enough to be dangerous.
“There is more money in cyber [crime] than there is in the drug trade, and cyber is becoming easier to do. It’s not people coding in their basement — there are tools they can download for free. John from down the street may [attack your small business] because he’s making $100K a week sending out ransomware,” Huffman said.
Ransomware continues to be the No. 1 cybersecurity threat — fully 25 percent of cybercrime investigations in 2020 involved ransomware, up from 14 percent in 2019. And when a business gets hit, be it big or small, the first reaction is often the same: shame and embarrassment.
“A lot of it is reputation,” said Shawn Murray, president and chief academic officer at Murray Security Services.
The problem extends to cybersecurity firms and managed service providers, as well, where it can be particularly humbling to be victimized.
“As cyber professionals, sometimes you don’t want to let people know you got hit or how you got hit … we don’t want our reputation to be damaged — but we all need to do a better job communicating, so we can learn from each other,” Huffman said. “If you got hit because your password was ‘admin’ — ‘Oh, we can’t let anyone know that was our password, that would be embarrassing.’”
“They’re supposed to report it,” Gullatte said. “I’ve talked to [Colorado Attorney General] Phil Weiser about it — a lot of companies aren’t reporting it.
“They will go to Google and enter ‘How do I get rid of ransomware,’ try to do it themselves — the ransomware is still on the machine. … They’ll be taking calls and credit cards with the infected machine still on the network,” he said.
And while cyber insurance can hedge against losses, Murray warns that businesses need to read their insurance contracts very carefully.
“Cyber insurance companies right now — because they’ve had to pay out so much — they hire a forensics team to come in, and if you’re not doing the things articulated as due diligence in your insurance clause, their forensics team will be able to tell them … ‘There’s a clause, we’re not paying — they didn’t do what they said [they] would,’” said Murray.
Gullatte believes many attacks are avoidable — even major, headline-grabbing breaches like the Colonial Pipeline hack last summer.
“That didn’t have to happen, and that’s basics. … If your employee is gone, kill the account before they leave! They left it open,” Gullatte said.
Murray emphasized that the commonsense (yet often neglected) step of backing up data is essential.
“Then, when you get a ransomware attack, you can say, ‘Yeah, we’re not paying that, scrub everything, reinstall everything.’ … It may take a little time, but that’s not even cybersecurity — that’s just business continuity,” he said.
Murray said accountants and attorneys are the biggest targets right now, mostly because of all the sensitive information they’re privy to.
“I love my accountant, but I made him go to a secure platform for sharing my tax documents years ago. … You can’t just send me a PDF with my last name and the last four digits of my social security number —”
“From his Yahoo account,” Gullatte interjected with a laugh. “There are medical practices in this town still running their business from AOL accounts,” Gullatte added. “That’s breached all day long.”
Huffman says the general public is still too concerned with headline-making hacks on major corporations and nation states, and that the focus ought to lie elsewhere.
“It’s about the elderly woman who gave away her life savings because she got scammed; the small business that closed up shop because they can’t afford to pay [the ransom] …” he said. “That’s far more frequent.”