Courtesy Tech II
By Christine Graf
In 2021, an estimated 37 percent businesses were the target of ransomware—a type of malicious software designed to block access to a computer system until a sum of money is paid.
The price tag for these worldwide attacks was a staggering $20 billion. The dollar amount is expected to reach $265 billion by 2031, experts say.
In order to combat ransomware and other cybersecurity attacks, the Federal Bureau of Investigation (FBI) has partnered with members of the private sector. Through a program called InfraGard, they work together to protect the country’s critical infrastructure.
Craig Stephenson, senior cybersecurity analyst at Tech II Business Services in Saratoga Springs, is a member of InfraGard. Tech II provides managed information technology services to small and medium sized businesses.
According to Stephenson, cyberattacks represent a clear and present danger to all companies regardless of size.
“We are being inundated on a daily basis by bad actors from around the world. They are trying to steal the intellectual property from businesses or trying to get money from them. The FBI put together an unclassified video, and it’s an eye opener on how China is specifically and systematically trying to attack the United States in regards to stealing intellectual property.”
When it comes to ransomware, Stephenson said what he calls the “human firewall” is to blame for most attacks.
“The way that most ransomware is getting into systems is when someone is clicking on an email they aren’t supposed to.”
He said it is vital for companies to educate their employees on how to avoid falling victim to ransomware. One way that Tech II Business Services works to educate their clients is through the use of phishing campaigns. By sending out bogus phishing emails, they are able to determine if any employees within an organization click on what is designed to resemble a suspicious link.
“What this does is that it trains employees,” said Stephenson. “One of the things that small businesses need to understand is that they are required by New York state law—the SHIELD Act—to do this type of training for their employees on an annual basis.”
As part of the SHIELD Act, administrative, technical, and physical safeguards must be adopted by any person or business that maintains private information.
Bryan Brayton, director of managed services at Layer Eight, agrees that employee training is essential. His company provides managed informational technology services to small and medium sized businesses in the Capital Region and North Country.
“At the end of the day, the most vulnerable portion of the business IT infrastructure is the user,” said Brayton. “One of the most important things that small businesses can do is to educate their employees and have formal cybersecurity training programs. When you hear about these ransomware attacks or breaches, in rare cases it is an actual hack or vulnerability. Normally what happens is that a user was tricked into clicking on an infected attachment or going to web site that is harvesting their credentials.”
Once an attack occurs, companies that do not maintain regular data backups are more likely to pay the ransom.
“The advice is never to pay the ransom, but at the end of the day, if you need to get your data back, you are probably going to pay the ransom,” said Brayton.
Although none of Layer Eight’s clients have fallen victim to ransomware attacks, Brayton said several local companies have retained their services after being attacked.
In addition to training employees, businesses should have adequate endpoint protection as well as next generation firewalls. Software and hardware should also be kept up to date.
“That includes all of the latest operating system and application patches. All of that can mostly be automated and should be done at least weekly,” he said.
Password management is another area that companies as well as individuals should pay attention to. Brayton cautions against using the same password for multiple sites or saving passwords in an Excel spreadsheet. Instead, he recommends using a secure password manager that can be accessed through a multi-factor authentication (MFA).
MFA is an authentication method that requires the user to provide more than one verification method in order to gain access to a computer application or online account. Stephenson recommends using MFA on every application that a person uses whether it is for business or personal use.
Because of the SHIELD Act, it is essential that business owners understand their legal responsibility when it comes to cybersecurity. The laws are designed to protect the customer, not the business owner.
“Your retail stores and small mom and pop businesses weren’t covered by the cybersecurity legislation in New York state until the SHIELD Act was expanded in March of 2020. Every business in the state is now covered by a minimal set of laws related to cybersecurity protection. If you’re not comfortable doing this yourself, you should be reaching out to a managed service provider. It doesn’t matter who it is. Just do it,” said Brayton.
Companies that are cutting costs by opting not to contract a managed service provider may end up paying in the long run. More than 60 percent of small businesses are forced to close within six months of experiencing a significant data loss. In 2019, the average cost to a small or medium sized business to recover from a security breach was $129,000.
When it comes to protecting personal data, Brayton advises people to pay attention to their online accounts.
“We’re seeing a trend that someone will end up with your user name and password to your IRA or other retirement account,” he said. “They will get access to your retirement accounts and start setting up loans to pay out to themselves. Unless you are paying attention to your 401K, you have no idea that loan even happened.”
Stephenson said it is also important to stay up to date on the new ways in which cyber criminals are targeting victims.
“You need to continually educate yourself to what is going on in the world in regards to how these people are trying to steal your money, and your identity. They are going to go to any lengths to get it. They have no scruples or morals.”