Be Patient, You'll be Hacked Soon Enough

It started with a text from my son asking if our cars had full gas tanks. I ignored this, thinking it was just an internet spin-up of a grain of truth. Shortly, though, I was seeing videos on mainstream media of people with grocery bags full of gasoline. In the vernacular: WTF?

If you are eager to be violated and experience the excitement of an existential struggle, I have good news. One is in the offing. From the family-owned mental health counseling business which was driven out of business when its patient files were all released on the internet, to the headline-dominating shutdown of the critical gasoline pipeline company Colonial Pipeline, everybody is getting in on the fun. It’s all the rage. If, however, you are the quiet sort that would rather read a book with a glass of wine or cocktail in the evening, I have some ideas for you. Read on.

Market Penetration is Way Up

The hacking industry, and mark my words, it’s an industry, has grown tremendously in the past 24 months. Fueled by a large influx of cash from scams related to COVID-19, the industry has taken advantage of the hot iron and is in full-blown expansion mode. The hottest service the industry provides right now is ransomware and other ransom-based attacks. The (overly) simple explanation of how this sort of attack works is that the perpetrator gains control over your data, either by encrypting it in place or by stealing a copy. They then demand payment to restore access to your data, or to destroy their copy and not distribute the data.

You might be thinking, “Well, we’re not big enough to warrant the attention of bad actors like these.” You would be wrong. Whether designed by someone with a market segmentation strategy or just an unhappy consequence of automation, the hacking industry is exploiting all the market niches. Since it doesn’t cost anything to mount an attack, and since they are essentially scanning all systems they can find, hackers are capable of exploiting all systems they come across. Whether it’s for a few hundred dollars or for millions and millions in the case of municipalities and gasoline pipeline companies, they can wring value out of any vulnerable system they cross. And they don’t have to look at a system until its owner contacts them regarding the ransom. Essentially, it’s hands off until they have a fish on the hook. Then they take a look at the size of the fish and make a ransom demand.

Opting Out of The Fun

Opting out doesn’t have to be financially crippling. You can put a basic security strategy in place for a small percentage of your IT spending… probably. This depends a little bit on what you do, but it isn’t expensive for the most part. What it is, is detailed. It takes a focused effort that begins with an assessment of your assets and what their relative values are to your business. That value comes in two forms. The first is the positive: what the asset is worth to your earnings. The second is the negative, which answers: “What kind of damage could be done to us with our data if it were to be released in the wild?” You can do these assessments yourself (there are frameworks online to DIY), or you can hire someone with experience and a framework to do this for you.

Once the assessment is complete, you know where you stand and what the gaps are. Now you need to put an initiative in place to close the gaps and to monitor your situation annually. Being secure takes diligence. The hackers only need to be lucky once. You have to be secure every time to avoid a successful attack.

A Note On Ransom

I sat in on a recent panel discussion about cyber security which featured an FBI agent from the Cincinnati region. He (they) recommends against paying the ransom. If everyone refused to pay, this would alleviate the problem. Redbank doesn’t take a position on this issue, but I like his logic in theory.

Call To Action

Please, please, please conduct a security assessment to determine your information and other assets, their worth to you, and their vulnerabilities.

1. Find a framework to guide your thinking.

2. Assess your information, threats and vulnerabilities.

3. Create a security capability development plan.

4. Begin marching toward closing the gaps.

5. Measure your progress against the gaps and reassess your information annually.

Here’s the link to the Wired article which discusses the demise of the family-owned mental health counseling business. And here’s a link to a WSJ article on the Colonial Pipeline case and the fact that they paid the ransom.

I hope you found something to apply to your business in this MBR. Let me know either way.
