Remote work poses new cybersecurity challenges for small businesses


A cyber attack can have devastating consequences for a company of any size. Just ask a Northeast Ohio medtech CEO who suffered a “two-week panic attack” after a Romanian cybercriminal gang shut down operations in February 2019.

Using a “GandCrab” ransomware attack — a type of malware that encrypts a victim’s files and demands payment of a ransom to regain access — the crooks literally held the medium-sized company hostage before the malicious software could be lifted.

The attack locked employees out of the company’s PCs, servers, email files, and inventory management system.

“It was a moment where someone else is controlling your life,” said the CEO, who asked to remain anonymous for security reasons. “A nightmare that I do not recommend ever wanting to experience again.”

The ultra-connected global business environment

The medtech company’s recent troubles are emblematic of today’s ultra-connected global business environment. With increased digital connectivity comes increased cybersecurity risk, a threat landscape that continues to shift as remote work becomes more prevalent, said Ellen Boehm, senior vice president of Internet of Things (IoT) Strategy and Operations at KeyFactor, a Cleveland-based software company.

“We’ve been going this way for years,” said Boehm. “COVID accelerated the need for safer systems to make this connected world a reality.”


Ellen Boehm, Senior Vice President of IoT (Internet of Things) Strategy and Operations at KeyFactor.

Protecting critical business assets can be a tall order for small and medium-sized businesses that lack a dedicated IT team or the time to focus on cybersecurity, Boehm said. However, she believes these companies are ignoring online protections at their peril.

In 2019, about 76% of American businesses experienced a hack, and 60% of small businesses failed within six months of being breached, according to the Ponemon Institute.

Work-from-home arrangements mean employees access sensitive company data from personal laptops or iPads, often over their home Wi-Fi networks. Unapproved devices may sit outside an employer’s managed network, leaving gaps for hackers and increasing the likelihood of a successful attack.

It took KeyFactor three months to remotely secure its own systems during the height of the COVID-19 pandemic, despite a background in software security that gave the company an edge over most industries. Some smaller customers were defenseless in those early days as they didn’t have the staff or expertise to fill virtual gaps.

Small and medium-sized companies “typically outsource their IT,” said Boehm. “Or they don’t have to hire a person to do those detailed infrastructure bits because there isn’t a full-time need.”

Not too small to be hacked

Even having cybersecurity protection in place isn’t a magical shield against a determined hacker, the medtech CEO noted. Criminals infiltrated his system by exploiting remote monitoring software that the company’s service provider had yet to patch against GandCrab.

During its long recovery period, the company was unable to bill customers or operate an inventory control system. A team of consultants, security guards, and forensic investigators worked nights and weekends to regain system access while the company struggled to fill orders.

“We went back to the paper business until we could get back to the normal flow of things,” the CEO said. “We all had to be on our toes, and there wasn’t much sleep in those two weeks.”

The calm came easier when the company’s service provider paid the ransom. In response to the new remote work environment, the company also strengthened its online systems with an overhauled firewall, isolated backups, better defense software, and an updated patch schedule.

“My advice to companies is to familiarize yourself with your service provider,” the CEO said. “Do they have the sophistication and tools you need? Are they stretched too thin? Do you get good response time from them? These are important questions.”

Businesses across all industries are hit by cybercrime, including entrepreneurs who claim they are invisible to bad actors, noted John Nicholas, a professor of computer information systems at Akron University.

Ransomware and other dangers lurk, with global ransomware costs projected to reach $265 billion by 2031, according to Cybersecurity Ventures.

Small businesses with fewer security measures are an attractive target for ransomware thieves — victims might find their files inaccessible until they make a hefty payout, Nicholas said.

Modern phishing emails are also more sophisticated, ranging from the familiar “Nigerian prince” scam to convincing emails impersonating a victim’s bank or PayPal account. Phishing is an attack designed to trick a victim into revealing personal information — credit card numbers, banking details, and more — through websites pretending to be legitimate.

Then there are “vishing” cons, phone-based scams in which callers claim that work needs to be done on an employee’s computer. The attacker then directs the victim to a deceptive website that downloads malware onto the system. Malware is an umbrella term for software designed to infiltrate a device covertly, most often resulting in data loss or system damage.

With more people working from home, the already rising tide of online crime has turned into a tsunami, Nicholas said. While many of these attacks are obvious spoofs, a single employee taking the bait can be enough to compromise an entire network.

Put simply, today’s businesses cannot have employees working from unencrypted personal devices, especially since artificial intelligence and machine learning are another vector for the bad guys, Nicholas added.

“If I ran a small business, I would invest in a few laptops and tablets and have my IT staff secure them,” Nicholas said. “Especially if employees drop or lose devices, this data is encrypted and cannot be viewed by anyone without great effort.”


John Nicholas, Professor of Computer Information Systems at Akron University.

Businesses without IT staff would be wise to hire a third-party network specialist, says Nicholas. At the very least, business owners should find a local university or chamber of commerce that offers free cybersecurity advice.

“Small businesses should take this seriously — don’t fall into the delusion that you’re too small to be hacked,” Nicholas said. “It’s not about the size of the company, it’s about getting your hands on as much data as possible. So take it seriously and do your homework.”

Preparing for a disaster

Small and medium-sized businesses should constantly be preparing for the worst, said Nathan Sterrett, a Kent-based certified information systems security professional. Sterrett’s firm, Arwood Security Consulting, conducts tabletop exercises for IT staff and executives alike, walking them through incident response options and the damaging effects of data loss.

“Security challenges come with a loss of control over data as people work on it not only in the office, but also on the couch or on a laptop,” Sterrett said. “Especially with some of the new technologies that have matured during COVID, like Zoom and Microsoft Teams.”

“That’s where the risk comes from, because people don’t understand what they’re giving employees access to, or what the consequences will be later on.”


Nathan Sterrett, Certified Information Systems Security Professional, Arwood Security Consulting.

With 12 years of industry experience, Sterrett has seen firsthand what a cyber attack can do to an organization. A customer, a manufacturer of turnkey systems for manufacturing processes, was hit by a ransomware attack that crippled its email systems and an application development code repository.

Sterrett helped the company move its code repository to cloud storage while implementing tighter security controls on users’ workstations. Some semblance of business normality returned after a few weeks, although it took the company two full months to return to pre-attack levels.

Businesses with a “closet full of servers” should consider moving their data to the cloud and be prepared to shell out $20 to $100 a month to have the new cloud system managed by a vendor, Sterrett said.

For day-to-day work, Sterrett suggests companies use multi-factor authentication (MFA) instead of relying on simple usernames and passwords. MFA requires users to prove their identity with more than one factor, adding a layer of protection on top of the standard sign-in procedure. A business password manager adds another layer, giving businesses the ability to generate strong passwords along with a secure place to store credentials.

Businesses can’t sit back and hope hackers won’t get past them, said the medtech CEO, a recent ransomware survivor. It’s better to think of cybersecurity as insurance than to answer some really scary questions when it’s too late.

“You have to spend the money to protect your system or you will be taken out,” the CEO said. “You have to master the basics and get the best tools you can afford. If you don’t, you’re asking for trouble.”
