Facing The Reality of A Cyber Attack
As often as the terms “cybercrime” and “cyberattack” are featured in the news, the threat does not sink in for many small business owners until their business is directly affected. In 2019, the Verizon Data Breach Investigations Report found that 43% of cyber breaches targeted small businesses, and 56% of breaches were not discovered for months or longer [1].
In a world where nearly all businesses have incorporated technology as a tool vital to operations, cyberattacks threaten the core of a business. A malicious attack can shut down operations, with catastrophic results for the longevity of the business.
Not all cyberattacks exhibit the same characteristics; however, Verizon found that financial gain is the main goal of cyber aggressors 71% of the time [1]. The rise of cryptocurrencies such as bitcoin has allowed cybercriminals to demand large ransoms that, if paid, are virtually untraceable.
In the following article, we will do our best to illustrate what small business owners encounter when they discover a malicious IT breach intended to shut down operations in pursuit of a ransom payment.
Part One: The Cyber Attack
As mentioned previously, 56% of security breaches are not discovered for months or longer. Hackers are experts at sneaking into IT systems and remaining undetected for quite some time. They closely monitor data flowing in and out of the organization to better understand the business. Often they will review financial statements or other sensitive data sent by small business owners via unencrypted email to determine whether the business is capable of paying a ransom from cash reserves or a cyber insurance policy. During this period of snooping, the hacker will seek to gain more access to vital components of the organization, such as email, applications, or software that the business relies on daily.
At a given point, the hacker will install a variety of malware on the company’s network. Malware is a very broad term that may include, but is not limited to:
- Viruses: Viruses are designed to spread from file to file, preventing a file from opening, corrupting its function, or deleting it entirely.
- Spyware: Spyware exists to monitor a user’s screen, stealing passwords, credit card numbers, or internet habits.
- Ransomware: Ransomware locks files and prohibits computer access while the attacker demands a ransom payment, often in a form of cryptocurrency.
- Trojans: Trojans hide in applications that appear safe and legitimate, creating backdoors for other forms of malware to access the network.
All of these malware variants are tailored to disrupt IT networks in specialized ways. Oftentimes, several of these tactics are used together in a hybrid approach to penetrate firewalls and cyber security defenses. In this case, ransomware is designed to lock files throughout an organization and prevent access, demanding a ransom in exchange for a digital key that will unlock the files. Anti-virus software, strong passwords, and security software are not guaranteed to prevent cyber security attacks.
While most business owners believe they are fully protected from cybersecurity threats, it often takes just one email, or phishing attack, to penetrate network security. A tactic known as email phishing targets individuals with emails designed to mimic messages from co-workers. An employee will receive an email that appears to be sent from an address closely resembling a coworker’s email account. In many cases, only one letter in the domain is different. If the business’ email domain is ABCcompany.com, the fraudulent email may be sent from ABCompany.com. In the fraudulent email, an attachment such as a PDF or spreadsheet file contains malware that, when opened, begins installing on the employee’s computer without notifying the user. If the employee moves on to other emails, dismissing the file as corrupted or mistakenly empty, the company will be none the wiser. This is how malware is introduced to many companies without being detected.
Once the ransomware is installed and the hacker is ready to activate the attack, the business ultimately becomes aware of it when files become locked across the network. The cybercriminals will likely leave a digital ransom note visible to IT administrators or end users on their desktops, including a method for payment such as a Bitcoin wallet address or other cryptocurrency payment credentials.
This is when panic sets in for most businesses. Computers are rendered useless, email is inaccessible, files are locked across servers, and any operational activity or machinery driven by servers, computers, and sometimes even Wi-Fi grinds to a halt. This interruption leaves employees sitting at their desks with little ability to perform their work, while the IT team and management must spring into action to begin a recovery. Each hour that passes without recovery means lost production and profits.
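The one-letter-off sender domain described above is something a mail gateway or help desk can catch mechanically. As an added example (not part of the original article), the Python below parses a message’s From header and flags any sender domain within one edit of the company’s own domain; the trusted domain, the sender names and the three sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# The organization's own domain (constructed; stands in for ABCcompany.com in the text).
TRUSTED_DOMAINS = {"abccompany.com"}

# Constructed sample messages: a genuine coworker, a one-letter-off lookalike,
# and an unrelated outside sender. The display name is identical in all three.
SAMPLE_MESSAGES = {
    "coworker": "From: Pat Lee <pat.lee@ABCcompany.com>\nSubject: Q3 statements\n\nSee attached.\n",
    "lookalike": "From: Pat Lee <pat.lee@ABCompany.com>\nSubject: Q3 statements\n\nOpen the attached sheet.\n",
    "outsider": "From: Pat Lee <pat.lee@example.net>\nSubject: Hello\n\nJust checking in.\n",
}

def levenshtein(a: str, b: str) -> int:
    """Minimum single-character edits (insert, delete, substitute) turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(raw_message: str) -> str:
    """Pull the domain out of the From header, ignoring the display name."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def classify_sender(raw_message: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> str:
    """'trusted' for the company's own domain, 'lookalike' if within max_distance edits
    of a trusted domain (the ABCcompany.com vs ABCompany.com case), else 'external'."""
    domain = sender_domain(raw_message)
    if domain in trusted:
        return "trusted"
    if any(levenshtein(domain, t) <= max_distance for t in trusted):
        return "lookalike"
    return "external"

def triage(messages=SAMPLE_MESSAGES) -> dict:
    """Classify every sample message; returns {label: verdict}."""
    return {label: classify_sender(raw) for label, raw in messages.items()}

if __name__ == "__main__":
    for label, verdict in triage().items():
        print(f"{label:10s} -> {verdict}")
```

A "lookalike" verdict is a reason to quarantine or banner the message for review, not proof of malice; raising max_distance catches more variants at the cost of more false positives.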
Part Two: The Recovery Process
- Server Backups & Backup Recovery Plans
- Who Should I Call When Hit with a Cyberattack?
- What is Cyber Insurance? Do I need Cyber Insurance?
The Recovery Process: Server Backups & Backup Recovery Plans
Server backups are vital to a clean recovery for any company experiencing a ransomware incident. This means the first step in fighting a breach is a thorough assessment of your backups to determine whether your network can be restored from them.
In an ideal world, every company maintains an established recovery plan that is reviewed each year. Recovery plans are integral in determining which systems need to be recovered first to restore activity in the company. For some operations, email may be the most important application, while in manufacturing companies the most vital activities may include production equipment.
Companies with no disaster recovery plan often lose critical hours combing through their IT network to understand how operations are interconnected with various servers. Restoring backup files is time intensive, requiring large uninterrupted blocks of hours to run. At times, the restoration process fails multiple times, wasting time during the recovery. Determining which servers to restore first means prioritizing the business operations critical to re-establishing revenue-related activities. Larger companies with more complex revenue-producing functions may face competing interests when setting restore priorities. This is why it is critical to have your internal IT team, or a managed IT service company, establish a disaster recovery plan.
If the malware has infected and locked files stored in the backups, fewer options remain for fighting the breach via backup restoration. Instead, most companies negotiate with the hacker to determine a price deemed acceptable for unlocking the files. The company has very little leverage in this situation, so unfortunately ransoms are often paid when companies have no other options. There have been instances when a ransom was paid and the decryption key required to unlock the files and sensitive information never arrived, leaving the company out of money with little progress toward remediation.
The Recovery Process: Who Should I Call When Hit with a Cyberattack?
If you have a managed IT service provider or an internal IT team, they are typically the initial point of contact during a cyberattack. This initiates the first step in fighting the cybercriminals, as the IT team immediately assesses server backups for a viable path forward.
If you have a cyber insurance policy, it is recommended to notify your insurance agent of the attack. The insurance provider will want to know the current status of the breach through a risk assessment, the teams you are working with, and the next steps for recovery. It is important to communicate and document potential and actual costs along the way. This gives the insurance provider a deeper understanding of your case and helps keep the incident within your policy’s coverage.
The type of sensitive information housed on your server or network will determine the involvement of a legal team in your remediation process. Ransomware hackers often target companies likely to store credit card information or Personally Identifiable Information (PII). PII includes any data that could be used to identify a person, typically sought with the intention of stealing identities for financial benefit. If your network stores credit card information or PII, it is necessary to contact your legal counsel, as they will advise on how and when to notify your clients.
Many businesses do not think to notify authorities once a managed IT provider initiates disaster recovery; however, notifying the FBI has become common practice. The FBI does not provide IT recovery services, but it may have more information about the specific attack you are experiencing and about other companies that have faced similar situations. In late 2019, the FBI released a PSA condemning ransom payments while asking that incidents be reported to the FBI:
“Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.” [3]
The Recovery Process: What is Cyber Insurance? Do I need Cyber Insurance?
Cyber insurance is designed to protect businesses from cyber threats and data breaches, covering costs of fighting a breach that may be insurmountable for a small business. When determining whether cyber insurance is required for your business, it is important to note the overwhelming concern cyberattacks have placed on economies across the world.
The World Economic Forum wrote in its Regional Risks for Doing Business 2019 Insight Report: “‘Cyberattacks’ are the most pressing risk for chief executive officers in Europe and North America and in six of the 10 largest economies: the United States, Germany, the United Kingdom, France, Italy and Canada.” [2]
Depending on your cybersecurity insurance policy, network security coverage may include expenses for legal guidance, IT forensics to determine the scale of the breach and its access points, data restoration, and credit monitoring for employees. Business interruption coverage is a separate policy that most businesses employ to recoup lost profits or extra costs incurred during the ransomware recovery process. Without cybersecurity or business interruption insurance policies, many businesses are left covering large costs on their own with few other options.
Part Three: IT Monitoring & Cyber Training
Once the cyberattack has been successfully remediated, identifying the weaknesses that led to the initial attack is integral to preventing another ransomware incident. This includes an intensive evaluation of your backup services and your disaster recovery plan, making adjustments based on your experience during remediation.
Malware infects networks through various methods, so thorough network monitoring services are essential to detecting malware immediately. Monitoring software such as Malwarebytes, McAfee, and others is designed to support data protection, encryption, and network security. These security monitoring tools also specialize in triaging suspicious links and attachments sent via email. Preventative measures such as these help keep malware from entering the network.
Cyber training is critical for spreading awareness of the risks presented by malware throughout an organization. Routine training can teach users how to evaluate whether an email is likely spam, and remind them to reset passwords periodically. Training often includes staged emails sent to the organization that simulate the deceptive emails hackers use to phish employees. If a user clicks on a staged email, the result is only a warning and additional training for that user, rather than an actual infection, which helps avoid a recurrence of a malware incident.
Managed IT providers are integral in implementing desktop monitoring services, IT security training for employees, and routine backup services, all of which are necessary to remediating or preventing a ransomware incident. Finding a managed IT service team that understands your business is an important first step in creating a cyber defense for your company.
Kansas City Managed IT partners with small businesses in the Kansas City area looking to grow their organizations, while avoiding the risks presented by malicious cyberattacks. If you are looking to better manage your IT network with reliable computer backup solutions, contact our experts today for a complimentary consultation.
[1] Verizon, 2019 Data Breach Investigations Report, https://enterprise.verizon.com/resources/reports/dbir/2019/summary-of-findings/
[2] World Economic Forum, Regional Risks for Doing Business 2019 Insight Report, http://www3.weforum.org/docs/WEF_Regional_Risks_Doing_Business_report_2019.pdf
[3] FBI Public Service Announcement, High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations, https://www.ic3.gov/media/2019/191002.aspx