Today we continue our cyber series talking about security in the business world and not just educating business owners about how to protect their cyber interests, but the employees as well. What about ransomware attacks, how do they work when it comes to business and industry? Can they have a real impact? Can they be as devastating as they are were they to show up on our home computer? Nicole Cliff and Sarah Rees from the Georgia Cyber Center walk us through this.
Brad Means: I’ve learned a ton so far, Nicole and Sarah. I know our viewers, based on our emails, have as well. So thank you both.
Nicole Cliff: Absolutely.
Brad Means: Nicole, let me start with you, just a general question about businesses. Overall, and we touched on this a couple of weeks ago, but I wanted to really get into it. What should they do to protect themselves when it comes to cyber threats?
Nicole Cliff: So a couple of weeks ago, I was in a professional development session where an FBI agent who is in cyber talked about thinking like a criminal. And I think that businesses have to step outside themselves and kind of put on that criminal thinking hat. What do I have that a cyber criminal wants? And think through their assets as in, what would prevent my business from functioning? What do I have that they could take?
Brad Means: You’re talking about like if they say attack your software, if they can get into your email or those vulnerabilities?
Nicole Cliff: Exactly, so that’s why it’s important for the business to do what’s called an asset inventory. They have to know what they have in order to protect it. So when we’re talking about what a business has in an asset inventory, we have to look at things like databases. We have to, of course, look at the server, the hardware, but you have to look at it in terms of the databases that the organization has, the actual data. Most organizations forget to think that their data’s very valuable and without it, they can’t function every day. And what about cell phones? Employees most days have cell phones and the data that’s stored on those cell phones. So you have to have a comprehensive list of what the organization has and once you get that list, which, you know, takes a lot of work to derive, but then once you get it you want to rank those assets from most critical to least critical. And the reason this is important is because you’re not gonna offer the same level of protection against a more critical asset compared to a least critical asset.
Brad Means: You know, the whole time Nicole was answering the question, Sarah, I was getting fearful for our small business friends who watch and thinking, okay, what if their online presence is minimal? Do they need to take the steps? Do they have the vulnerabilities that Nicole was outlining?
Sarah Rees: Sure, Brad, I think that that’s something when we talk about big businesses, they obviously know they have databases full of information, credit card information, and PII from their customers, but smaller businesses I think.
Brad Means: What’s PII mean?
Sarah Rees: That’s personally identifiable information.
Brad Means: Okay, thank you.
Sarah Rees: And that’s something that we have to be aware of. That’s things like your name, your birthday, your Social Security, your address, anything that identifies you in the physical world and is tied to your identity. So that’s very sensitive information and big businesses understand that they hold that and they have to protect it. But a lot of little businesses like you said, if they don’t have a lot of online presence, maybe they don’t sell anything on a website. Maybe they really don’t even have a website. They don’t feel like a cyber attack or the information that maybe they do hold is targeted, but that’s really a misconception. So if you think about a brick and mortar store. If you’ve ever been into one of them. Sometimes they ask for your birthday, right? They get your address, your birthday, your phone number, your email and they put all that down and it’s for good reason. They want to be able to reach out to their customers, let them know when they have promotions, send them a birthday update. But that’s sensitive information, that PII, that belongs to their customers and so if they’re keeping that, let’s say it’s a very small business and it’s on a spreadsheet, on a computer that they use, that spreadsheet is really just a tiny database sitting on a computer that is vulnerable and it could be exposed, so that sensitive information still has to be protected.
Brad Means: All right, so what’s the role of the employee then, Sarah, when it comes to limiting that exposure, when it comes to making sure that they’re not part of the problem? They’re just, you know, we’re just the worker bees, what can we do?
Sarah Rees: So when it comes to employees, obviously, education is the key. But what businesses have to do is understand their organization so depending on the size of your business and what you do, what your business function is, you’re gonna have different categories of employees. Some of them might be folks like accounting, HR, right, sales and then you have your IT staff. So a lot of businesses and the employees in them think well, it’s the IT or my IT security staff that need to be worried about this. But really everyone has to take some ownership for cybersecurity. So you have to target training at the different groups of employees that you have and it has to be relatable and relevant to what they do. I wouldn’t give highly technical training to your sales or your HR staff, because you know, they’re not going to be working databases or on, you know, devices like routers and switches, things that run the network. That’s the IT staff, right.
Brad Means: So Nicole, what’s that look like on a day to day basis? Does it look like classes or experts being brought in, or do we all take a day off from work and go to the Georgia Cyber Center? How do we become better protectors of our information?
Nicole Cliff: So I think it’s important that businesses have an inside training awareness educational program, but they also need to be connected to an outside resource, which is one of the reasons I’m very passionate about working for the Georgia Cyber Center and the Georgia Workforce Academy: we have the opportunity to deliver affordable, relevant training to security and IT professionals. We also aim to raise awareness by offering field trips, speaking engagements to businesses and organizations, and offering information to the public, which is what we’re doing on your show here.
Brad Means: Is it expensive? What the Georgia Cyber Center offers?
Nicole Cliff: Compared to our industry partners, no.
Brad Means: Yeah, I would imagine it wouldn’t be.
Nicole Cliff: And that’s why again, I said I’m so passionate about it is because everybody doesn’t get the opportunity to extend the service that we are extending.
Brad Means: You know, y’all have made me, I don’t know if paranoid is the right word, but fearful of everything I do online. Last time we talked about making sure that the lock was in the address bar to make sure that you were on a secure site, that the https appeared. What can we do, Sarah, from the minute we get to work and log on to make sure that our habits reflect our desire to keep our company’s info safe?
Sarah Rees: So, I don’t want you to be scared, Brad. But I want you to be cautious. The internet is, it’s something that was built, it created a very trusting environment for people. You get an email and you trust that that person, because you know them, has attached something that you need to read. So if you go back to where it started in the 90s, where we did have all these threats. So, fast forward to now, we’re still too trusting and even for those people that are cautious, we have to keep just, you just have to keep your wits about you and be aware of the threats. So something that I recommend specifically for all users, and this is something you can take home, but is also important for employees at a business, is to be aware of social engineering. That’s one of those very, very common vectors. It means it’s a route in. We talked in previous shows about emails and how that’s a way they get in, phishing emails. Well, it extends past that. It’s not just phishing emails. Vishing, which is voice solicitation, is another form and actually it’s so prevalent.
Brad Means: You’re talking about when someone calls you and you feel like you’re talking to a legitimate human?
Sarah Rees: Yes, and it’s happened to me personally, it’s happened to family members of mine. You get a call and usually the premise of these is you know I’m with Microsoft or I’m with your internet service provider or I’m from the company you bought your laptop from and you have a virus or something’s wrong with your computer and I’m gonna help you fix that because we don’t want you to be in harm’s way. So a lot of times, that’s where they’re pushing these consumers to maybe go to a website and download something, but that thing that they’re downloading is a tool that allows that hacker because it’s not really Microsoft calling, to come in and you know, collect your information, spy on what you’re doing. So it’s important that users understand and that’s just one instance. Those companies, antivirus services, Microsoft, they don’t call consumers directly. Right, it’s just the IRS scams that we saw in email. The IRS doesn’t usually send emails because they can’t verify if you got that email. That’s why they use the postal system.
Brad Means: This is probably a whole show unto itself and I’ll ask either one of you. I want to go to break and talk about a lot more cyber issues when we come back, but before we do, I think I’ve asked you this each time, what are these bad guys after? Whether it’s at the business level or the individual level? Once they get our information, name, birthdate, social, our company’s secrets? What do they do with it? How does it benefit their wallet?
Sarah Rees: Well, you can sell the information, for example we talked about PII. A lot of that can be sold or used because I can open credit in your name. Now obviously the mitigation for that is keep your credit frozen and only unfreeze it when you actually want to open a credit line.
Brad Means: Yeah, I love that advice, yeah.
Sarah Rees: But stealing identities is a piece of that. When we talk about intellectual property, that’s huge when we talk about companies. That can put a company out of business.
Brad Means: They can sell it, there’s a market for it.
Sarah Rees: Absolutely, absolutely, sell it to competitors.
Nicole Cliff: Cyber espionage.
Brad Means: Cyber espionage is real, it exists, and you do need to protect yourself every step of the way. What about ransomware? How much of a threat is that? It’s one of the topics we’re gonna tackle when we continue to look at cyber issues, as our special series on the Means Report continues.
Brad Means: Welcome back to the Means Report. Nicole Cliff and Sarah Rees from the Georgia Cyber Center walking us through a lot of cyber issues, especially as they relate to businesses and employees and Nicole, we promised the viewers we would talk about ransomware when we left. I always thought ransomware was something that hit your home computer, you had to pay somebody to give you your information back or else they made a virus destroy your computer. What is it and how does it impact the business community potentially?
Nicole Cliff: So think of it in terms, most people can relate to someone being kidnapped and that person being held hostage, and there is a ransom offered against the release of that person. So normally the bad guys would ask for $100 million or $100,000 in unmarked cash. So there’s a form of payment offered against the release of the kidnapped. So what’s happening in the cyber realm is the data is being held hostage. And the attacker offers a ransom against that data, and the how of how they’re holding it hostage is they actually encrypt the data with a special key and make the data unreadable to the business. And they tell the business you have to pay a ransom in the form of a digital currency called Bitcoin. This could be 100 Bitcoin, which is equivalent to, depending on the market, $400,000 to $500,000, and so they say if you pay us this ransom in the form of digital currency, we’ll release your data. We’ll give you the key to un-encrypt it. The sobering statistic associated with this type of attack is that in 2019, a business can fall victim to a ransomware attack every 14 seconds.
Brad Means: This sounds like something from a television show or movie, but it’s happening all the time.
Nicole Cliff: It absolutely is. Healthcare institutions are at the top of the list for this type of attack.
Brad Means: What are you supposed to do if it happens, if you’re the victim of a cyber attack? It sounds like it could devastate your organization. We’ll talk about that in a few minutes, but what’s the initial response if you get hit?
Sarah Rees: So the first thing anyone should do if they’re the victim of a cyber attack, and this is, you know, the same for if you’re talking about your home network versus a business network, is look to try to contain it. So some types of malicious software can spread without any intervention. What you want to do is immediately remove any computer that you suspect to be connected from the network, so that means unplug the network cable, not the power cable, or disconnect it from the wireless network that it’s connected to. So, that stops the virus from moving through the network to other connected PCs, laptops, mobile devices. Then the reason I say don’t unplug the power is because if we’re talking about a business setting and you have the resources either in-house or you’re able to call someone in to do forensics or incident response, you can actually lose evidence if you power the computer down. Some of that evidence is volatile, so by leaving the computer on, it gives those specialists the ability to see some of the things and help recreate what happened, maybe get a better idea of what was compromised. So, again, contain the scope by disconnecting that machine. If you have something where there are credentials involved, so for example a password, an account was compromised, those immediately need to get changed, and be very careful using the network where there was a compromise until it’s been thoroughly inspected, because just because you think you, you know, only have this one computer that was a problem, if you don’t know about another computer that’s been infected and then you go and do something critical on that computer, you could be increasing the damage. So first is contain it. Next, once you have the ability to get an understanding of if there was any information stolen or compromised or exposed, you may as a business have the responsibility to disclose that to your customers. So we talked about PII. If you had people’s information and that was lost, you have to.
Brad Means: You have to tell them.
Sarah Rees: You have to disclose, right.
Brad Means: And many of us have gotten those letters and those emails. Nicole, we’ve talked about educating our employees when it comes to cyber security. We’ve talked about the proper response if you are attacked. What about our assets, our data, our information in our companies, our formats that everything’s on? How can we maybe take some preventative measures to make sure if we do get hit, those areas are less vulnerable?
Nicole Cliff: So we just talked about a ransomware attack, and the ransomware attack is an attack against the data, so if I have backup copies against the data, that’s great mitigation control, it’s not a fail proof technique, but it’s something that we recommend.
Brad Means: Backed up on a computer or backed up on a disc and put in a warehouse?
Nicole Cliff: Both. It could be both. So there’s a very easy rule to follow. It’s called 3-2-1, and that’s have, we recommend to a business they have three independent copies of their data, and two of those copies should exist in different formats. So they could be on another computer, an external hard drive, but at least one of those copies in the 3-2-1, at least one of them, needs to be off site. Because many times what happens with a business is if they store all of their backup copies on site and something happens and the onsite location is compromised, they’re not able to get access to that data in order to be able to restore their systems.
Brad Means: And have you found that that is a way that helps most businesses restore their systems is that they can just plug those copies in and recover, get back on their feet?
Nicole Cliff: Well, it is a professional recommendation, but again it’s not foolproof in that if those backup copies aren’t being tested, then the business could run into some issues when they go to restore. Because maybe they’re restoring on a different type of computer with a different application, different application software that has a different update that could cause some issues with compatibility of that data and it being readable. The other side of that, you know, something different than ransomware, is that organizations should perform vulnerability assessments, and this is basically, you could have an outside entity, a third-party resource, come in and perform some vulnerability testing to tell the business where they’re vulnerable, where their risks lie, and of course once you get that information, you want to take action against those items.
Brad Means: I bet you businesses would be surprised, if they had that assessment done, how vulnerable they are. So what if they do get hit, Sarah, how do you even begin to recover? You’ve painted a devastating picture, and especially for the smaller companies. What do they do?
Sarah Rees: Especially when we talk about the smaller companies, Brad, unfortunately it is very devastating. There’s a statistic that says about 60% of small businesses that are hit with a.
Nicole Cliff: So sad.
Sarah Rees: Serious cyber attack go out of business within six months.
Brad Means: That’s the worst. They get, no fault of their own and they close.
Sarah Rees: Right, right. So it’s something where a lot of small businesses, they lack protections or they lack attention in that area because they say well, I’m not sure that that’s really necessarily something that’s going to impact me and even if it does, I just don’t have the resources.
Brad Means: Right.
Sarah Rees: But right now where we are, you don’t really have the ability to not do it, right. It’s too much of a risk. So there’s things that you can look at, like Nicole mentioned, vulnerability assessments, knowing what you have so that you can prioritize the resources that you do have against those assets, but there’s things out there like cyber insurance, which again it may not be something that a very small business can look at, but as your business grows, it’s something that helps with that recovery period. So, oftentimes, it’s the cost of recovery that cripples small businesses, so that can be offset. A cyber insurance policy is sort of like your car insurance policy where if it’s a fender bender and fixing it is less than your deductible, you’re just gonna fix it, right?
Brad Means: Right.
Sarah Rees: But if you total your car, that’s where you need that insurance to step in and help you with that recovery cost. So that’s how cyber insurance works.
Brad Means: Are the days of downloading Norton anti-virus and going along your merry way over?
Sarah Rees: I think for a business, absolutely. There is a lot more out there, yes.
Brad Means: I love what you said, though. Let’s say you’re planning to start a business and you say well, here’s my budget. Oh, oops, it doesn’t include cyber security. You might not want to go forward right?
Sarah Rees: Right.
Brad Means: I mean you can’t afford not to have this.
Sarah Rees: You know something that I recommend, Brad, a lot of, especially your small businesses, if they have an IT person, a lot of them say well, I can’t afford to hire a full-time security person, too. That’s okay. Give that IT person the skills they need to help offer the protection and assess where you are. Give that person the training. There’s a lot of smaller institutions that, you know, your IT folks wear that second hat of security and that’s absolutely okay. We can’t get stuck in a mindset that I have to have a specific dedicated person with that role. That can be the responsibility that someone else has, you know, on top of IT, because that’s gonna make it something that you can actually do. You can empower that employee and get your business off on the right foot.
Brad Means: Quick check of how we’re doing in this region. All we report on Channel 6 all the time is how this is just the cyber capital of the world and we have all these people moving here. Are we churning out the experts to tackle some of these issues that y’all have described? Are we doing a good job of getting people to plug into the workforce?
Sarah Rees: Yeah, I absolutely think we are. We have a lot of great programs at Augusta University, at Augusta Technical College. We have students in our building for both of those programs. We have professionals coming in. You know, my only concern is making sure that the K-12 space, all the kids, like the middle school area, are aware of what cyber security is. We do a lot of work with kids and teachers to make sure that they’re aware of the opportunities and the types of skills that are needed in that field because there’s a lot of misconceptions. They think it’s just sitting behind a computer and coding all day, and that’s not it.
Brad Means: You’re right, they think it’s just coding all day. There’s a lot more to it. Nicole and Sarah, thank you for what you do to educate everybody out there and to educate us here at the Means Report. We appreciate you. The Georgia Cyber Center is a rich resource when it comes to all things cyber. You heard Nicole and Sarah talk about what they can do in this community to better educate us and to help your business stay safe. If you have questions, email them. There’s the address on your screen. Our next installment is coming up on June 2 and 3, where we will continue to learn about all things cyber. Business owners big and small. I hope you learned a lot today. I know I did.