When I attended this year’s Amplify IT Cybersecurity Conference in Oshkosh, it didn’t take long for me to start to feel pangs of unease that soon bloomed into a sense of dread. The more keynote speaker Brett Scott spoke about cybersecurity threats, the more I wanted to go home and hide under my covers. Scott, who serves as the director of security enablement and training for Americas for Tech Data, described a bleak picture that includes ever-more sophisticated attacks on businesses and organizations, stark and even life-threatening dangers that can arise, and a massive shortage of cybersecurity experts.
In the face of fear and uncertainty, education and action are some of the best antidotes, so I reached out to Tom Wojcinski, director of Wipfli’s cybersecurity and technology management practice, for some analysis. First, the bad news: Cyberattacks continue to go strong.
“Ransomware has been more malicious and virulent than anybody expected. It’s been giving organizations across industries fits,” he says.
Businesses and organizations of all sizes are vulnerable. Small businesses often think no one will come after their data because it’s inconsequential, but that’s not the case. In fact, small organizations may be more at risk because they have less money to devote to cybersecurity efforts, Wojcinski says.
“Ransomware is not about if anybody else has value assigned to your data; it’s about the value you assign to your data. Ransomware is based on you wanting to get your data back and your willingness to pay for it,” he says.
As long as people continue to pay ransoms, ransomware will continue to proliferate, Wojcinski says. In addition, there are criminal organizations that make and sell malware. They have development cycles on their ransomware toolkits and continuously add new features, making them easier for less-sophisticated hackers to use.
The influx of people working remotely also has created vulnerability for many organizations. Businesses traditionally focused defensive protection efforts on their network perimeter, which was defined by the physical workspace. The endpoint has now become susceptible because it’s outside a traditional office, Wojcinski says.
To reduce risk, remote workers should use a virtual private network and multifactor authentication (MFA) to connect to office resources. If the business uses collaboration technologies such as Microsoft Teams, employees also should use MFA to access those and the company should restrict data federation capabilities, which provide a way for people across an organization to work collaboratively.
“It’s convenient to leave open federation on, but it means anyone can connect to your organization and opens you for an impersonation attack (where a malicious actor can pretend to be a company leader),” Wojcinski says.
Organizations must take proactive steps to prevent attacks. Those include securing systems and making them harder to infiltrate, educating people about spotting and defending against social engineering attacks, implementing isolated backups, testing the ability to restore data, and ensuring the organization can wipe away its systems and restore good data and programs to continue operations.
“It requires a lot of effort and vigilance to make sure you’re in a position where you don’t have to pay the ransom,” Wojcinski says.
One of the most important steps remains educating employees about how to spot attempted cyberattacks. People are the weakest link, Wojcinski says, pointing out that they tend to overshare information and are often resistant to inconvenient steps like MFA. This all makes individuals and businesses more vulnerable to social engineering attacks. Organizations including Wipfli can lead businesses through penetration testing and phishing exercises to help identify risk.
Big changes are on the way in the insurance industry as well. Insurers are looking at the losses they’ve incurred due to ransomware and beginning to tell organizations that if they don’t take certain steps, they won’t be able to renew their cyber policies. Measures include adding MFA on remote access points, email and internal administration accounts as well as requiring endpoint detection response utilities, which are designed to help detect and prevent ransomware from entering.
Wojcinski says that while adding these steps will lead companies to incur additional costs, they’re overdue and necessary steps. At the same time, it will take a couple of years for organizations to comply.
“There’s going to be continued improvements and developments. It’s just going to take some time,” Wojcinski says, adding that attackers will keep finding new ways to get in. “Just because we plug a couple of doors doesn’t mean they’re not going to find some other entry point.”
