It happened again.
According to the Texas Department of Information Resources, on August 16, 2019 twenty-two Texas towns were simultaneously targeted by a coordinated ransomware attack.
While the vast majority of the towns hit were small local governments, this incident sheds light on a popular misconception in today’s society: Cyber thieves only target large enterprises.
This unprecedented attack also begs the question: will we see a new trend where smaller firms are extorted in a “bundled package”?
Cyber Incidents by the Numbers
Aviation disasters and cyber breaches share one common thread — large catastrophic events tend to dominate headlines.
According to the National Transportation Safety Board, out of the 350 U.S. aviation fatalities in 2017, none were attributed to any of the major domestic carriers.
General aviation (i.e. private aircraft) accounted for 94% of these fatalities, but when a large domestic airline carrier is involved, the news cycle amplifies the fallout and stories can last for weeks.
According to a 2017 study by The Ponemon Institute, 43% of cyber attacks targeted small businesses.
Given the intense coverage of breaches affecting behemoths such as Equifax and Capital One, it is easy to believe that large entities are victims of breaches by a wide margin.
This idea can lull small businesses into a sense of complacency, adopting a mindset that breaches are only a large enterprise problem.
Not only are small businesses more susceptible to breaches due to factors such as lack of capable IT resources, but they also suffer the greatest in the aftermath of an attack.
The same Ponemon Study found that 60% of small companies shutter their doors within 6 months of a cyber attack, a fact buried in the headlines.
The majority of these attacks are phishing/social engineering in nature, something that can be limited in scope with proper cyber hygiene training for the staff at these smaller firms.
Combating Coordinated Attacks
Don’t expect these attackers to change their tactics, techniques, or procedures (TTPs) anytime soon, for one simple reason — it’s working.
Until U.S.-based businesses, both large and small, become more resilient against these types of attacks, we will continue to see large volumes of ‘multiple reuse’ phishing-based email compromise/ransomware attacks.
This scenario is a goldmine for bad actors, a literal extortion economy of scale, multiplying the effect of attacking just one small entity.
This attack vector requires very little overhead, as it can be developed once by an attacker and reused many times, ensuring a low level of effort, high volume and devastating consequences when successful.
Threats never disappear completely; they simply shift their target, strategy or method of delivery and reemerge in new ways.
Whether it’s internet pop-ups, credit card fraud or phishing email sophistication, we continue to witness a threat climate evolving in real time. The 2017 Google Docs phishing email marked the first coordinated phishing attack on a massive scale.
As the threats continue to evolve, the bar to achieve cyber resiliency continues to rise.
Ten years ago, a strong network perimeter, managed operating system patching and endpoint protection defined a strong cyber hygiene posture for many organizations.
Today, the same posture would be, quite literally, the bare minimum you need in place to hope to show ‘due diligence’ within your corporate environment.
As the dust settles on yet another ransomware attack, there are always tangible takeaways for businesses of all sizes to consider and adopt.
We must align our security programs toward a “Layered Security” approach: having multiple layers of security so that a single attack cannot bypass all in-place security controls.
When it comes to the threat of ransomware and many complex threats, some best practices include:
- Implement a cyber hygiene program to strengthen the “human firewall.”
- Assess your risks and security gaps and plan for their remediation.
- Store offline backups of critical assets.
- Plan your response well in advance. According to Vanson Bourne, an independent UK-based research firm, more than two-thirds of 3,100 organizations interviewed said they were hit by a cyber attack in the last year. What does this mean? A cyber breach is definitely a “when,” not an “if” scenario. Response plans should be created and tested prior to an actual event occurring.
There is no panacea when it comes to these cyber threats, but there are well-founded best practices that, when used properly along with a security metrics program, can help to ensure a minimal attack surface and a reduced scope and impact of any cyber event.
Aftermath of the Texas Cyber Event
The Texas cyber breach will most likely lead to smaller entities scrutinizing their outsourced IT service providers in greater detail.
Evidence of this can be found today by simply reviewing ‘due diligence’ questionnaires entities are requiring these service providers to complete. Expect to see these same entities require independent audits/certifications for outsourced providers as well.
Given the effectiveness of coordinated attacks, an inevitable domino effect will ensue: municipalities can expect to pay higher insurance premia for cyber extortion coverage, more cities and towns will add cyber extortion coverage to their policies with increased limits, and outsourced IT service providers may charge higher fees for increased service level agreements to fulfill stricter security requirements.
Although Atlanta and Baltimore refused to pay a ransom in the aftermath of their breaches, smaller municipalities with smaller budgets may not have the same luxury.
This scenario for smaller towns is exacerbated by the length of time it took these larger cities to recover, and the additional expenses incurred by not paying the ransom demanded.
Besides reviewing cyber policies in greater detail, scrutinizing outsourced IT service providers more closely and following the best practices mentioned earlier, the most often-overlooked factor municipalities must consider is the implementation of a robust cyber hygiene program.
The biggest threat lies between the keyboard and the chair — by adding resiliency to this human element in our governments, we add resiliency to our nation.