In early May 2019, the city of Baltimore fell prey to a debilitating ransomware attack. Emails and voicemails were crippled. The hackers seized data from the parking authority, water bill system, and real estate transactions. Anyone planning to purchase a home in May in Baltimore would be delayed.
Hackers demanded Bitcoin payments equal to around $100k to return the services and data. If they did not receive the money they would wipe out the data, costing the city significantly more in damage.
As of the writing of this article, more than 2 weeks after the attack, Baltimore mayor Bernard Young is standing strong against those that have perpetrated the attack. His stance is that paying these ransoms is what makes the practice possible and he posits that the money that is given to hackers is then likely used for them to build more sophisticated attacks.
However, when asked, after over 14 days of his city being hamstrung, if he planned to capitulate, he is quoted as saying, “Right now, I say no, but in order to move the city forward? I might think about it.”
In all likelihood, the reason that the city of Baltimore was put in the position of being saddled with a ransomware attack is not because it was specifically targeted. Ransomware attacks like this one are becoming more and more prevalent, and mainly have to do with opportunism. Something about their system made it particularly vulnerable and hackers were able to exploit that, costing them what will result in millions in damage whether they pay or not.
Don’t be Baltimore
Nothing against Charm City, but it is crucial in the age of rising incidences of cybercrime to be better prepared for attacks like these. Unfortunately, as criminal behavior increases the budget needed to remain vigilant must also increase.
Consider that according to CSO Online, damage from ransomware attacks grew 15 times in less than two years to more than $5 billion in 2017. And total cybercrime costs are projected to hit $6 trillion annually by 2021.
With this in mind, most companies are following the trend of increasing their cybersecurity budget. According to Varonis.com, over 75% say that they have readdressed this budget line with expenses going up over 140% in just the past 10 years. If your company isn’t keeping up at this pace, you may be inviting a devastating attack.
What might it cost you?
According to a study by IBM, individual cyberattack costs rose to an average of 3.9 million in 2018.
These costs are astronomical, but that is just the beginning. Take into account not only aspects like ransom but also lost revenue over the average 50 days it takes for a company to recover from attack as well as reputation costs and customer turnover.
What you can do to protect yourself
- Protect the crown jewels: The largest losses in cyber attacks come from the compromising of crucial data, representing over 40% of costs. Back up and silo the most important data in a dedicated server which is not networked and has limited access.
- Be Prepared: Put a plan in place for what to do if you are faced with an attack.
- Be Vigilant: Of course you don’t want to compromise the privacy of your employees, but making background checks part of your hiring protocol is crucial, online services such as NetDetective or BeenVerified to do this work for you.
- Get help: Again, spending money on this issue is likely going to be a fact of life. Get consultants to help you through where to prioritize spending.
- Create a culture of cybersecurity: This one doesn’t necessarily cost much money, but is likely the most important measure you can take. Make sure your company takes security seriously and set up protocols that make this clear.
Let’s talk cybersecurity — Better passwords are a great start!
Remember, like in Baltimore, most of these crimes do not involve hackers specifically looking for your company. 70% of breaches are caused by random process failure which often includes employees not following password procedures. Remarkably, two-fifths of reported cybersecurity incidents are the result of a breached password.
Typical password fails include:
- Being stuck in a password rut: Over 50% of people use less than 5 different passwords their entire life!
- Ancient passwords: Over 20% say they still use passwords that are over a decade old.
- Very poor password choices: Sadly, “password” “qwerty” and “12345” were among the most popular passwords of 2014.
How to create better password protocol
- Length: Making passwords more characters makes them more difficult to crack. Experts say to make passwords at least 12 characters long as each character adds an exponential level of security.
- Variance: Recommend not putting words or pronouns into passwords at all. Common advice is to take a phrase and to use the first letters of each word to create a memorable password. For example “My wife and I got married in 2008 and went on our honeymoon to Vegas!” would become MwaIgmi2008awoohtV!
- Have a different password for every site: This sounds overwhelming, but there are online services like LastPass and Dashlane that use complex encryption to keep your various passwords organized and safe.
- Two Step Verification: Usually this means a code is sent to an employee’s cell when they are logging in on a secure site. Taking advantage of this kind of two-step verification is crucial. You’ll be surprised to see how easy it is to set up two step verification on some of the most used websites.
Other tips:
Communication is key: Keep cyber security top of mind, often referencing it in company-wide emails and at meetings. Tell people about trends in phishing scams and convey tips on keeping secure.
Be watchful: If someone is acting suspiciously, be wary. Create a system where employees can anonymously report anything they find questionable.
Ensure your supply chain: Making sure your vendors and any IoT devices you are using are secure is essential. Many breaches are caused by weak security in a vendor company, or on a networked device that is brought in from another company. Also try talking to your bank about their safety protocols.
Unfortunately, the problem can not be ignored and this is a battle you will only win with investment and vigilance. Staying abreast of best practices is key. See below for a useful infographic from Varonis to help you prioritize your cybersecurity spending and avoid becoming another Baltimore.
Rob Sobers is a Sr. Director at cybersecurity firm Varonis. He has been writing and designing software for over 20 years and is co-author of the book Learn Ruby the Hard Way, which has been used by millions of students to learn the Ruby programming language. Prior to joining Varonis in 2011, Rob held a variety of roles in engineering, design, and professional services.