Safeguarding Your Company from Ransomware and Cyberattacks
At the MHI Cybersecurity Workshop, business executives will witness the debilitating effects of a successful ransomware attack on a material-handling company, but thankfully, they won’t feel any of the pain.
Cybersecurity experts Chris Finan and Robert Knake will lead a tabletop exercise simulating a cyberattack and a fictional company’s response, and attendees will receive a resource packet to help them establish a comprehensive cybersecurity program for their companies.
Finan and Knake said the seminar at MHI’s headquarters in Charlotte, N.C., isn’t designed to scare logistics professionals about one of the biggest threats facing their businesses. Rather, their goal is to show that cyberattacks are a manageable risk, so long as companies stay vigilant and committed to best practices.
“The adversary in our scenario is going to achieve their objective, so we’re going to discuss how you handle that,” said Knake, principal at the boutique cybersecurity firm Orkestrel. “Are you in a position to not pay a ransom? Are you able to recover your networks and systems from backups, patch the vulnerabilities in your security posture and get back to business? The goal of the exercise is to help people see the pathway to that outcome.”
Knake and Finan have serious cybersecurity chops. Knake recently returned to the private sector after serving as deputy national cyber director at the White House’s Office of the National Cyber Director. In that role, he led the development of the National Cybersecurity Strategy and oversaw federal cybersecurity spending. He also has served as a director at the National Security Council (NSC).
Finan, a former White House cybersecurity official, served as the director of cybersecurity legislation and policy at the NSC and now is an entrepreneur advising cybersecurity startups. Safeguarding companies from ransomware can seem overwhelming given the frequency and severity of high-profile attacks, he said. But in reality, “it can be managed just like any other business risk,” he added.
“It starts at the CEO level,” Finan said. “You have to have executive ownership of this problem. You’ve got to take the time to communicate its importance to your staff because you’re going to need the entire company to buy in.”
Logistics in the Crosshairs
Warehouses and distribution centers are attractive targets for ransomware criminals because they’re fast-paced business environments where disruptions to operations quickly hurt the bottom line. In addition to lost revenue from unplanned downtime, shippers risk disappointing their customers and losing market share if they can’t make deliveries on time.
Those companies also have vast quantities of sensitive data about customers and their own internal operations that they wouldn’t want to be disclosed to competitors and the public at large. Consequently, hackers “see fertile hunting ground in the supply chain and supply-chain technologies,” Finan said. “Those companies are very much in the crosshairs.”
Facing financial and reputational damage, many companies understandably accede to hackers’ demands and pay up. But the FBI doesn’t support paying a ransom to cybercriminals, noting that doing so only encourages future attacks. There’s also no guarantee that companies will get their data back.
“I have a very strong view that you should not pay ransoms,” Knake said. “Every time you pay a ransom, you’re helping these criminal organizations improve their capabilities. These are sophisticated organizations, so they’re reinvesting that money to become more advanced. That’s why I support banning ransom payments.”
Best Practices
Implementing a few best practices can greatly reduce the risk of a successful ransomware attack, Knake said. One essential component is requiring multifactor authentication to verify employees’ identities before they can access a system, application or service. It adds a second layer of security beyond just a username and password, which can be compromised by hackers.
Multifactor authentication can take several forms. Employees may be asked to answer a security question or enter a PIN they receive via text message or email. They also may be able to use a fingerprint, eye scan or voice recognition to prove their identity.
Secondly, companies should back up their data to the cloud frequently, and their IT departments or vendors should regularly install patches to software programs, ensuring that vulnerabilities are corrected promptly.
“Most cybercriminals reuse vulnerabilities that are already out there, so if you patch your software, you’re going to have decent protection,” Knake said.
Finan said patching software can become complex for companies with “large software footprints, so we encourage companies to look for ways of turning on automated patching—making sure these systems are patched regularly, or at least when there are high-severity vulnerabilities announced, they get those notifications, and they’ve got a process in place to quickly patch those systems.”
Patching software is a necessary but insufficient precaution. Knake said he’s concerned that a growing number of hacking groups are taking advantage of “zero-day vulnerabilities,” or weaknesses in software programs that haven’t been discovered yet.
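The patching process described above (automated patching where possible, notifications for high-severity advisories, and a process to act on them quickly) comes down to knowing which systems are exposed to which advisories and how long each has been open. The following is an added example, not code from the article or from MHI, Orkestrel or the speakers, that turns a constructed software inventory and a constructed advisory list into a prioritized patch backlog. The advisory identifiers, product names, version numbers and the per-severity deadlines in PATCH_SLA_DAYS are all assumptions made for the illustration.

```python
"""Prioritise patching by advisory severity and age (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date

# Maximum days allowed between advisory publication and patch, by severity.
# Constructed policy values; a real program would take these from company policy.
PATCH_SLA_DAYS = {"critical": 3, "high": 7, "medium": 30, "low": 90}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder ids, not real CVE numbers
    product: str
    fixed_in: str      # first version that contains the fix
    severity: str
    published: date


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


def parse_version(text):
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(asset, advisory):
    """An asset is exposed when it runs the affected product below the fixed version."""
    return (asset.product == advisory.product
            and parse_version(asset.version) < parse_version(advisory.fixed_in))


def patch_backlog(assets, advisories, today, min_severity="high"):
    """List every (asset, advisory) pair at or above min_severity, most urgent first.

    Each entry records how many days the advisory has been open and whether the
    company's own deadline for that severity has already been missed.
    """
    threshold = SEVERITY_ORDER.index(min_severity)
    backlog = []
    for asset in assets:
        for adv in advisories:
            if not is_vulnerable(asset, adv):
                continue
            if SEVERITY_ORDER.index(adv.severity) < threshold:
                continue
            days_open = (today - adv.published).days
            backlog.append({
                "host": asset.host,
                "advisory": adv.advisory_id,
                "severity": adv.severity,
                "days_open": days_open,
                "overdue": days_open > PATCH_SLA_DAYS[adv.severity],
            })
    # Highest severity first, then the advisories that have been open longest.
    backlog.sort(key=lambda r: (-SEVERITY_ORDER.index(r["severity"]), -r["days_open"]))
    return backlog


# Constructed inventory and advisory feed for the demonstration.
SAMPLE_ASSETS = [
    Asset("wms-app-01", "wms", "4.2.1"),
    Asset("wms-app-02", "wms", "4.3.0"),
    Asset("scanner-gw", "vpn-gateway", "9.1.0"),
    Asset("hr-db", "dbserver", "12.4"),
]
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "wms", "4.3.0", "critical", date(2024, 5, 1)),
    Advisory("ADV-0002", "vpn-gateway", "9.2.1", "high", date(2024, 5, 10)),
    Advisory("ADV-0003", "dbserver", "12.5", "medium", date(2024, 4, 1)),
]
REVIEW_DATE = date(2024, 5, 15)

if __name__ == "__main__":
    for row in patch_backlog(SAMPLE_ASSETS, SAMPLE_ADVISORIES, REVIEW_DATE):
        flag = "OVERDUE" if row["overdue"] else "within SLA"
        print(f"{row['host']:12} {row['advisory']} {row['severity']:8} "
              f"{row['days_open']:3}d open  {flag}")
```

With the sample data only two systems appear in the high-and-above backlog: the WMS server still on 4.2.1 (critical, 14 days open, past its 3-day deadline) and the VPN gateway (high, 5 days open, still within its 7-day deadline). The second WMS server already runs the fixed version and drops out, and the medium-severity database advisory is only shown when the threshold is lowered.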
“We used to think that only the Chinese and Russian military and intelligence organizations were really capable of doing that—finding unique vulnerabilities in commonly used software and using them to exploit targets for criminal gains,” Knake said.
To identify vulnerabilities, companies should have their IT department or vendor perform regular cybersecurity audits, examining all computer-based systems and their associated levels of risk. Companies also should invest in firewalls, antivirus programs, data encryption and intrusion-detection systems to help prevent and detect attacks.
Training is Essential
Every employee should receive ongoing training in the latest social engineering techniques used by hackers, such as phishing emails and scam phone calls. Training is especially important when onboarding new hires, but even established employees should be reminded not to share sensitive information such as login credentials, to choose strong passwords and to change them frequently.
Workers shouldn’t reuse old passwords or have the same password for multiple applications. To prevent a successful breach from spreading to multiple computer-based systems, employees should have access only to the data they need to perform their jobs. Companies should periodically review who has access to what data, recognizing that employees’ roles may change over time.
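Limiting each employee to the data their job needs and periodically reviewing who has access to what is a routine that can be automated. The following is an added example, not code from the article or from any of the people or companies it mentions: it compares each user's actual grants against a per-role baseline, flags anything beyond the baseline, and also flags accounts that have gone unused long enough to warrant a second look after a role change or departure. The role names, permission strings, user records and the 90-day dormancy threshold are all constructed for the illustration.

```python
"""Periodic least-privilege access review (added example, constructed data)."""
from datetime import date

# Role baselines: the permissions each job role needs and nothing more.
# Constructed for illustration; a real program would load these from the
# company's identity or HR system.
ROLE_BASELINE = {
    "picker": {"wms:read"},
    "warehouse-lead": {"wms:read", "wms:write"},
    "finance": {"erp:read", "erp:write"},
}

INACTIVE_AFTER_DAYS = 90  # constructed policy value


def review_access(users, today, inactive_after=INACTIVE_AFTER_DAYS):
    """Return findings for excess grants, roles without a baseline, and dormant accounts.

    Each user is a dict with name, role, grants (iterable of permission strings)
    and last_login (a date).
    """
    findings = []
    for user in users:
        baseline = ROLE_BASELINE.get(user["role"])
        if baseline is None:
            # A role nobody has defined a baseline for cannot be reviewed automatically.
            findings.append({"user": user["name"], "issue": "no-baseline",
                             "detail": user["role"]})
            continue
        excess = set(user["grants"]) - baseline
        if excess:
            findings.append({"user": user["name"], "issue": "excess-grants",
                             "detail": sorted(excess)})
        idle_days = (today - user["last_login"]).days
        if idle_days > inactive_after:
            findings.append({"user": user["name"], "issue": "dormant",
                             "detail": idle_days})
    return findings


def revocation_plan(findings):
    """Map each user with excess grants to the exact permissions to remove."""
    return {f["user"]: f["detail"] for f in findings if f["issue"] == "excess-grants"}


# Constructed user records for the demonstration.
SAMPLE_USERS = [
    # Moved from finance to the floor but kept an ERP permission.
    {"name": "dana", "role": "picker", "grants": ["wms:read", "erp:read"],
     "last_login": date(2024, 5, 28)},
    # Correct grants, but the account has not been used since January.
    {"name": "lee", "role": "finance", "grants": ["erp:read", "erp:write"],
     "last_login": date(2024, 1, 15)},
    # Exactly matches the baseline and is active: nothing to report.
    {"name": "sam", "role": "warehouse-lead", "grants": ["wms:read", "wms:write"],
     "last_login": date(2024, 5, 30)},
    # Role with no agreed baseline, so it needs a manual review.
    {"name": "pat", "role": "contractor", "grants": ["wms:read"],
     "last_login": date(2024, 5, 29)},
]
REVIEW_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    results = review_access(SAMPLE_USERS, REVIEW_DATE)
    for f in results:
        print(f"{f['user']:6} {f['issue']:14} {f['detail']}")
    print("revoke:", revocation_plan(results))
```

Run against the sample records, the review produces three findings: one permission to revoke from the employee who changed roles, one dormant finance account, and one role with no baseline that has to be reviewed by hand. The active warehouse lead whose grants match the baseline produces nothing, which is the outcome a periodic review should reach for most staff.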
Employees should be taught not to open suspicious-looking attachments and to use caution when visiting external websites. For a fee, most cloud-services vendors will provide advanced filtering of incoming email, reducing the amount of spam landing in workers’ inboxes, but they may not detect the increasingly sophisticated threats launched by top ransomware criminals, Knake said.
Hackers frequently comb corporate websites, LinkedIn, Facebook and other sites for email addresses and information they can use to create highly targeted phishing emails, he said. The emails typically urge employees to give up sensitive information by creating a sense of urgency, convincing them to abandon normal cybersecurity procedures and cast their doubts aside.
With the emergence of artificial intelligence, companies can expect these highly personalized phishing attempts to become more common and harder to identify, Knake said. The risk is elevated when a trusted customer or vendor suffers a breach and hackers use their email accounts to send phishing emails, adding a layer of authenticity to the attack.
If something sounds fishy, or if someone requests sensitive information, workers should be instructed to pick up the phone and contact that person directly.