In a Forbes article several weeks ago, I observed that the remote work model creates a greater cybersecurity threat since it exposes us to bad actors in ways that are much riskier than when we’re all working in our offices with the benefits of technological and social barriers to attacks. In our “post-Covid” world companies must think harder about how to protect themselves, and as we settle on appropriate return-to-the-workplace solutions for our organizations and employees we should take into account cyber-risk and recognize that cyberattacks are only going to increase in seriousness, scale, and frequency. Chadi Hantouche, cybersecurity expert and leader of Wavestone’s Asia Pacific practice, describes our new reality as “not a problem that can be finally and definitively ‘solved.’ Problems have defined solutions, and often concrete end points, but cyber threats are not problems any more than criminality is a problem—it is an ongoing challenge you need to address constantly.”
One unexpected hallmark of our global pandemic has been the stunning rise in cyberterrorism, which has been aided and abetted by the parallel growth of cryptocurrency. We’ve all gotten used to hacks, pranks, scams, and other annoyances of our online lives, but in recent years we’ve witnessed technological threats that we’ve only really seen before in James Bond movies: organized criminals, likely with the explicit support of foreign governments, attacking American businesses with sophisticated cyberweapons to shut them down and demanding huge sums of money as ransom. This phenomenon is not just criminal; it’s terrorism, and unfortunately it’s also now part of our business risk reality.
Cybercrime is nothing new, but security experts are struggling to keep up and the impact is getting more serious. Ransomware—when hackers, historically from Russia and now China, break into private systems to hold data for ransom—is up 150% or more since the beginning of 2021, with an estimated impact of $1.4 billion or more. The realities include:
· Since 2016, over 4,000 ransomware attacks have occurred daily in the U.S.
· Experts estimate that a ransomware attack will occur every 11 seconds in 2021. (Cybercrime Magazine)
· The average downtime a company experiences after a ransomware attack is 21 days. (Coveware)
· In 2020, ransomware payments were 7% of all funds received by cryptocurrency addresses. (Chainalysis)
· Damages related to cybercrimes are expected to increase to $6 trillion by 2021. (Cybersecurity Ventures)
It’s plain to see that ransomware crime and cyberterrorism are not just annoyances, they are a major national security and economic issue—and one that the U.S. government arguably should be taking much more seriously. The software security company Varonis outlines several worrisome trends, including criminal attention shifting to more vulnerable industries like healthcare providers and schools; evolving “strains” of ransomware and the spread to mobile technology; and, almost preposterously, the growth of RaaS, or “Ransomware-as-a-Service.”
Ransomware has been front-page news this year, with massive attacks on the Colonial Pipeline and the global meat-producer and supplier JBS. Over the 4th of July weekend, there was an attack on Kaseya, a technology company few people outside the managed services industry had ever heard of. But while Kaseya is a relatively small company, it provides a powerful case study, because Kaseya is a small company with a huge reach: it provides software such as remote system monitoring and backup to thousands of small and midsize businesses directly, and to many thousands more through managed services providers (MSPs). If cybercriminals can crack into this kind of technology ecosystem, they can disrupt and hold many businesses hostage—a terrifying concept for a country like the USA where small business is our lifeblood.
The way Kaseya responded to their ransomware attack can offer some helpful insights for what to do if you are attacked.
Kaseya successfully defended itself against what has been called one of the largest cyberattacks ever. Here is what they did right. Within an hour of being alerted to a potential attack by internal and external sources, Kaseya shut down access to all its affected software. This protocol limited the impact of the attack to fewer than 60 of Kaseya’s 36,000+ customers. The company’s rapid remediation and mitigation measures saved thousands of small and medium-sized businesses from suffering devastating consequences to their operations and minimized any impacts to critical infrastructure.
Next, Kaseya engaged its internal incident response team, partnering with leading industry experts in forensic investigations. Once an attack was established, law enforcement and government cybersecurity agencies, including the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the White House were immediately notified and engaged within the hour. With the assistance of these agencies, the root cause of the attack was identified. FireEye Mandiant IR, a leading computer incident response firm, also worked closely with Kaseya on this security incident.
While the patch was ready to go within a day, Kaseya CEO Fred Voccola made a tough call to keep the system down for several more days. “We wanted to be absolutely sure that our customers were protected,” he said. “It was a hard decision to make, but it was clearly the right thing to do.”
Kaseya’s customers are now back online, so it did turn out the tough choice was the correct one … as it often is. And due to the company’s intentional segregation of their software modules, out of its 27 modules, only one (VSA) was compromised. Additionally, of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, no more than 1,500 were affected. Furthermore, Kaseya protected more than 99.9% of its core customers, with only 36,950 of 37,000 not being breached. If the ransomware attack on Kaseya ever becomes a business school case study (perhaps a Tylenol scenario for SaaS?), it will serve as a reminder of what’s most important: “protect first.”
Ransomware is a serious problem for the post-Covid world for companies large and small. And if you own a business, ransomware could destroy it. There’s an old expression: “What doesn’t kill you makes you stronger.” Kaseya has taken heed of that lesson and it has emerged stronger. They followed their playbook and reverted to one of their core values: protecting their customers. Moving forward, the company has prioritized strengthening security operations across the organization, with internal security teams have studying the environment to identify possible future vulnerabilities and address them.
As leaders and companies, we must do more: expect ransomware attacks; protect ourselves as best we can; and have a playbook we can run when the inevitable happens. Because when it comes to cybercrime, at least right now, it’s not a question of if, it’s a question of when.