Pipelines, banks, Internet networks, hospitals, manufacturing plants, water treatment systems. We don’t have to imagine the damage hackers could wreak by crippling just one of these gears in America’s biggest economic engine – we see it playing out at the gas pump this week.
Often all it takes is an unwitting worker clicking on a contaminated email link, or an IT department getting momentarily lazy about the hygiene of its systems. While we don’t know exactly what led to the Colonial Pipeline ransomware attack, it reminds us that every digitally connected business has vulnerabilities and that critical US infrastructure is the juiciest target.
For a company that transports fuel across the U.S. Gulf Coast and up the East Coast, it’s easy to see how cybersecurity could slip down the list of concerns. Managers must regularly worry about repairs to avoid oil spills, work accidents, natural disasters and pandemics – all risks listed in the annual reports of publicly traded pipeline operators. But devoting resources to cybersecurity now can save a lot later.
Just ask Colonial: The company quietly paid nearly $5 million in hard-to-trace cryptocurrency to hackers in Eastern Europe last Friday to regain control of its systems, according to Bloomberg News, an amount that may itself be tiny compared with the cost of shutting the pipeline down.
This was after the Associated Press reported that an external audit of Colonial in 2018 revealed “glaring shortcomings” in its data management practices. As it turns out, the company was looking to hire a new cybersecurity manager two months ago.
Almost 80% of all breaches have a financial motive, said Sampath Sowmyanarayan, chief revenue officer for Verizon Business, which has a team that studies cybersecurity breaches in partnership with the FBI. “It’s almost always a question of money,” he said. After all, in a ransomware attack, the key word is ransom.
Colonial is not the only one to neglect its digital health. Small energy companies spend only about 0.25% of their income on security, Brian Walker, director of risk consultancy firm The CAP Group in Dallas, told Bloomberg News. Big tech companies and banks spend around 1.5%, on much larger sums.
CEOs around the world should take this as a wake-up call. In recent years, large share buyback programs have shown that companies generate so much extra cash that they don’t know how else to spend it. Shareholders would much rather see money spent on the vigilance that prevents a breach than on recovering from one that could have been avoided, and the former costs far less.
Data breaches cost businesses $3.86 million per incident on average last year, although for entities without advanced security automation the damage was even greater, at $6.03 million, according to a report from International Business Machines Corp.
Colonial’s $5 million ransom payment may sound like a lot, but – please cover your ears, hackers – it’s not hard to imagine demands growing much larger when nationally important and socially necessary infrastructure, known to generate billions of dollars a year in profit, is involved.
Still, “advanced security” shouldn’t spark Hollywood images of retinal scanners opening secret rooms filled with expensive high-tech equipment. In fact, the first line of protection against cyber threats is much more fundamental: Teach your employees not to be so cavalier in their clicks and shares. “The James Bond thing is pretty small in the scheme of things,” Verizon’s Sowmyanarayan said.
The biggest avenues for breaches these days are phishing – emails claiming to be from a legitimate source that steal information from unsuspecting users – and social engineering. An example of the latter is a caller pretending to be from the Internal Revenue Service and asking you to confirm your Social Security number as they build a profile of you. Or maybe the caller is claiming to be your employer wanting to confirm your login details. Sometimes the scam is obvious, but other times the hackers can be very convincing.
Remote work also presents new risks. In February, hackers exploited remote access software at a water treatment facility in Oldsmar, Fla., which used an outdated computer system and reused passwords, in an attempt to poison the water with dangerously high levels of sodium hydroxide. Fortunately, an emergency responder quickly intervened.
A natural question raised by the Colonial attack is whether the government should play a more direct role in overseeing the cybersecurity of critical infrastructure owned by the private sector. In this divisive political environment, that would be a heated debate, and what big business would say is clear.
However, the US National Institute of Standards and Technology, an agency of the Department of Commerce, provides a cybersecurity framework, which Verizon recommends to its business customers. Among other things, it emphasizes training of the workforce. Some companies go so far as to run their own internal phishing attempts to test employees. The click-through rate in phishing simulations has fallen to 3%, but “there is a long tail of companies with much higher click-through rates,” according to Verizon’s 2021 Data Breach Investigations Report.
Other good habits include backing up data, updating network packages, auditing logs, and “whitelisting” applications so that users can only run programs approved by the administrator, said Sowmyanarayan. It’s no wonder the information security team at Verizon Media Group (also known as Yahoo and AOL) is called the Paranoids.
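As an added illustration of two of the habits named above, auditing logs and application allowlisting (this is example code added here, not code from the column, from Verizon or from NIST), the Python below checks a process-start log against an administrator’s list of approved executables and reports anything that ran outside it. The JSON-lines log format, the hostnames, user names and paths, and the allowlist itself are all constructed assumptions.

```python
"""Application allowlist audit over a process-start log.

Added example; not code from the article or from any company it names.
Assumed log format: one JSON object per line with "host", "user" and
"image" (full path of the executable). All values below are constructed.
"""
import json
from collections import Counter
from pathlib import PureWindowsPath

# Constructed allowlist: full paths of executables the administrator approved.
ALLOWLIST = {
    r"C:\Program Files\Vendor\HMI\hmi.exe",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Windows\explorer.exe",
}

# Constructed process-start events; hosts, users and paths are invented.
SAMPLE_LOG = "\n".join([
    json.dumps({"host": "ws01", "user": "operator",
                "image": r"C:\Program Files\Vendor\HMI\hmi.exe"}),
    # Forward slashes and upper case: approved once the path is normalised.
    json.dumps({"host": "ws01", "user": "operator",
                "image": "C:/Windows/System32/NOTEPAD.EXE"}),
    # Double extension launched from a temp folder: not approved.
    json.dumps({"host": "ws01", "user": "operator",
                "image": r"C:\Users\operator\AppData\Local\Temp\invoice.pdf.exe"}),
    json.dumps({"host": "lap03", "user": "jsmith",
                "image": r"C:\Program Files\Vendor\HMI\hmi.exe"}),
    # Unapproved tool from a Downloads folder: not approved.
    json.dumps({"host": "lap03", "user": "jsmith",
                "image": r"C:\Users\jsmith\Downloads\Update_Tool.exe"}),
    # A corrupt line: an audit must surface it rather than silently skip it.
    "this is not json",
])


def normalize(path: str) -> str:
    """Normalise a Windows path so slash direction and letter case cannot
    be used to slip past a plain string comparison with the allowlist."""
    return str(PureWindowsPath(path)).lower()


def audit(log_text: str, allowlist=ALLOWLIST) -> list:
    """Return one record per event whose executable is not on the allowlist,
    plus one record per malformed line, each tagged with the line number."""
    approved = {normalize(p) for p in allowlist}
    violations = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
            image = event["image"]
        except (ValueError, KeyError, TypeError):
            violations.append({"line": lineno, "reason": "malformed event"})
            continue
        if normalize(image) not in approved:
            violations.append({
                "line": lineno,
                "host": event.get("host"),
                "user": event.get("user"),
                "image": image,
                "reason": "not on allowlist",
            })
    return violations


def summarize(violations: list) -> Counter:
    """Count allowlist violations per (user, host) so repeat offenders stand out."""
    return Counter((v["user"], v["host"]) for v in violations if "user" in v)


if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    for v in found:
        print(v)
    print(summarize(found))
```

Path normalisation is the part worth copying: an allowlist compared as raw strings is trivially defeated by a different slash or letter case, which is why the check lowercases and canonicalises through `PureWindowsPath` before comparing. Malformed lines are reported rather than dropped, since a log that stops parsing cleanly is itself something an auditor wants to know about.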
The terrorist attacks of September 11, 2001 prompted organizations to rethink security. The COVID-19 pandemic has imposed more stringent health and sanitation protocols. It would be a mistake to treat the Colonial Pipeline hack any differently when it comes to cybersecurity.
Tara Lachapelle is a Bloomberg Opinion Columnist