In July 2020, when employees at Boyce Technologies — a New York–based provider of network technology solutions — logged onto their computers and tried to open files, they got an alarming message. Their data had been encrypted, a tipoff that cybercriminals had breached their network.
The attackers had extracted hundreds of documents, which they were threatening to post to the dark web, according to a report in Cointelegraph, a cryptocurrency and fintech news site, and interviews with several security analysts. In order to restore network access and return Boyce’s files, cybercriminals demanded a ransom.
The attackers — part of the DoppelPaymer gang believed to operate in Russia — knew they were hitting the 150-person company at a critical time. Back in the spring, when New York City was a COVID-19 epicenter, Boyce pivoted from making transit communication systems to making low-cost, FDA-approved ventilators for COVID patients.
When there’s desperation, the bad guys [cybercriminals] are more likely to get their money.
Boyce has not commented publicly about whether it paid the ransom and declined to respond to questions for this article. But at the time of the attack, it was shipping several hundred units a day to hospitals around the country. A company in that situation has a tough choice to make, says Larry Ponemon, founder of Ponemon Institute, a cybersecurity and privacy research organization. They must either pay up or endure life-threatening production delays in the middle of a pandemic.
“Sometimes the consequences of not paying are just too high,” says Ponemon. “This was a worst-case scenario, where you could have people dying.” He adds, “When there’s desperation, the bad guys are more likely to get their money.”
Smaller companies, bigger targets
Although cyberattacks on large companies dominate the headlines, small and midsized enterprise firms (SMEs) like Boyce are now the most common targets of attacks. But unlike big companies, which boast sizable IT budgets and remain on high alert for new threats, many smaller organizations aren’t even aware of the threat — a vulnerability that cybercriminals prey upon.
“Many companies think it’s the big companies that get hit,” says Alex Holden, founder of the Wisconsin-based security consulting firm Hold Security. “When they’re attacked, they’re always surprised and wonder, Why us?”
Cybercriminals also target SMEs for another reason: They provide an easy path to an SME’s high-profile customers — so-called supply chain attacks. Several months before the cybercriminal group hit Boyce’s systems, it reportedly found its way into Visser Precision, a Denver-based manufacturer and defense contractor, and stole sensitive data on its customers. These included Boeing, Lockheed Martin, Tesla and SpaceX, according to a TechCrunch report.
Remote work has made the problem for SMEs even worse. Employees who were once in the office on a company-owned device and always connected to the network are now at home, in some cases using a personal device that’s not connected to a VPN or that other members of the household, and lots of other unsecured household devices, also use. Cybercriminals know this — so they are increasingly targeting remote employees and their unsecured endpoint devices. According to a recent report by Malwarebytes, 20% of cybersecurity leaders say they have faced a security breach in 2020 that was the result of a remote worker.
Stop the phishing expeditions
Many SMEs would like to beef up their cybersecurity defenses, but say the pandemic has put up major major financial hurdles. In a September 2020 survey by network security firm Untangle, one-third of SMEs identified the lack of a sufficient IT budget as their greatest challenge to securing their networks, with 38% saying they allocate just $1,000 or less to IT security. That penny-wise-dollar-foolish attitude is costly. Cybersecurity experts warn that a failure to protect an organization against hacks can end up costing far more later. In 2019, for example, the average cost of a data breach for an SME, including lost time, was $150,000.
While SMEs will never match the cybersecurity systems of big companies, they can cost-effectively adopt some of their best practices, notably educating employees. The greatest single area of impact, says Ponemon, is phishing emails — fake messages that aim to trick users into verifying their username and password or clicking on a malicious link. According to Verizon, 32% of all data breaches in 2019 occurred because of phishing, where criminals weren’t looking for software vulnerabilities, but human ones.
“Phishing used to be so obvious, like the logo of the company was fuzzy, words spelled wrong, bad grammar,” says Ponemon. “It’s changed quite a bit. Some scams are unbelievably personalized. They know you, they know where you live.”
Even Ponemon has fallen victim to a recent phishing attempt. Attackers hacked into and read his emails, then crafted a message that looked like it was from someone he regularly corresponds with. To help people spot phishing attempts, Ponemon advises that IT leaders at SMEs educate their employees on the tactics cybercriminals use and conduct regular simulations with fake emails.
Beef up password protections
Cybersecurity experts also recommend training employees to understand the value of multifactor authentication for logins, basic encryption for files and longer passwords. These are far more likely than short passwords to withstand automated “password spray” attempts — when cybercriminals try the same password across many accounts before moving on to trying another one.
“If you only have six or seven characters, you can have all those uppercase, lowercase, special characters, numbers, it doesn’t matter. It’s still going to only take seconds or minutes to break it,” says James Lee, COO of the Identity Theft Resource Center. “But if you have a 12-character password, that will take 300 years to crack. Your password will outlive you.”
If companies can’t afford the IT staff to spearhead this training, Holden recommends a “fire marshal” approach. Just as many companies have fire marshals to oversee the procedures that should be followed in the event of a fire, SMEs could deputize several employees within the organization to have oversight for cybersecurity best practices.
“Now that breaches are an everyday event, ignoring cybersecurity is like someone saying it’s OK to have open fires in enclosed spaces,” says Holden. “We need the same level of concern and behavior change for cybersecurity.”