By Kevin Oklobzija, originally published in Rochester Business Journal on February 17, 2021.

Ransomware attack may be a matter of when, not if

Cybersecurity is always a priority for businesses of all sizes, but even implementation of the most aggressive system defense packages, along with advanced employee training, may not be enough to ward off an attack.

Cyber criminals have exploited vulnerabilities in systems, as well as in work-from-home arrangements, during the coronavirus pandemic to hold businesses hostage.

“It’s a matter of when, not if, and you have to be prepared for the aftermath of ransomware,” said David Wolf, vice president of Just Solutions, Inc., the Rochester-based IT support firm. “There’s a very fine line between being a victim versus being a survivor of it.”

That’s why experts say every business needs a “what if” playbook in place.

“Planning for what you’re going to do in the case of ransomware is very important,” Wolf said during a webinar on cybersecurity, the most recent in the Rochester Business Journal’s free webinar series. The cybersecurity webinar was sponsored by Just Solutions and Phillips Lytle LLP.

It’s imperative that system backups are nearly continuous, he advised.

“Last night’s backups aren’t good enough,” Wolf said. “Continuous backup, that’s the only way you’re going to do a real recovery.”

Paying your way out of a ransomware attack isn’t a solution. The Federal Bureau of Investigation warns against meeting any ransom demand “because you’re funding terrorist organizations,” Wolf said. Pending legislation, if passed, would make it illegal to pay a ransomware demand.

Since a ransomware attack could shut down operations of a business, companies need to know what their business policy covers, said Anna Mercado Clark, partner and the leader of the data security and privacy practice teams at Phillips Lytle.

Don’t assume that, just because your insurance policy covers “business interruptions,” a ransomware attack would be included. It almost always is not.

“You really want to focus on what’s excluded,” Wolf said of a policy review. “Most exclusions are specific that you are not covered if your business is interrupted because you got encrypted.”

When it comes to gaining access to a company’s computer system, hackers don’t always use the usual means, such as phishing or spear phishing via email. The 2013 cyber attack on Target, which resulted in the breach of 41 million customer payment accounts and led to an $18.5 million settlement, began with the hackers entering through a third-party vendor.

“The Target data breach was the result of a breach of a 70-person company that was doing HVAC services,” Mercado Clark said.

As cyber criminals become even more sophisticated, so, too, do the laws that protect the public. The SHIELD Act of 2020 requires victims of a breach to notify clients, employees and vendors.

But the requirements don’t cover just Social Security or credit card numbers. The definition of personal data has been extended to include biometric data, Mercado Clark said.

“What you look like, what your fingerprints look like,” she said. “It might also include information based on your biological or physical characteristics, and so the definition has now expanded to include somebody’s gait, somebody’s keystrokes, somebody’s sleeping pattern, somebody’s voice, their retina, their iris or any information that is based on those biological characteristics.”

Why is that so important? In 2018, 62 percent of companies in North America and Europe were using biometric verification in the workplace, Mercado Clark said. That number obviously has expanded in the past two years. Companies must be vigilant in protecting that data, she said.

One means of protecting company systems will be by shifting the traditional approach to security — putting up barriers “to keep the bad guys out” — to a modern-concept workplace, according to Sitima Fowler, vice president of marketing for Rochester-based Iconic IT, a managed IT service provider.

Fowler said the traditional approach to security “only creates barriers that legitimate employees must overcome — like multiple layers of authentication verification, which has a detrimental effect on the experience. It’s creating fatigue.”

The modern concept “begins with a zero-trust approach,” Fowler said. “We’re going to assume everyone is a fraud.”

But once the user has been identified, access to necessary systems is granted.

“You being the single source of truth identity can get to anything you need once we establish you are really who you are,” Fowler said.

Individuals can take precautions, as well. Zachary Armstrong, certified financial planner at Sage Rutty, advises clients to create a “secret” email account that is used only for financial matters. It has a different password and is never used for anything but personal finance information.

“You almost have to assume that everybody’s out to get you,” Armstrong said.

Wolf and Mercado Clark both said there’s no need to use an encrypted service such as ProtonMail. In fact, Wolf said, “ProtonMail is the email service of choice for the seedy side of the Internet on the dark web.”

They said the paid services from Microsoft and Gmail include the necessary security features.