In the wake of headline-grabbing cyberattacks at several well-known companies in recent months, business owners in southeastern Wisconsin may be wondering if such attacks are becoming more prevalent or harder to prevent.
In October, La Crosse-based Kwik Trip announced it was working through a “network incident” that caused a disruption to some of its systems, including its production facilities in La Crosse, internal communications system and customer loyalty program, according to a statement.
Then, in November, Johnson Controls, which has its operating headquarters in Glendale, reported experiencing “disruptions” to portions of its IT infrastructure and applications. The three-week cyberattack involved the use of ransomware by a third party to access the company’s internal IT structure, according to an SEC filing, resulting in a $60 million impact on the company’s fourth quarter sales.
The Medical College of Wisconsin is yet another local organization dealing with the aftermath of a cyberattack, carried out in May by Russian cybergang Clop, which stole the private health and personal data of thousands of customers. MCW and its software provider are now facing a class action lawsuit alleging at least $5 million in monetary damages.
The most recent cyberattack incident to make national news was earlier this month at Lurie Children’s Hospital in Chicago, which shut down its computer systems for a week after its network was accessed by a “known criminal threat actor.” The hospital remained operational, with limited access to communication systems and medical records for several days following the incident.
Over the past year, there has been a “larger rise” in the number of cyberattacks – specifically ransomware attacks, said Keegan Bolstad, sales manager at Milwaukee-based Ontech Systems.
What’s driving the uptick in ransomware attacks is an emerging underground business model known in the cybersecurity world as “ransomware as a service,” or RaaS. With the rise of artificial intelligence, Bolstad explained, cybergangs are now shifting away from executing cyberattacks themselves to instead supplying their ransomware know-how to other less-sophisticated hackers.
“They sold their toolset, they sold their knowledge as a service to others,” he said.
In the past, only highly trained individuals were equipped to carry out cyberattacks, but now it’s easier than ever for the average cybercriminal to go online and purchase hacking tools, along with step-by-step directions.
“You can basically buy kits to do all of this and they’re very inexpensive. There are kits for less than $1,000. If you trip up one person, one company, you can make your money back tenfold,” said Jared Olson, security team lead at Ontech.
Another factor driving the trend is ransom payment. Even though many cybersecurity firms advise against paying ransom to cybercriminals, companies – often on the guidance of outside counsel, such as insurers – continue to pay ransoms, in turn providing a financial incentive for criminals to continue carrying out attacks.
Artificial intelligence is also making it easier to automate cyberattacks, meaning criminals can hit several organizations at once with ease.
U.S. companies reported 3,122 data breaches in 2023 – up 75% from 2022 – impacting a total of 349,221,481 individuals, according to the Identity Theft Resource Center’s Annual Data Breach Report. The vast majority of the data breaches were linked to cyberattacks, with health care, financial services, professional services, manufacturing and education as the top industries impacted.
“AI can be used for a lot of awesome things to make our lives easier,” said Amanda Knutson, supervisory special agent at the FBI’s Milwaukee field office. “It’s also going to make (criminals’) lives easier.”
She explained that most cyberattacks attempted today rely on social engineering, basically psychological and/or emotional manipulation, and AI will make it harder to parse out these attacks.
For example, phishing email schemes that have traditionally looked suspicious – with obvious spelling or syntax errors, usually because the sender is a non-English speaker – won’t be so easy to spot now with the use of AI.
The same thing could happen with voice messages created using AI, Knutson said. Adding yet another layer of deception to cyberattacks, voice cloning technology that uses artificial intelligence to create fake audio recordings has become so prevalent that the Federal Trade Commission recently placed a ban on robocalls that use AI-generated voices. The FCC made this decision after a fake robocall imitating President Joe Biden was sent out to voters in New Hampshire, according to a Reuters article.
Preventative measures
There is some good news for business owners amid heightened risk of cyberattack threats. You likely won’t have to completely change your cybersecurity system to contend with some of these modern threats. You just need to make sure you’re doing the basics well.
“It really starts with making sure an organization understands their own risk tolerance,” said Brad Lutgen, partner at Madison-based Ghostscale. “We don’t see enough organizations formalizing a risk assessment and risk register process.”
This would involve a company focusing its cybersecurity budget on the areas that impact the business the most. Through a risk assessment, a business can find out what cyberattacks it is most at risk for and which threats could cause the greatest financial and reputational harm. Once a business knows those risks, it can prioritize them by cost.
Ghostscale also uses something called a stack attack as a preventative measure. The company takes data remnants from data breaches it’s helped investigate and works with its client to put that data on their network. Then, Ghostscale can test the tools a client has bought from various security vendors to make sure they are configured properly.
A strong incident response plan could be the difference between losing access to your internal systems for just a couple of days, as opposed to several weeks, said Lutgen.
“Everyone has a limited budget, and you need to focus your budget on the areas that impact the business the most,” he said.
Ontech helps clients implement several preventative measures, including dark web research and mobile device security.
With the rise of remote work, and usage of multiple electronic devices, securing company data through encryption is key. Businesses should also have policies in place for devices, including how long they can be accessed after a period of sitting idle. If devices aren’t protected with strong passwords, it’s easier for criminals to access data, which could eventually end up on the dark web.
Bolstad said the FBI recently informed Ontech of several clients who may have their personal data listed on the dark web.
“That gives other threat actors the ability to log into the system remotely and those users have everything they would need to be able to carry out an attack,” he said.
What to do if you’re attacked
Once your personal information is put on the dark web, there isn’t too much you can do to remove it, according to Knutson. There are several free websites, including haveibeenpwned.com, where people can check to see if their personal information has been listed.
The FBI takes no official stance on whether a company should pay out a ransom, but generally does not advocate for payment.
“It’s a business decision, we’re not going to tell organizations what they should do,” said Knutson.
Ontech cautions against negotiating with cybercriminals. It makes even less sense to negotiate if an organization already has a valid data backup in place and its data exists safely elsewhere.
“Often times, they can’t prove that they really have anything, but their demands for some of these ransom requests to get the data back is significant,” said Olson.
Being in constant communication with a local FBI office can help companies that have been impacted by a cyberattack. The FBI can help businesses regain control of their systems after an attack and may have further insight for business owners. FBI offices across the country work collectively to solve cybercrimes, giving them greater insights into national trends.
“There is potential that we have certain pieces of intelligence that we could share with them that could help their decision makers in determining what they should do next,” said Knutson.
The FBI also issues cybersecurity advisories that highlight current trends and give businesses guidance on how to protect their systems and prevent attacks.
Cybersecurity tips for companies
- Check ic3.gov regularly for cybersecurity alerts and advice from the FBI.
- Don’t use the “remember me” option when logging into personal accounts online. This makes it easier for criminals to hack into your accounts as the credentials are saved in a web browser.
- Put in place an incident response plan, including data backups. Start by having a professional assess what cyberattacks your company is most at risk for and what impact those attacks could have on your company’s finances and reputation.
- Make sure all devices that house company information are encrypted. This includes secondary devices such as tablets and phones.
- Per the advice of cybersecurity professionals, don’t pay out ransom to cybercriminals. Paying out ransoms gives criminals an incentive to continue carrying out attacks and there is no guarantee the bad actors will keep their promise.
- Make sure your company has a risk register in place. This form organizes potential risks and information relevant to each risk. That information can be used for prioritizing and decision-making if your company is impacted by a cyberattack. Having a risk register also provides legal coverage in the event of a cyberattack.
- Implement a security awareness training program for employees that changes your company’s culture. For example, instead of sending out a fake phishing email once a year, continually test small batches of employees throughout the year. Employees who don’t click on the email can then be entered into a drawing for a prize like a gift card.
- When introducing new software, think about security from the beginning. Consider who needs access to what information and structure user roles accordingly.