The Cybersecurity threat from Russia
On Thursday, February 24, 2022, Russia invaded the sovereign nation of Ukraine. Immediately after, in a speech, President Biden said the following:
“Let me also repeat the warning I made last week: If Russia pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond. For months, we have been working closely with our private — with the private sector to harden their cyber defenses, sharpen our ability to respond to Russian cyberattacks as well.”
While I don't doubt the veracity of this statement, there are 31.7 million small businesses in the U.S., and many, many, many of them are on their own when it comes to protecting the data that we control. And the threat posed by Russia is no small matter. Here are a few key points:
- New analysis suggests that 74% of all money made through ransomware attacks in 2021 went to Russia-linked hackers.
- At the end of 2021, Google discovered that more than 1 million devices had been infected in the Russian Botnet attack.
- Russia has a long history of cyberattacks, including the attack on the White House back in 2015.
Another wrinkle to this story is that Ukraine has significant offensive capabilities, as well, and those are being directed at Russia. In fact, a successful DDoS attack —a Distributed Denial-of-Service attack, pronounced DEE-daus— took Russian state news site RT offline Thursday and well into Friday right after Ukraine was invaded.
What can we do?
The White House hasn't released new guidance; they did release the following five best practices back in June 2021:
- Backup systems, regularly test them and keep the backups offline.
- Update and patch systems promptly.
- Test your incident response plan.
- Check your security team’s work via a 3rd party.
- Segment your networks.
While this is all good advice, this assumes a few things:
First assumption: You know what systems you have and what their status is. The reality for most businesses is that technology has grown organically and may be in various states: modern, dated, really dated, or hidden. Let's touch on the last one first. Unless you have recently had a code audit (something we can help you with), there is likely technology that nobody knows about. This technology may be something that a developer who is no longer with the company created, or something a marketing person bought and then forgot. It's surprising how many things are not on a company's radar and yet serve small but mission-critical functions. The reality of business is that keeping technology up-to-date is always a case of ROI. If the return on investment isn't there, the can is kicked down the road, and that process can be repeated for a long time. As a general rule of thumb, you can assume the following:
- Built in the last 3 years — probably ok
- Built 4 to 8 years ago — should likely be replaced
- Built 9+ years ago — probably in bad shape
This was still considered cool in 2012...
Second assumption: You have an ongoing roadmap with a support and replacement schedule for all of your technology. Knowing where everything is today is the first step — keeping things up-to-date is a never-ending responsibility.
Item #4 on the White House recommendation list is "Check your security team’s work via a 3rd party." As a 3rd party technology consultant, I obviously have some bias.
Get ready personally
If you can't influence the technology decisions at your organization, or even if you can, it's important to start protecting yourself personally. This is not fun to hear, but there will be more security breaches, and your data will be compromised. Here are three things you can do to mitigate the impact:
- Install antivirus software
- Use a password manager
- Don't click on links you don't recognize
Install antivirus software
If you aren't running antivirus software, you should be — EVEN if you are on a Mac. At Metal Toad, all of our machines run Sophos, and it's worth getting your organization to buy you a copy or buying one yourself.
Use a password manager
One of the most significant issues with data being hacked is usernames and passwords. 72% of people reuse passwords, and 13% use the same password for all their accounts. When a website or application is compromised, ALL of the websites and applications using that password are also compromised, potentially leading to a chain of data loss and/or fraud. The best way to avoid this is to use a password manager. At Metal Toad, we use LastPass to manage all of our passwords and keep track of duplicates, etc.
Don't click on links you don't recognize
I'm choosing my words carefully here. Don't assume a link is legitimate just because the call (or text) it came with appears to be from someone you know. Emails and texts can be sent to appear to be from trusted individuals, and scammers can create phishing websites that may look like your bank, credit card, email, etc. If I receive an email notification, I'll often go directly to the website it supposedly originated from to verify its authenticity.