While he'd never call it official business advice, Jim A. Garcia can offer an important tip to protect against cybersecurity threats.
"Whatever you think you are doing, and wherever you think you are [in terms of security], they are much smarter than you," the executive director of the Associated Contractors of New Mexico said of hackers, malicious actors and others seeking to wreak havoc online.
“Everyone thinks they’re good,” Garcia continued.
Not to worry. The statewide trade group representing the transportation and utility aspects of the construction industry hasn’t become the latest victim of online criminals.
But as cybersecurity incidents across New Mexico continue to pile up, it’s difficult to not notice the effects on businesses and other organizations. Some — such as TriCore Reference Laboratories and Albuquerque-based First Choice Community Healthcare Inc. — became vulnerable after an unauthorized third-party accessed a vendor’s computer system.
Others — like Bernalillo County, Albuquerque Public Schools, First Financial Credit Union and Goodwill Industries — felt the effects directly.
La Fonda Holdings LLC, the company that operates the popular La Fonda on the Plaza luxury hotel in Santa Fe, is one of the latest New Mexico businesses to report a data breach. The company announced on Sept. 6 that an incident last month resulted in the removal of certain data from its computer systems after unauthorized access to its network.
Meanwhile, signs of a steady — if not increasing — number of cybersecurity threats appear across the country.
Cyber threats in our midst
On Sept. 8, a Kentucky town became at least the 34th local government affected by a ransomware attack this year, according to Brett Callow, a threat analyst who works for the cybersecurity firm Emsisoft. The day before — on Sept. 7 — officials in a Colorado county disclosed that a cyberattack discovered in mid-August was due to a ransomware variant.
Locally, Cyber Security Works, an IT security company based in Albuquerque, found ransomware vulnerabilities — security flaws that can be exploited to gain initial access when breaching a network — increased 7.6% between January and May of this year.
It’s unclear how many cybersecurity incidents — a broad term that encapsulates various kinds of illegal online activity — that the FBI’s Albuquerque field office has investigated this year. The FBI couldn't release a current figure because some might be related to ongoing and open investigations, said Frank Fisher, the FBI’s public affairs officer for the Albuquerque field office.
But according to 2021 data, the local FBI office fielded reports of online crime from 2,858 victims in New Mexico last year. A single victim might appear in multiple categories, but non-delivery or non-payment of items purchased was reported most frequently. That was followed by personal data breaches, extortion, individuals posing as technical support specialists and fraudulent relationship transactions — where someone persuades a victim to send money based on a so-called personal relationship.
In New Mexico in 2021, the FBI investigated 19 reports of ransomware, according to agency data. That’s up from 10 the year before, Fisher said.
Nationally, between 2019 and 2021, the number of ransomware complaints reported to the Internet Crime Complaint Center increased by 82%.
It’s likely the actual number of incidents was much higher.
Target businesses before businesses are targeted
To keep that figure from increasing, the FBI’s Albuquerque leadership has made an effort to reach New Mexico businesses before malicious actors can.
Since July, Special Agent in Charge Raul Bujanda and others have spoken to business groups throughout New Mexico. They’ve met with the Greater Las Cruces Chamber of Commerce, the New Mexico Hospital Association, the New Mexico Restaurant Association, the Albuquerque FBI Citizens Academy Alumni Association and the Associated Contractors of New Mexico annual convention.
“Our cyber squad does a lot of these types of presentations year-round. What’s new about this campaign, is we are targeting New Mexico businesses,” Fisher said.
During one FBI cybersecurity presentation in early August, Juan Carlos Guerra emphasized the need for digital security in the workplace. A supervisory special agent and 17-year veteran of the FBI, he runs a 15-person unit devoted to investigating online crimes out of the FBI Albuquerque field office.
Speaking before the Albuquerque FBI Citizens Academy Alumni Association, Guerra stressed the need for private businesses and the FBI to work together to limit malicious actors. In the extreme cases where an incident takes an entire network offline, the FBI may even have the tools necessary to unlock systems that were encrypted by various flavors of ransomware, he said.
But overall, Guerra said practicing good “cyber hygiene” goes a long way when it comes to countering threats. That means considering the policies and protocols in place that mandate password complexity and remote access to company computers. It also means educating employees about what potential threats look like and how enhanced security measures not only help but are necessary.
According to digital security experts, requiring employees to use multi-factor authentication — or two-factor authentication — is a straightforward measure that can limit exposure to threats. Essentially, it requires an employee to use a second form of authentication every time they log in
Some employees will have questions on how to implement the required technology. Other times, employees will push back on policies that increase digital security such as multi-factor authentication.
The FBI's Guerra said he understands why that is the case. But at the same time, "I don’t know why you wouldn’t use [multi-factor authentication]. It can be inconvenient, but these threats aren’t theoretical. [They’re] happening all the time,” he said.
How to 'play safely'
The Associated Contractors of New Mexico's Garcia had a hand in bringing the FBI to the group's annual convention on July 30 at Sandia Resort and Casino. He’d seen the FBI digital security presentation before and found it to be a “huge wake-up call.”
That wake-up call led to the Associated Contractors of New Mexico making a financial investment for new hardware and software. But it also led to an effort to get staff onboard and invested in digital security.
In its work, Associated Contractors of New Mexico sends and receives sensitive information and data related to state and federal contracts. Garcia said that — among other things — it meant staff had to get serious about how it handled email communications.
“We developed a new protocol for accepting an email, for opening an email and for responding to an email,” he said.
The policy change eliminated from the workplace what Garcia called unqualified communication — those emails that friends and family send with cute pictures, viral memes and other correspondence unrelated to the work at hand.
The Associated Contractors of New Mexico and its IT vendor J and J Technical Services began collecting suspicious or non-work emails so they could perform an analysis to better understand how the policy change worked.
“It was crazy the number of bots and hits that were coming through,” Garcia said. “We had far underestimated what we needed to do to play safely.”
