
Small businesses need to step up preparations for escalating cyber threats


Ransomware attacks and other cybersecurity concerns are on the rise. Here's some advice that small businesses can implement to protect their operations.

Ransomware hacks continue to cast dark clouds over the horizon for our nation’s supply chains. These threats will continue unabated in the absence of fundamental changes in how organizations address cybersecurity. Views and rhetoric on these attacks are rapidly escalating at the highest levels, yet many small businesses are failing to act.

In late September, an Iowa agri-business that provides grain for livestock and poultry operations across the Midwest, New Cooperative, disclosed it was victimized by ransomware likely of Russian origin. Some fear the hack could have threatened the grain, pork and chicken supply chains, sending shockwaves throughout the economy. 

It’s hard to dismiss these claims after Charlotte drivers faced long lines and higher prices at the pumps earlier this year when the Colonial Pipeline fuel supply was crippled due to a compromised password for a virtual private network, or VPN. 

After the Colonial Pipeline incident, the White House warned companies to take urgent action to protect themselves. “The threats are serious and they are increasing,” wrote Anne Neuberger, cybersecurity adviser at the National Security Council, in an open letter to business leaders.

More recently, in a September interview with the Associated Press, Gen. Paul Nakasone, director of the National Security Agency and commander of U.S. Cyber Command, took a more aggressive stance. “Even six months ago, we probably would have said, ‘Ransomware, that’s criminal activity.’ But if it has an impact on a nation, like we’ve seen, then it becomes a national security issue. If it’s a national security issue, then certainly we’re going to surge toward it.”  

On a technical level, the federal government has steadily advanced guidance and directives on enhanced security measures for all businesses and organizations. In August 2020, the National Institute for Standards & Technology published SP 800-207, Zero Trust Architecture, to outline a framework for a new security paradigm. President Joe Biden released an executive order on May 12 of this year, Improving the Nation’s Cybersecurity, that explicitly called for implementation of zero-trust architecture by federal agencies.

Weaving these together, the U.S. government is clearly accelerating efforts to protect critical infrastructure in the face of escalating cyber threats and public incidents impacting everyday life.

Many small-business owners think these threats and warnings do not apply to them, that they are too small to warrant the attention of cybercriminals. They are wrong. A vulnerability or software flaw in Kaseya’s VSA product compromised an estimated 1,500 small businesses with ransomware.  It could have been much, much worse because that software is commonly used by IT firms or managed service providers who support up to 1 million small businesses. 

Remote access is another significant threat vector. The Dutch Institute for Vulnerability Disclosure, which discovered the Kaseya vulnerability, has identified a disturbing trend that many remote access products, including VPNs, are showing structural weaknesses, resulting in increased security threats. The unfortunate irony is that VPNs have been widely implemented and hailed as the best way for remote access. This dynamic has become especially alarming as more employees shift permanently to remote and hybrid environments that rely on such tools. 

What should small-business owners do? A great place to start is with the resources available from the nation’s leading defenders. The Cybersecurity & Infrastructure Security Agency, in its CISA Insights advisory on July 14, outlined highly effective mitigation and hardening guidance for small businesses and the IT professionals that serve them.

Additionally, at Calyptix, we encourage a zero-trust architecture. Far more than any single security tool like two-factor authentication, it is an underlying paradigm that focuses on users, assets and resources and eliminates implicit trust, whether based on a device, location or user.

Why are these measures required? In remote environments, employees are often logging into business systems using insecure home or public internet connections while working behind unpatched and consumer-grade routers and wireless access points. In addition, many employees often use unpatched personal devices running vulnerable software to engage in tasks that usually include risky web surfing. Others are connecting to the business systems with dedicated work devices that are extremely hard to monitor and maintain in the wild and are also utilized for personal tasks. Consequently, when remote users connect these risky devices to the network, especially with a virtual connection such as a VPN, voila! That risk can expose the entire business network environment.

Remote, or flexible, work is not going away anytime soon. Nor are cybercriminals. Businesses of all sizes must take action and embrace a fundamental shift to cybersecurity. It starts and ends with the employers rethinking access and segmentation.

Reducing cybersecurity risk for small businesses

Regrettably, many small-business owners take a scattershot approach to cybersecurity. They hear about the added remote access protection offered by a VPN — like a unique, encrypted tunnel to the internet — so they get one. They learn multi-factor authentication is a best practice, so they add software for that, too. They set up mesh wireless access points for improved performance. They put antivirus protections in place. Perhaps they partner with a managed service provider to just make it all work and avoid downtime.

Here are five things small businesses should be doing:

  1. Build a strong foundation for cybersecurity: Small businesses need to move away from the many-product, stop-gap, turnkey approach. It’s like adding an Internet of Things-connected camera doorbell to secure the front door when there’s a hole under the fence alongside the house. To truly secure business computers, network and data assets, each organization needs to reexamine its own unique framework of data, systems, devices and connectivity and build a foundation that maintains total focus on cybersecurity. We cannot build a fortress from a straw house.
  2. Rethink ownership of cybersecurity: Businesses must also rethink ownership of cybersecurity and stop relying on employees to create strong passwords and avoid bad links. Training people to avoid duplicating passwords and phishing scams is simply not enough. People do not voluntarily change behavior in the absence of external controls, which is why city planners use speed bumps, roundabouts and other creative solutions to slow traffic through an urban corridor. If there is a shortcut, someone will find it and others will follow.
  3. Give employees access only to what they need: Every business must actively identify, build and maintain a secure foundation to protect its information and access to it. Firewall security and adding multi-factor authentication are critical. Yet even before that, each business must first identify all computers, printers, servers, access points and other devices and segment them with secure controls based on the type of data they generate, use, transmit and store. Applying the principle of least privilege, the business would only give users access to the online tools, resources, systems and data they need.
  4. Stop putting cybersecurity on the back burner: Making cybersecurity an ongoing priority is essential given the continued evolution of today’s threats. Businesses across every sector must be persistent in implementing secure configurations, patching and upgrading software and monitoring online activity to spot unusual events. By examining unusual activity, organizations can illuminate risky practices, identify unauthorized devices and software, and even detect compromised systems. Responding constructively to the findings of an incident investigation process will set every organization on a path of continued security improvement.
  5. Implement a zero-trust approach and segment data: Start by grounding cybersecurity with a data classification framework that maps the unique requirements of data to proper segmentation. When possible, shield data and related systems with a zero-trust environment that denies access to systems and data by default. With zero-trust, access is only enabled after a user with pre-established authorization has been identified with a secure authentication method. Businesses can establish a solid foundation for secure and resilient systems so they stay focused on running their operations. It all starts by approaching cybersecurity from the ground up, foundation first.
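
Items 3 and 5 can be read together as a default-deny access check over an inventory segmented by data classification. The sketch below is an added illustration, not code from Calyptix or any product; the device names, segments, users and the `decide` function are all hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed inventory: each device is placed in a segment according to the
# most sensitive class of data it stores or handles (names are hypothetical).
SEGMENT_OF = {
    "payroll-server": "restricted",
    "file-share": "internal",
    "lobby-printer": "office",
}

# Least privilege: explicit (user, segment) grants only. Anything absent is denied.
GRANTS = {
    ("alice", "restricted"),
    ("alice", "internal"),
    ("bob", "internal"),
    ("bob", "office"),
}

# Segments that require a second factor in addition to a password.
MFA_REQUIRED = {"restricted", "internal"}


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    password_ok: bool  # primary authentication succeeded
    mfa_ok: bool       # second factor verified
    via_vpn: bool      # network location; deliberately never consulted below


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every path that is not an explicit allow denies."""
    segment = SEGMENT_OF.get(req.resource)
    if segment is None:
        return False, "unknown resource: not in inventory"
    if not req.password_ok:
        return False, "unauthenticated"
    if segment in MFA_REQUIRED and not req.mfa_ok:
        return False, "second factor required for segment " + segment
    if (req.user, segment) not in GRANTS:
        return False, "no grant for segment " + segment
    return True, "authenticated and granted for segment " + segment
```

Being on the VPN changes no outcome here: a request from inside the tunnel for an uninventoried device, or for a segment the user has no grant for, is denied exactly as it would be from anywhere else.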

Take cybersecurity responsibility and accountability

Businesses must take on cybersecurity responsibility through a proactive approach. Every business, regardless of industry or scope, must demonstrate accountability to its customers, clients, and employees. This requires fundamentally changing how every business approaches cybersecurity.

Size does not matter. As the Federal Communications Commission puts it, “Every business that uses the internet is responsible for creating a culture of security that will enhance business and consumer confidence.” Small businesses are the lifeblood of our economy, and cyber criminals recognize that. By building cyber protections into business operations, companies of all sizes can feel more confident and stay focused on growth.


Ben Yarbrough is the CEO of Calyptix Security Corp., an all-in-one network security provider for small and medium-sized businesses.


