In the wake of the recent ransomware attack on Colonial Pipeline, where the transportation of oil to its final destination was compromised, the U.S. Department of Homeland Security issued a directive that pipeline companies must report ransomware attacks to the federal government within 12 hours. This event serves as a harsh reminder that safeguards against cyberthreats are largely inadequate.
This is especially true for the mortgage industry, where ransomware attacks happen frequently but rarely get reported. Many in the mortgage industry never fully appreciate the threats to data security until it’s too late.
Part of the challenge right now is that everyone is distracted by technological advances in other areas, such as artificial intelligence and machine learning. These tools are the way of the future, for sure, but mortgage companies all too often forget basic “security hygiene” for areas where the most vulnerability exists. Being susceptible can stem from something as simple as not using anti-spam technology on your email gateway, or not educating your employees about spam, phishing and social engineering.
It also helps to understand the evolution of ransomware. A few years ago, ransomware attacks were random, not targeted. Hackers settled for whatever they could get. Today, ransoms are running in the millions of dollars. In the case of Colonial Pipeline, the company paid $4.4 million to restore its operations, although a sizable portion of this money was reportedly recovered.
As more companies pay ransoms, the number of ransomware attacks has risen. The troubling trend that has emerged is that criminals are targeting companies that have insurance and, therefore, are considered rich targets. Criminals are looking at targets where process delays prove costly. Colonial Pipeline is a great example — if you shut down their pipelines, it’s going to cost them millions of dollars per day simply because they’re not able to deliver their product.
In the mortgage industry, companies also have the same risks of becoming ransomware targets — they are considered rich targets because a delay in process costs them money. The reality is that if you don’t close on time, there are consequences, and it costs you money.
Another trend that’s emerging is a combination of ransomware and extortion. Criminals steal intellectual property from businesses and threaten to release this information to competitors if a ransom isn’t paid. Companies whose data has been encrypted sometimes have trouble recovering this information after ransomware attacks.
The first step is to know how cybercriminals act and how to avoid being in a position where your data is being held hostage. Businesses must understand that having good security is not a luxury; it’s the cost of doing business. This is step one toward building a good line of defense.
Believe it or not, the way that many people get tricked today is with a phishing email. If criminals can get you to click the link and download the file, they are 90% of the way there.
Let’s start with the premise that your business, especially if it’s public, is an open book. The internet is no longer as big as it used to be in terms of reconnaissance. People can find information easily. A 10-K financial-performance report filed by publicly traded companies, for example, will tell criminals everything they need to know about whether the company is a suitable target for ransomware, and whether it’s susceptible to an attack from the outside, often known as a technical attack.
Hackers can get a good idea of how much a company can pay before setting the wheels of an attack in motion. Not investing in good security will cost much more down the line. It’s now the cost of doing business.
Businesses need to prepare for the eventuality that their data may be held for ransom. This is the second step in building a good defense. If your business’s intellectual property doesn’t have a backup, you have greatly limited your options. The options are to close the doors or pay the ransom.
Cybercriminals will encrypt everything on your systems and make it so you cannot work anymore. Then they’ll tell you that they’ll let you go back to work if you pay them. Hopefully, they do what they say, but there’s nothing forcing them to give you the keys to unlock your files after you pay them.
The way to counteract this situation is to have robust backups that are kept offline and cannot be encrypted by the attacker. This is called a “disconnected backup,” which can help a business limit the damage of a ransomware attack.
The extortion part of it is trickier. Once cybercriminals get into your system, you must decide if the threat of having your data leaked, the fact that your system was breached, and the possibility that your clients’ information is compromised are things that your business can live with. If not, then it forces the company into paying the ransom.
As the last step in building a good defense, businesses must consider and prepare for “insider” threats. This is one key piece of advice that security professionals deliver that is often met with opposition.
Businesses want to be seen by their employees as trusting, but the reality is that data-security professionals aren’t looking at personnel; they’re looking at credentials. When they warn of insider threats, they are monitoring the credentials that are used. Once you get into the digital realm, it’s all virtual. This means that a hacker can access a system by posing as an employee, using that employee’s personal information to act as an insider in the heist.
Once these credentials are compromised, they can be misused. You have to start thinking about whether everyone needs access to this data. How do you prevent people from gaining unauthorized access, and are you monitoring the people who are accessing the information? Do you have a way to respond to unauthorized data access?
These steps are the start of a thoughtful process for figuring out how to best segment your network and put the stuff that is most important in the most secure area. Once you’ve done that, the next step is to determine who has access to this information and how to monitor the people who have legitimate access.
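The credential-centric monitoring the last three paragraphs describe, as an added example that is not part of the original column: a least-privilege policy (which credential may touch which class of data) is checked against access-log records, out-of-policy and unusual usage is turned into alerts, and the response step lists the credentials to disable. The policy, the business-hours window, the thresholds and the log format are all constructed for this example.

```python
from collections import Counter

# Constructed least-privilege policy: which data classes each credential may touch.
# A credential not listed here may touch nothing, which is the point of asking
# "does everyone need access to this data?".
POLICY = {
    "loan.officer1": {"loan_files", "borrower_pii"},
    "marketing.user": {"marketing"},
    "svc_backup": {"backups"},
}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local; an assumption for this example
BULK_THRESHOLD = 5             # accesses per credential before a bulk alert fires

def parse_line(line):
    """Parse one constructed record: '<user> <data_class> <action> <hour>'."""
    user, data_class, action, hour = line.split()
    return user, data_class, action, int(hour)

def detect(lines):
    """Return (kind, user, detail) alerts for policy violations and odd usage."""
    alerts, per_user = [], Counter()
    for line in lines:
        user, data_class, _action, hour = parse_line(line)
        per_user[user] += 1
        if data_class not in POLICY.get(user, set()):
            alerts.append(("unauthorized", user, data_class))
        # A human credential working at night deserves a look; the backup
        # service account is expected to run overnight, so it is exempt.
        if hour not in BUSINESS_HOURS and not user.startswith("svc_"):
            alerts.append(("off_hours", user, data_class))
    for user, n in per_user.items():
        if n >= BULK_THRESHOLD:  # one credential touching a lot of data at once
            alerts.append(("bulk_access", user, str(n)))
    return alerts

def credentials_to_disable(alerts):
    """Response step: every credential that read data it was never entitled to."""
    return sorted({user for kind, user, _ in alerts if kind == "unauthorized"})

# Constructed sample log: a marketing credential used at 02:00 to pull loan data.
SAMPLE_LOG = """\
loan.officer1 loan_files read 10
loan.officer1 borrower_pii read 11
marketing.user marketing read 14
marketing.user loan_files read 2
marketing.user borrower_pii read 2
marketing.user borrower_pii read 2
marketing.user borrower_pii read 2
svc_backup backups write 23""".splitlines()
```

Running `detect(SAMPLE_LOG)` yields nine alerts, all of them about the marketing credential; the loan officer's daytime reads and the backup account's overnight write pass without comment.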