As Justin Snell tells it, his company didn’t see the ransomware attack coming.
“We never thought we would be a target.”
Snell is vice-president of technology at E.R. Snell Contractor Inc., a family-owned heavy construction company based in Snellville, Ga., with 700 employees across several divisions in the state. Like many mid-sized firms in the industry, the company has been integrating new technologies into its processes for years.
However, by Snell’s own admission, the company’s security protocols had not kept pace.
“We got trapped by being so into new technology without understanding the security issues,” he recently told a Viewpoint software webinar. For example, little ongoing attention was paid to passwords. What few security protocols were in place were rarely tested.
The ransomware attack on E.R. Snell was initiated on a Labour Day Sunday, although later investigation revealed the company’s server had, in fact, been penetrated a week or so prior. Day one saw a fully encrypted system lockout. On day two, the ransom demand arrived.
Intervention by Viewpoint’s security professionals involved moving E.R. Snell’s data to the cloud, which took nine days. The remaining recovery efforts implemented by E.R. Snell itself took 90 days total.
In this instance, federal law enforcement did provide help in some ways.
“I wouldn’t say they were super helpful, but they did help us…understanding what these threat actors do, and who they are, and what they want, and them, alongside our attorneys, with the incident response firm, helped us walk through that,” explained Snell. “And I’m thankful that they were able to. They’re in the business of doing this, so they were able to help us, the Monday, Labour Day.”
While the company scrambled to inform and assure employees and suppliers, it reverted to handwritten cheques for payroll and accounts payable. And although E.R. Snell refused the ransom demand itself, the company still paid a high price, approximately $800,000 including the required data remediation.
Mike Dooley, information security officer for Viewpoint, calls ransomware “easy money,” very profitable, and growing fast. Attacks on construction companies in particular are on the rise, representing over 13 per cent of all ransomware attacks reported in North America during 2020.
One reason is the vulnerability of the industry itself. Employees are scattered between field offices and worksites, often working fragmented hours. Add to that multiple vendors, subcontractors and employees now working from home, sometimes without appropriate VPN (virtual private network) protection. Information and documents once exchanged in person or by physical delivery are now sent by email, text and electronic transfer.
According to data compiled by Viewpoint and others, human behaviour is the main challenge to corporate cyber security. Spam and phishing attacks are by far the most common gateways for ransomware infections. It’s what Dooley calls “taking the bait.”
For example, Dan Blum, managing partner and principal consultant at Security Architect Partners, told CIO Dive’s Trendline about an employee who received a message saying their VPN had been deactivated.
“The message was a phishing test sent by the individual’s IT department to every employee, and everyone clicked on it,” Blum said. “The test confirmed that employees, despite their best efforts, are susceptible to fraudulent and potentially dangerous emails that can compromise passwords.”
E.R. Snell’s experience is not uncommon among companies across all industrial and commercial sectors. Neither was their response after the attack. Internal servers were replaced by cloud-based hosts offering ongoing security monitoring; passwords were revisited, using Viewpoint’s recommendation of pass phrases rather than single words; VPN controls were tightened; and outside professionals were contracted to aid with ongoing employee training and protocol assessment.
“Technology evolves so fast that you have to stay ahead of the threats,” says Snell.
Even so, the cloud is not attack-proof. According to network security firm Netskope, nearly two-thirds of malware is now delivered through the cloud, compared to traditional web malware. Microsoft Office 365 OneDrive for Business, SharePoint, Box, Google Drive and Amazon S3 are the most common targets.
Dooley says corporate cyber security solutions must be bespoke — that is to say, each company has individual weaknesses concerning its key data that are best addressed with customized protocols.
Data experts agree new security measures must evolve as quickly as methods of attack. They must track all data movements while at the same time not blocking people from accessing and sharing files needed to do their jobs.
John Bleasby is a Coldwater, Ont.-based freelance writer. Send comments and Inside Innovation column ideas to email@example.com.