Cybersecurity threats to businesses are seemingly everywhere.
Hackers try to break into computer systems and grab sensitive data. Sometimes the hackers hold the data hostage in "ransomware attacks," demanding businesses pay up to reclaim their data.
Randy Glenn has developed a specialty in these threats, as a cyber risk manager with the Evans Agency, the insurance agency subsidiary of Evans Bank. And Glenn is among 40 people from across North America who are in the inaugural class of a cyber insurance certification program launched by Chubb and Carnegie Mellon University.
Glenn, 36, was hired by the Evans Agency in 2014. Since joining, he has recognized a growing need for cyberinsurance, to help companies cope with cyberattacks. But the South Wales resident says businesses can also strengthen their defenses against digital break-ins.
It's not only big businesses that are the targets, he said. Hackers are equal-opportunity attackers, eager to snatch any data someone might be willing to pay to retrieve.
"It's not necessarily the data they're after, it's how much is it worth to you?" Glenn said.
Glenn talked about the scope of cyberattacks and how businesses are reacting:
Q: Are many companies buying cyberinsurance?
A: It's hit and miss. A lot of small businesses still struggle with the affordability factor. I spoke to a small business owner not too long ago and she said, "Randy, with all the exposures that my business faces, I know this is an exposure, I know this is an area that I should be paying attention to, but at what point do I prioritize this? I cover my building, my autos, my employees."
It really comes down to understanding your assets and what you've got at risk, and then weighing out the cost and how much it would affect you if you really did have a breach. Larger organizations, I think, are taking it much faster than smaller ones. But I would say on a grand scale, we're seeing a lot more smaller businesses want to purchase the coverage as well, because it's affordable.
Q: What are the biggest threats out there?
A: Right now, ransomware attacks are clearly the lead runner. When we see ransomware attacks, it's hard to determine the level of cost associated with the actual attack.
What we really focus on with the ransomware attacks is communication. You have to really communicate with your employees what a ransomware attack looks like. When you get an email that just doesn't look right, don't click on a link that's contained in that email. Don't open up a file that's contained within that email.
Q: Which industries are prime targets?
A: In terms of claims, I would say health care is experiencing a high influx of claims, and manufacturing.
Q: Is health care a target because of sensitive patient information?
A: Yes, but I think from the hackers' standpoint, a lot of times they don't know the information they're targeting.
I interviewed a (chief information security officer) for a large organization and I asked him a question on the application, "How many attacks or attempts have you had on your network?" And he looked at me and said, "Today?" and I said, "Yeah, I guess today." And he says, "Thousands."
They jiggle the handle every few seconds to see if the door is unlocked. And they don't necessarily know what information is there.
But once they get in, then they kind of take a look around and do an inventory and say, "OK, what have we got here?" And they may not understand what to do with that information, but there's someone on the dark web that does, and they can sell that information off and someone's going to use it to do whatever they do, whether it's hold the client ransom, sell that information to a third party that's going to do something else with that information.
Q: Why manufacturers?
A: Manufacturers are targets just because, not necessarily the information on file, but if their systems are automated through a computer system, they can shut your computers down for any period of time and hold you ransom, essentially. … For manufacturers that don't have heavy security up front, that's a pretty easy target for a lot of hackers.
Q: Do businesses tend to pay the hackers when they suffer ransomware attacks?
A: It's a business decision, but right now, it's trending toward paying the ransom, and the data is unlocked. Sometimes, in a few cases, we've run into where they've paid the ransom, but the data was unable to be unencrypted.
A lot of times that's probably because an amateur purchased that data on the dark web and didn't really know what they were doing, saw that there's other criminals making money doing this, they tried to do it, couldn't unencrypt it and went on to the next thing.
But for the most part, I think the data is being given back once the ransom is paid, because it's a criminal enterprise. It's a business. They want to make a quick hit and move on to the next one.
Q: Do you find some businesses believe they're not at risk?
A: I can promise you, every business has data somewhere that's going to be held against them, if somebody gets in.
The trouble is, a lot of businesses will take the stance, "Well, I have a really good IT department." At (Evans Bank), we have a top-notch IT department. But the fact of the matter is, 25 percent of breaches occur from insider involvement. Not necessarily malicious insider involvement, but your employees. It's people driven. An employee gets an email, they click on a link, you just opened your network up to a world of hurt, from that one email link. So communication is key.
On top of it, I tell business owners all the time, you can have the best IT department in the world, your (chief information security officer) can have the longest resume out there, but guess what? Cybercriminals are former IT people that got really, really good at what they do. And they make money doing it.
Q: How can businesses prepare for these kinds of attacks?
A: I would say communication is No. 1, communicating with your employees. A lot of times communication comes when you have a level of experience in what the things look like. Maybe the first step would be to work with an attorney to get an incident-response plan in place.
It has to be tailored to your business. … Your incident response plan should be going home with you at night, if you're the owner of that company. Because when you get that phone call at 4 o'clock in the morning that your systems are being rocked, you want to be in a position to follow that incident response plan to a T.