Colonial Pipeline likely got hacked because of these two simple, and avoidable reasons
(This article originally appeared in the Washington Times)
By now we’re aware of the enormous ransomware attack on the oil pipeline operated by Colonial Pipeline that reportedly transports as much as 45% of the fuel consumed on the east coast. We know that the attack was perpetuated by a Russian hacking group. We know that — out of caution — the pipeline operator shut down its systems and is now feverishly working to restore the flow of oil.
We know all of this. But we still don’t know how the actual attack occurred. The Biden administration has expressed it’s frustration with the company’s “weak security.” What was so weak?
According to reports from most security experts like this one and this one, ransomware attacks on businesses happen because of people. Either a) an employee clicks on a malicious link contained in an email or fake website (this is known as “phishing”) or b) a device on a network was compromised because it was running an out-of-date operating system.
I’d bet heavily that this is what investigators will find. And sadly, the whole situation could have been avoided if the people in charge of the technology at Colonial Pipeline had done these three things.
For starters, and most importantly, businesses need to make sure that all of the devices used by their employees are running the most current versions of Microsoft Windows, Apple iOS or Google Android.
It’s very possible that an intrusion happened on an employee’s personal device. Why? Because, according to the FBI, ransomware attacks have increased an astonishing 69 percent in 2020 compared to 2019 and have costed businesses more than $4 billion mainly because of so many people were working from home using less secure, out-of-date devices running older operating systems to get access to their companies’ networks.
Now that work-from-home is here to stay, the problem will only get worse. This is like an open door for hackers. Updating operating systems closes that door.
Next, businesses have to commit to ongoing training. That means regular interactions with an outside security or IT firm and the implementation of training software like KnowBe4 and Infosec. These applications can be configured to send out “simulation” emails that test an employee’s ability to recognize phishing, identity theft, social engineering and other strategies used by hackers that entice people to click on links in an email or on a website that downloads malicious software on to their device, and then their networks.
Finally, all businesses have to make sure that their systems can only be accessed using multi-factor authentication (MFA) software while also forcing their users to regularly change and use passwords that require alpha numeric entries with symbols. MFA requires users to enter a code that’s emailed or texted to them and provides another level of security that can prevent entry into a system.
None of these actions are foolproof and smart hackers can still find their way around them. But they are strong deterrents. The bad guys who make ransomware are out to make money and they’re looking for systems that can be more easily compromised in order to achieve these goals quickly and profitably. Companies that have been attacked rarely say publicly how the intrusion occurred. But we know why. Recent studies from security firms Coveware, Proofpoint and Blackfog all point to the same culprits: people.
Too many large companies are still not taking the simple steps they should be taking to protect their data and because of these lapses millions of people potentially suffer the consequences. These are the cases we hear about. What’s less newsworthy, however, is the implication for small businesses.
According to a recent survey from security firm Infrascale 46 percent of all small businesses have been the targets of a ransomware attack, with almost three-quarters of them (73 percent) paying a ransom. Forty-three percent of small businesses paid between $10,000 and $50,000 to ransomware attackers. Thirteen percent paid more than $100,000. Of those who paid, however, 17% recovered only some of the company’s data.
Ransomware attacks can’t be eliminated. But for most businesses they can be avoided. In the end, it’s about keeping your systems up to date and training your employees. The public will never know for sure, but I’ll bet if the technology managers at Colonial Pipeline did these two things then the oil would still be flowing.
* Gene Marks is a CPA and owner of The Marks Group, a technology and financial management consulting firm that specializes in small- and medium-sized companies.
Originally published at https://www.washingtontimes.com on May 13, 3600.