In a meeting with President Joe Biden last week, business leaders from major technology and insurance firms committed billions of dollars to beefing up cybersecurity defenses desperately needed after several high profile hacks into major infrastructure and technology platforms this year. This is long overdue given the lax approach taken over the past several years by most major firms.
On May 7, 2021, the Colonial Pipeline, which carries almost half of the East Coast’s fuel supply from Texas to New Jersey, shut down operations in response to a ransomware attack. A ransomware attack is where a hacker latches on to your computer or network, locks you out and threatens to delete or make your data public if you don’t pay a ransom (see below). Colonial paid a $4.4 million ransom not long after discovering the attack, and the pipeline was reopened within a week. While there was enough stored fuel to weather the outage, panic buying caused gasoline shortages on the East Coast and pushed the national average price of gasoline over $3.00 per gallon for the first time since 2014.(1)
Ransomware is not new, but the Colonial Pipeline incident demonstrated the risk to critical infrastructure and elicited strong response from the federal government. Remarkably, the Department of Justice recovered most of the ransom, and the syndicate behind the attack, known as DarkSide, announced it was shutting down operations.(2)
The Department of Homeland Security issued new regulations requiring owners and operators of critical pipelines to report cybersecurity threats within 12 hours of discovery, and to review cybersecurity practices and report the results within 30 days.(3) On a broader level, the incident increased focus on government initiatives to strengthen the nation’s cybersecurity and create a global coalition to hold countries that shelter cyber criminals accountable.(4)
Ransomware is malicious code (malware) that infects the victim’s computer system, allowing the perpetrator to lock the files and demand a ransom in return for a digital key to restore access. Some attackers may also threaten to reveal sensitive data. There were an estimated 305 million ransomware attacks globally in 2020, a 62% increase over 2019. More than 200 million of them were in the United States.(5)
The recent surge in high-profile ransomware attacks represents a shift by cyber-criminal syndicates from stealing data from “data-rich” targets such as retailers, insurers, and financial companies to locking data of businesses and other organizations that are essential to public welfare. A week after the Colonial Pipeline attack, JBS USA Holdings, which processes one-fifth of the U.S. meat supply, paid an $11 million ransom. (6) Health-care systems, which spend relatively little on cybersecurity, are a prime target, jeopardizing patient care.(7) Other common targets include state and local governments, school systems, and private companies of all sizes.(8)
Ransomware gangs, mostly located in Russia and other Eastern European countries, typically set ransom demands in relation to their perception of the victim’s ability to pay, and high-dollar attacks may be resolved through negotiations by a middleman and a cyber insurance company. Although the FBI discourages ransom payments, essential businesses and organizations may not have time to reconstruct their computer systems, and reconstruction can be more expensive than paying the ransom.(9)
Protecting Your Data
While major ransomware syndicates focus on more lucrative targets, plenty of cyber-criminals prey on individual consumers, whether locking data for ransom, gaining access to financial accounts, or stealing and selling personal information.
Most people don’t know that before becoming a full time financial planner, I spent about twelve years working for major consulting firms helping with deployment of software, hardware and networking equipment, so I know a few things about data security (where do you think the “geek” came from in my moniker?)
Here are some tips to help make your data more secure: (10)
Use strong passwords and protect them. An analysis of the Colonial Pipeline attack revealed that the attackers gained access through a leaked password to an old account with remote server access.(11) Strong passwords are your first line of defense. Use at least 8 to 12 characters with a mix of upper- and lower-case letters, numbers, and symbols. Longer and more complex passwords are better. Do not use personal information or dictionary words and use different passwords for different web sites.
One technique is to use a passphrase that you can remember and adapt. For example, Jack and Jill went up the hill to fetch a pail of water could be J&jwuth!!2faPow (please don’t use this example as your password!). Though it’s tempting to reuse a strong password, it is safer to use different passwords for different accounts. Consider a password manager program that generates random passwords, which you can access through a strong master password. My personal favorite that I’ve been using for over 15 years is RoboForm, but most well-known password managers do a good job (if you click on the link and subscribe to RoboForm, we’ll both get an extra six months added to our subscriptions). Whatever you do, don’t share or write down your passwords.
There are no easy answers. Be careful when establishing security questions that can be used for password recovery. It may be better to use fictional answers that you can remember. If a criminal can guess your answer through available information (such as an online profile), he or she can reset your password and gain access to your account.
Take two steps. Two-step authentication, typically a text or email code sent to your mobile device, provides a second line of defense even if a hacker has access to your password. If your device is lost or stolen, immediately call your carrier and lock or wipe your device before they can hijack your accounts. Most devices can be wiped remotely or be set to automatically erase themselves after a set number of failed attempts.
Think before you click. Ransomware and other malicious code are often transferred to the infected computer through a “phishing” email that tricks the reader into clicking on a link. Data thieves have become adept at creating fake e-mails that look 100% legitimate, so you must be vigilant.
If you hover with your mouse over most internet links, you’ll see exactly where they’ll take you, and it’s not necessarily the site that’s displayed in the text. Never click on a link in an email or text (or a photo) unless you know the sender, are expecting it, and have a clear idea where the link will take you. Even then, you can’t be sure your friend’s or relative’s e-mail account has not been hacked and a seemingly innocent attachment or link is laced with malware.
Install security software. Install antivirus/anti-malware software, a firewall, and an email filter — and keep them updated. Old outdated antivirus software won’t stop new viruses. If your computer, laptop or other devices don’t have extra security software, you shouldn’t be online. Period. And no, in my opinion, Microsoft Defender is not sufficient to protect your PC. The old thought that Apple Mac devices are safe from vulnerability is no longer true; though safer than PC’s, they are prime targets for malicious attacks as well.
Back up your data. Back up regularly to an external hard drive. For added security, disconnect the drive from your computer between backups. Backing up to an online service is a great idea, but your backup might also be infected or affected by malware or ransomware. Only an offline backup, when disconnected at the time of infection, is safe. Never attach the external drive to restore data until you’re sure the threat or malware is 100% removed and the device is safe.
Keep your system up-to-date. Use the most recent operating system that can run on your computer and download security updates. Most ransomware attacks target vulnerable operating systems and applications. Fortunately, for better or worse, Microsoft Windows has made is nearly impossible to avoid installing periodic security patches.
Avoid Public Networks for Sensitive or Financial Transactions. Using public Wi-Fi networks is a prime gateway for malware and ransomware attacks. Networks with names like “Free Public WiFi” are meant to lure you in and install Trojan horses onto your device. If you have to type in a password to access an online resource, then you probably don’t want to do this on a public network (or at least use a password manager to log you in so your keystrokes aren’t tracked). Virtual private network software/services are also a help here.
Secure your entry points. This month alone, my home network router blocked over 4 million port scans and thwarted 75 live threats. If you don’t know what this means, then you need a home network security geek or the help of your internet service provider to help you beef up the security of your home network.
Your home network router/switch probably came with a factory set password which is widely known and easily accessed. Changing the default device password is the easiest way to reduce your vulnerability to an outside attack. Most modern day routers come with more user friendly instructions and software on how to disable your guest network and beef up home security. There’s no need to broadcast your WiFi network name to your neighbors, so that should be turned off, or you might as well call your home WiFi network “HACKERSWELCOME”.
If you see a notice on your computer that you have been infected by a virus or that your data is being held for ransom, it’s more likely to be a fake pop-up window than an actual attack. These pop-ups typically have a phone number to call for “technical support” or to make a payment. Do not call the number and do not click on the window or any links. Instead, try exiting your browser and restarting your computer. If you continue to receive a notice or your data is really locked, contact a legitimate technical support provider, but definitely not the one listed in the pop-up window.
For more information and other tips, visit the Cybersecurity & Infrastructure Security Agency website at us-cert.cisa.gov/ncas/tips.
If you would like to review your current investment portfolio or discuss any other financial planning matters, please don’t hesitate to contact us or visit our website at http://www.ydfs.com. We are a fee-only fiduciary financial planning firm that always puts your interests first. If you are not a client yet, an initial consultation is complimentary and there is never any pressure or hidden sales pitch. We start with a specific assessment of your personal situation. There is no rush and no cookie-cutter approach. Each client is different, and so is your financial plan and investment objectives.
(1) (2) (11) Vox, June 8, 2021
(3) U.S. Department of Homeland Security, May 27, 2021
(4) The Washington Post, June 4, 2021
(5) 2021 SonicWall Cyber Threat Report
(6) The Wall Street Journal, June 9, 2021
(7) Fortune, December 5, 2020
(8) Institute for Security and Technology, 2021
(9) The New Yorker, June 7, 2021
(10) Cybersecurity & Infrastructure Security Agency, 2021