Atlantic Hurricane Season, which runs from June 1 through Nov. 30, had a slow start this year but has begun ramping up as Hurricane Fiona made its way across the Atlantic last week and brought with it damage across Puerto Rico, the Dominican Republic, and Turks and Caicos.
Hurricane Fiona is classified as the first major storm of the season, meaning it is a category 3 storm or above. With the National Oceanic and Atmospheric Administration forecasting a likely range of 14 to 21 named storms with winds of 39 mph or higher this year, including three to six major hurricanes, experts are advising individuals, businesses and their insurers not to let their guards down, even when it comes to disaster-related ransomware attacks.
“The reason for this is many companies are sitting ducks,” said Dean Mechlowitz, co-founder of cybersecurity firm TEKRiSQ, on this episode of The Insuring Cyber Podcast. “They’re just easy to breach. They’re low-hanging fruit.”
Guests on this episode say that spikes in ransomware attacks are typically seen after disasters occur as some cyber criminals tend to take advantage of communities, businesses and individuals while they’re most vulnerable. Mechlowitz said as businesses prepare for the rest of Atlantic Hurricane Season, they should also factor cyber preparedness into the equation.
“It starts with company leaders,” he said. “They need to educate their teams and make real efforts to prepare for this activity.”
He said disaster-related ransomware attacks are a “crime of opportunity,” creating a sense of urgency and tricking victims into giving cyber criminals access to steal company money or data, or install ransomware on a company’s system.
“Thinking you know where you stand is not the same as knowing. Anytime I hear a client say, ‘We think we know,’ that means no. They don’t know. Usually there are significant issues,” he said. “When your hair is on fire during a disaster, you’ve got to make sure you have the appropriate business continuity plans, disaster recovery plans and incident response plans in place.”
However, one big challenge with these types of incidents is the ability to actually determine their cause. This is because when a system, such as an electrical grid or water system, goes down during a natural disaster, it can be easy to attribute the cause to the disaster itself rather than to cyber criminals.
“It is difficult to determine, certainly from an IT perspective,” said John Simek, vice president of IT service provider Sensei Enterprises, later in this episode. “How you combat those attacks might be a little bit different if it’s a cyber criminal versus something that happens naturally where the network goes down.”
To exacerbate these challenges, Simek said that many times, cyber criminals know this can create a sense of ambiguity.
“The cyber criminals know this as well, and so when there is a natural disaster or something, they try to take advantage of it,” he said. “They know that people’s weaknesses are down.”
He gave the example of an Internet service provider that may have outages during a storm, such as a hurricane.
“What’s the tendency? Well, your tendency is that you’re going to turn [your virtual private network] off if it’s getting in the way,” he said. “The cyber criminals know that, and now you become more vulnerable to attack. It’s kind of a downward spiral. Things can go south very quickly.”
This can create additional challenges around insurance coverage, Mechlowitz said.
“Even though initially, [insurers] might give you coverage, they’re going to look at the forensics and determine was it due to ransomware. Does your policy cover that? There are going to be some issues around that,” he said. “What the business can do to try to mitigate that is to put the appropriate controls in place so that they’re more likely to be able to determine it’s a ransomware attack more immediately and have those controls in place up front. A lot of times, small or medium-sized businesses don’t have that. They’re sitting ducks out there.”
With this in mind, Simek cautioned individuals and businesses to “do the simple things” when it comes to cybersecurity.
“There are a lot of things that you can do that are very low cost or even free that we’re not doing,” he said. “One of the very, very important things that we need to be aware of is backups. You should have multiple backups. They should be encrypted so that no one can gain access to the information except you. There should be one in the cloud. There should be one local. They should be all over the place, so that should you run into a disaster—whether it’s a ransomware attack or something like that, or a natural event—then you have a way to recover. Your data is safe, and you can come back.”
He also emphasized the importance of multifactor authentication, or the addition of a second factor to determine a user’s identity before granting access to a system, whether it’s through text messaging, biometrics or a hardware key.
“I mean, that just stops so, so much of what the cyber criminals are trying to do,” he said. “And it’s relatively inexpensive, if not free, in most cases.”
As infrastructure systems become more tech-enabled and interconnected, Mechlowitz cautioned that extra preparation will go a long way in getting ahead of a likely growth in disaster-related ransomware attacks.
“These attacks aren’t going away for a good reason,” he said. “It’s a growth business, and it’s profitable for the criminals. The frequency’s going up. Severity’s going up. All the statistics show that’s the case.”
To hear what else Dean and John had to say, check out the rest of this episode and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.