From the Dry Cleaner to the Defense Industrial Base
By Kurtis Minder, CEO, GroupSense
“How can they ask for that much? We only have 9 computers!”
“It isn’t the computer count, it is the data…”
While my team and I field some of the largest ransomware response cases at GroupSense, I spend my weekends and evenings helping those who cannot afford a professional response program. As a result, I see a broad spectrum of attacks and victims. While it is always disheartening when any company gets hit, it is particularly impactful to small operations. Many of these victims are family-owned generational businesses, forced into a situation that could end the legacy.
Unfortunately, the national impact of the attacks on SMBs (Small to Medium Businesses) has yet to be experienced by most of us. Washington’s continued focus on offensive tactics and protection of critical infrastructure may be missing the point. Cyber attacks on the lower and middle markets pose a grave threat to the economy and the national security of the United States. Let me explain…
SMBs are the backbone of our economy
When a large, publicly traded enterprise is hit by a devastating cyber attack, it's a costly endeavor. Whether that organization elects to engage the threat actor and pay a ransom, or recover and rebuild, it can cost millions of dollars. Nevertheless, most of these companies, if covered by cyber insurance, and with tremendous resources can and do recover. Often, the impact is meaningful but relatively mitigatable. Notification letters go out, subsidized credit monitoring is initiated, and the PR machine goes to work to save the tarnished brand. They live to fight another day, hopefully with better cybersecurity programs, budgets, and basic hygiene.
When a small business gets hit, it often goes unreported. These companies typically do not have the resources to pay or recover if they are not covered by cyber insurance. It is a business-ending event. Due to the relatively small size of these attacks and the fact that many victims do not report, the Justice Department doesn’t have a good inventory of the macro level problem, relegated to estimation and guesswork. Even when the attacks are reported, the IC3/FBI can be unresponsive. This is likely due to the fact that they are overrun with larger attacks and feel the need to prioritize.
For the US economy, though, it will be death by a thousand silent cuts. While thousands of SMBs around the country grasp for life, millions of dollars of economic damage, recovery costs, lost jobs, and ransom payments are draining us from the inside out.
Small and Medium Business makes up over half the jobs and nearly half of our GDP. Collectively, they are critical infrastructure.
And they took our data….
If you are working in the Federal security realm you are familiar with the Defense Industrial Base (DIB). You are also aware of the frenzy around third-party risk, CMMC (Cybersecurity Maturity Model Certification), and other similar programs. Considering that threat actors often use exfiltrated data sets to pivot to new victims, all involved should be concerned at the treasure trove of exabytes of stolen data these cyber attacks are fueling. As you know, state actors and ransomware actors make exfil a priority with different motivations. Regardless, they are good at it and they have been successfully siphoning this data from our digital shores for more than a decade. They take the data from the small ones, too.
I cannot tell you how many times a victim excuses themselves from the extortion threat with “…our data isn’t that important…” “…there is nothing of real value in there…” Perhaps not in a vacuum. MOST data is useless on its own. It is when you combine that data with other data, correlate, and find implicit connections and value that it becomes weaponized. So no, the lawn care customer data seems benign. It is when you combine that data with the OMB breach, US Marshall’s data, or the recent D.C. Health Marketplace data to triangulate a senior member of the US military’s (perhaps with nuclear facility privileges) private property in Louisville, TN that it becomes material. Triangulate that data with a fitness wearable breach, a local HOA forum breach, or similar and you might be able to follow that guy to the gym on Tuesday. And our adversaries have the data and the compute power to do that, at scale.
Every. breach. matters.
We are under attack and it is worse than you think
Think carefully about what is occurring here. We have foreign adversaries from unfriendly countries attacking our way of life, our businesses, non-profits, etc. They are disrupting those operations, they are causing 100s of millions, if not billions in damage. They are taking our data over the ocean to use as they see fit in future operations against us. And many times, they are profiting from all of this through ransom payments.
We can and will do better.
So what do we do?
We all have an individual responsibility as citizens of the United States to do what we can to protect our own and our employer’s data. We can do this by practicing basic cyber hygiene, taking this mission seriously, and making it focus. Hold each other accountable.
Download my cyber hygiene primer below, and download the Cybersecurity Awareness Month infographic here to learn more about what you can do today.
