3 Lessons SMBs Can Learn from the Colonial Pipeline Ransomware Attack
Whether you keep up with current events or not, chances are you’ve heard of a company large or small getting hit with ransomware. And unless you work or have involvement with that company many consumers don’t think twice about those businesses becoming ransomware victims since it doesn’t impact their lives….until it does.
Cue the gas shortages and even outages at some gas stations from the recent ransomware attack on the Colonial Pipeline. Because of a ransomware attack, many people in the Southeast were left scrambling to get gas for a week, talk about real-life ramifications. So, what can your SMB learn from the Colonial Pipeline ransomware attack? Grab your notebook, and let’s get into it!
3 Lessons SMBs Can Learn from the Colonial Pipeline Ransomware Attack
What Happened?
You have likely heard about the ransomware attack that shut down one of the largest pipeline operators in the United States causing a gas shortage for some states in the south (To name a few: Kentucky, Georgia, Florida). If not, on May 7th, the Colonial Pipeline Company was the latest victim of a ransomware attack by a group of hackers known as DarkSide. Colonial Pipeline shut down its operations for a week to resolve the issue which led to the gas shortages. The company did end up paying a near 5-million-dollar ransom to restore their network.
How did this happen?
The hackers use software to encrypt and steal their victim’s data. Victims are notified of the attack through a message on their computer screens indicating they need to pay a certain amount, or their data will be leaked. Included is a link to a page that has the information the hackers are ready to leak to the public if the ransom is not paid such as confidential employee information, accounting data, tax information, reports, and any other sensitive data found on the network.
Lesson #1 - No one or business is safe from a cyberattack.
No one or business thinks (and hopes!) they will be a victim of a cyberattack like ransomware. However, that is not the reality anymore. If you have ever heard the statement “It’s not if, but when” in regards to getting hit with ransomware, a phishing attack, and any other cyberattack, well those saying it aren’t wrong. Especially for smaller businesses that:
a) Don’t have the staff or knowledge
b) Don’t have the time
c) Don’t have the money
d) Don’t care
about cybersecurity and protecting their data. Hackers know how much easier and more successful they are when it comes to targeting SMBs simply because of their lack of protection.
Aside from smaller businesses, even a large organization that one would assume would have heightened cybersecurity defenses, like the Colonial Pipeline, wasn’t safe from an attack.
Here’s how DarkSide hackers got into their network and successfully launched the ransomware attack:
Hackers gained entry through a VPN that was no longer in use at the time of entry. The password to said VPN was found through a batch of leaked passwords on the dark web. Meaning, the employee previously used the same work password on another account that got compromised. Not to mention, the VPN wasn’t using multi-factor authentication so all the hacker needed was the username and password to get into the account.
Too easy for the hackers!
Always remember that no one or business is safe from a cyberattack. It’s better to think you will be a victim of an attack, so how can you better prevent and recover quickly from one instead.
Lesson #2 - Cybersecurity is IMPORTANT.
If Colonial Pipeline would have taken their cybersecurity more seriously, they wouldn't have had to shut down operations for the first time in 57 years. Nor would they of had to pay $4.4 million ransom. There wouldn’t have been gas shortages and outages. People wouldn’t panic or worry about whether they could find gas to make it home, to work, or anywhere. Gas prices wouldn’t have increased. A whole lot of stress, worry, and panic could have been avoided.
The one bright side I can think of from this entire disaster is the awareness of cybersecurity importance that has been brought to light.
Here are a few more reasons why cybersecurity is important:
Prevents cyberattacks from being successful.
Protects sensitive employee, client, supply chain, and business information from being leaked.
Your reputation won’t be impacted. A damaged reputation from a cyberattack could result in a loss of customers, consumer trust, and make it more challenging to gain future clients.
Saves you money if you were attacked and had to pay a ransom, non-compliance fines, downtime expenses, etc.
Keeps your organization in compliance with certain laws.
Provides your staff and clients with more security that you are doing all you can to safeguard sensitive information such as social security numbers, billing and credit card details, addresses, usernames, passwords, and so on.
Lesson #3 - Use smart backup and disaster recovery practices in your organization.
After Colonial paid the almost five-million-dollar ransom, the hackers gave their victim a decrypting tool to restore their network. However, a source reported that the tool provided by the hackers was extremely slow at decrypting and that Colonial continued to use their own backups to help restore their network instead. Imagine if Colonial backed up their data once a week or worse not at all. Then they would have been in a worse spot, putting all their trust to get their data back efficiently in an organization that just hacked their system for a huge ransom. That is putting a lot of trust and responsibility in someone that just stole vastly from your business. And then what happens if you pay the ransom, and the attackers fail to provide a decryption key or restore your data? Now, your organization is out money for the hefty ransom and your data is still gone.
This is why utilizing smart and safe backup and disaster recovery practices are extremely important for every organization. Here are some best practices your SMB can implement:
Before you back up your data it is important to close the security gap. Not doing so could lead to re-infection by the same or other ransomware.
Back your data up on a regular schedule. This is different for organizations depending on their data needs. This can range from multiple backups a day, once a day, and so on. Find a schedule that works best for your organization that limits data loss in case of a ransomware attack or other data loss scenarios.
Back up your data in multiple locations. One backup on-site, one off-site (Like your MSP’s office), and one in the cloud.
Regularly test your backups to ensure they are working properly.
Have a disaster recovery plan and regularly test your plan as well.
How an MSP Can Help
Now, don’t think your organization is defenseless against hacker groups like DarkSide. Having the correct protection for your network is vital to staying clear of becoming a victim to a ransomware attack.
Without an MSP or an in-house I.T. professional, you most likely have no one monitoring your systems. Therefore, once a ransomware attack happens to your business then you respond. This is a reactive approach. An MSP takes a proactive approach, meaning your systems are constantly being monitored for potential threats. From there, the risk can be mitigated before the attack happens.
Along with that, an MSP will make sure your data is backed up regularly, and in multiple locations to ensure your data is protected at all costs. Backups and disaster recovery plans are tested to ensure they will not fail and to get your business back on its feet as soon as possible if the worst-case scenario does happen.