It’s not just pipeline companies, meat processing plants and ferry services that are targets of hackers, ransomware attacks and those looking to get information valuable to them.
The head of a Portsmouth, NH company that’s been on the front lines of cybersecurity for nearly 20 years says there is more to it than that.
Tim Golden, CTO of VITAL Tech Services, said the lack of email protocols led a small veterinary lab to lose $20,000 when an employee followed the instructions in an email that appeared to be from the owner to buy Amazon gift cards.
“No questions along the way because she got an email that looked like it came from the owner that said, ‘Hey, we want to keep this a secret. We want to give Christmas bonuses in the form of Amazon gift cards this year. Go buy 20 of them at $1,000 apiece for everybody.’ Poof. Gone,” Golden told Seacoast Current.
The employee didn’t think to ask the owner if the email was legitimate or not because there was no check and balance system in place about how to purchase things for the business.
“I’ve seen that exact thing happen dozens of times. Small little veterinary practice thinks, ‘I’m too small. No one’s going to come after me.’ Well, you know what they just did. You just lost $20,000 bucks you’ll never get back,” Golden said.
It’s only after there’s an issue that people call someone like Golden.
Golden says the key for a small business owner or someone working at home to be cyber secure is to keep up with maintenance, just as you would with your car. Otherwise, it’s like not changing the oil.
“You change your oil every 7,000 miles, you rotate your car tires every 15,000 miles, no questions asked. Now your car will last 100,000 miles because you’re doing preventative maintenance. Same idea with technology,” Golden said. “You’re not patching your machines, you’re not keeping your anti-virus up to date, you’re not patching your firewall, you’re not putting in the safeguards, the seatbelts, the rear camera warnings. You’re not doing the preventative stuff. Probably around the 40,000-mile mark that engine’s going to seize.”
Having an up-to-date anti-virus program installed on your computers or network is not enough on its own, and if a problem gets that far it’s probably too late, according to Golden. His company uses an ongoing educational approach to teach workers to be aware and to think before opening an attachment or a link.
VITAL Tech teaches the employees of its clients to look carefully for signs of “phishing” in email before clicking links and downloading attachments. Phishing is a fraudulent email that appears to be real in order to get the receiver to reveal personal information.
Golden said one good sign of phishing is an email that asks the recipient to take some action while the sender’s address does not look right.
“A scammer will fake the email address. There will also be things in the body of an email address like misspellings or improperly worded English. And the links within the emails might be something like ‘microsoft.google.fakewebsite.com’ as opposed to ‘microsoft.com,’” Golden said.
Other things companies and individuals can do to protect themselves include:
- Installing a spam filter
- Using trusted email systems like Microsoft’s Office 365 or Google’s suite of tools
- Having machines patched and updated
- Using a true anti-virus detection program on your computer
- Be careful what you’re clicking on. If there’s something suspect, ask a friend or co-worker. If you don’t know, delete it.
- Financial and health institutions will not collect credit card information via an email
- The best advice from Golden: “If something looks a little suspect it probably is.”
After the ransomware attack on the Colonial pipeline that left gas stations in the southeast United States without fuel, President Joe Biden signed an executive order to improve the nation’s cybersecurity and protect federal government networks.
The order aims to modernize cybersecurity defenses and strengthen the country’s ability to respond to incidents when they occur. But federal action is not enough, according to Biden.
“We encourage private sector companies to follow the federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents,” Biden said.
Golden, who says he has been in the cybersecurity business since 2002, said it’s not enough, and that there need to be some actual consequences that eventually will be put into place.