Work in cybersecurity long enough, and you’ll notice how awash this space is with F.U.D. Fear, Uncertainty, and Death. It’s a natural enough place for the industry to gravitate towards: there’s a lot of fear out there and it’s an easy way to market security. But sometimes events at a point in time warrant some F.U.D. If you’re worried about cybersecurity, now would be one of those times.
Unfortunately, this week diplomatic efforts failed and Russia has invaded Ukraine. Aside from the tragic loss of life and political consequences for Ukrainians, Russia has also unleashed its cyber warfare capabilities, crippling critical infrastructure in Ukraine and bringing the necessities of everyday life to a standstill. Russia has also vowed to retaliate against any sanctions and interference from the West.
Most news outlets and talking heads have been focused on Russia’s ability to attack and disrupt essential systems like the American power grid and other utilities—which would no doubt be devastating. The thing is though…systems like that are obvious targets, which is why it may be unlikely that they’ll be attacked. First, any attack on the power grid or banks—even by a technically non-state actor like the Russian-affiliated Fancy Bear organization—would almost surely be considered an act of war. And while it might disrupt American life, it would also almost certainly galvanize the American public into demanding action. Political inaction and hand wringing would simply not be an option, and it would risk a dangerous military escalation that could easily spiral out of control. And secondly, American defenders are well aware of the vulnerabilities in these systems, and are likely taking steps to harden them.
So what should we be worried about?
Think about it this way. Why put the time and effort into trying to crack some of the most hardened and observed systems in the world when there are literally hundreds of thousands of small- and medium-businesses powering the consumer economy running unpatched endpoints and out of date operating systems, offering unprotected WiFi open to all and any, and for whom security is not their first priority?
In military parlance, these businesses are called targets of opportunity. Individually they aren’t catastrophic and almost nobody would notice. But if enough of them go down, it starts to add up. The fear among cybersecurity experts is that we could see a repeat of the NotPetya malware that was unleashed against Ukrainian targets (likely by Russia) in 2017 but then spread globally.
Thing one: It's not just Ukraine. Symantec has recovered samples from Latvia and Lithuania. — Joe Uchill (@JoeUchill) February 23, 2022
That could mean spillover from Ukraine (which is how we get NotPetya) or targeting outside Ukraine (which goes against Russia's flimsy 'peacekeeper' narrative, if this is Russia).
Just because your business might be small or in a non-essential industry doesn’t mean it’s safe. Everything from a regional paper company in Pennsylvania to a neighborhood coffee shop in California could be a target. Organizations of this size typically don’t have the resources, budget or perceived need to invest huge sums of money and time into best-of-breed security programs. Even medium-sized companies often underinvest in security unless they’re in a heavily-regulated industry or there’s a perceived need for it. Realistically, for most companies security isn’t top of mind when you’re just trying to clear operating expenses. So unless it’s vital to securing new business, most small or medium businesses typically rely on safety in anonymity and a faith that the digital vendors they use are secure and prioritizing security.
And the malware against the west to worry about isn't going to be a bit of "spillover" from what happens in Ukraine, it's going to be directed, large scale, on purpose, and part of countersanctions. — Pwn All The Things (@pwnallthethings) February 23, 2022
There’s a certain logic to this, but it’s also potentially a recipe for disaster in the modern era when the battlefield extends into the digital realm. So are we saying that every coffee shop or small business with a WiFi router and a Square terminal needs to go out and hire a security expert? Or that medium-sized businesses need to immediately invest their entire operating budget into building a full Security Operations Center?
No. Not at all.
But there are simple and relatively easy things that every business owner or mid-market security team can do that will drastically reduce their risk, especially if they’re made part of a regular routine. For additional guidance, see the Shields Up guidance from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
7 Tips For Small Businesses
- Get an asset inventory, including software assets. You should know all the computers, laptops, tablets and phones that are associated with your business, who owns or uses them, and when they were last updated. If you need to run updates or patches in the future, this list will make it much easier to keep track.
- Update all your computers, laptops, tablets and phones. 70% of all breaches originate from endpoints. Make sure all the operating systems and apps are up to date. Unsure how to check? Apple, Microsoft and Android make it easy by simply going to settings. If you see a system update is available, go ahead and install it. Of course, it’s impossible to update everything, but prioritize systems that touch the internet, that transact or store sensitive data, or are critical to your business operation. It would be a good idea to prioritize your Windows servers and software. If your business relies on WordPress, it’s a good idea to update your WordPress software and plug-ins.
- Change your passwords. If it’s been a while since you changed them or they’re short and easily guessed, go ahead and change them. Make sure they’re adequately complex to prevent a program from brute-forcing them by guessing. Try using the password manager available through your browser or on your phone. Don’t trust that? Then try using a passphrase instead.
- Update WiFi firmware and settings. WiFi routers often need to be updated just like computers. Most routers will do this automatically, but not always. You can check by looking on the router itself for the web address of its admin page and opening that in a browser.
- Update your WiFi password. Are you still using the default WiFi router name and password that came with it when it was set up? Then it’s time to change it. Again, that web address on the router can be used to change the router name and password.
- Segregate your business and guest WiFi. Letting any laptop that wanders in off the street connect to the same router you connect your business machines to is like allowing your child to lick the floor of a New York subway. You have no idea where it’s been, what’s on it, or who’s using it. Even if your router claims to offer two networks off one modem, it’s time to get a second router for guests. This is especially true if you accept and process payments on-site with a Square or Toast terminal.
- Conduct employee training. Aim to create a culture where your employees are partners in defending the business against cyber attackers. Conduct training on spotting phishing emails, social engineering scams, and other tactics used by hackers. Establish clear guidelines on how management will ask for things like financial information and how to share passwords for shared accounts with other employees. If it seems suspicious, it probably is.
- Be vigilant. If you or your staff notice strange behavior like machines running slower, unusual apps running, and so on, turn off the machine and disconnect it from the internet until you can have a professional assessment done.
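The first two tips above (keep an inventory, then patch the internet-facing and sensitive systems first) can be turned into a small repeatable check. The script below is an added example, not code from the original post or from CISA: it reads an inventory in the shape the post describes (device, owner, OS, last update, whether it touches the internet, whether it stores sensitive data) and ranks what to patch first. The column names, the 30-day threshold and the sample rows are all constructed for illustration.

```python
"""Patch triage over a small-business asset inventory (added example)."""
import csv
import io
from datetime import date

# Constructed sample inventory; a real one would be a spreadsheet or CSV on disk.
SAMPLE_INVENTORY = """\
device,owner,os,last_update,internet_facing,sensitive_data
front-desk-pc,Sam,Windows 10,2021-11-02,no,yes
pos-tablet,Counter,iPadOS 15,2022-02-20,yes,yes
owner-laptop,Alex,macOS 12,2022-01-10,no,no
web-server,IT contractor,Ubuntu 20.04,2021-09-15,yes,no
back-office-pc,Jordan,Windows 7,2020-12-01,no,yes
"""

MAX_AGE_DAYS = 30  # assumption: anything not updated in a month counts as overdue
# Windows 7 left Microsoft support in January 2020; an unsupported OS gets no more patches.
UNSUPPORTED_OS_PREFIXES = ("Windows 7",)


def _flag(value):
    """Interpret yes/no style spreadsheet cells as booleans."""
    return value.strip().lower() in ("yes", "y", "true", "1")


def load_inventory(text):
    """Parse CSV text into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "device": row["device"],
            "owner": row["owner"],
            "os": row["os"],
            "last_update": date.fromisoformat(row["last_update"]),
            "internet_facing": _flag(row["internet_facing"]),
            "sensitive_data": _flag(row["sensitive_data"]),
        })
    return rows


def triage(rows, today, max_age_days=MAX_AGE_DAYS):
    """Return (priority, days_since_update, device) tuples, most urgent first.

    Priority 0: overdue and internet-facing, holding sensitive data, or on an
                unsupported OS (the post's "prioritize" criteria).
    Priority 1: overdue but internal and low-sensitivity.
    Priority 2: up to date.
    """
    ranked = []
    for r in rows:
        age = (today - r["last_update"]).days
        overdue = age > max_age_days
        unsupported = r["os"].startswith(UNSUPPORTED_OS_PREFIXES)
        if unsupported or (overdue and (r["internet_facing"] or r["sensitive_data"])):
            prio = 0
        elif overdue:
            prio = 1
        else:
            prio = 2
        ranked.append((prio, age, r["device"]))
    # Sort by priority tier, then by how stale the device is.
    ranked.sort(key=lambda t: (t[0], -t[1]))
    return ranked


def rank_inventory(text, today_iso):
    """Convenience wrapper: CSV text plus an ISO date string -> ranked list."""
    return triage(load_inventory(text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for prio, age, dev in rank_inventory(SAMPLE_INVENTORY, "2022-02-24"):
        label = ["PATCH NOW", "patch soon", "ok"][prio]
        print(f"{label:10} {dev:16} last updated {age:4d} days ago")
```

Run it against the real inventory once a week and the output is the patch to-do list; devices on an OS that no longer receives updates stay at the top until they are replaced, which is the point of tracking the OS column at all.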
Check out this guide from CISA for more information.
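Tip 3 above recommends a passphrase when a password manager is not an option. The following added example (not from the original post) makes the "complex enough to resist brute-forcing" claim concrete: it generates a passphrase with a cryptographically secure random choice and works out how many guesses an attacker would need. The 16-word list is constructed and deliberately tiny; the 7,776-word size is that of the EFF long word list, and the 1e10 guesses-per-second rate is an assumed offline-cracking figure used only to scale the comparison.

```python
"""Passphrase generation and brute-force cost estimate (added example)."""
import math
import secrets

# Constructed toy word list; only its size matters for the entropy arithmetic.
TOY_WORDS = ["anchor", "basil", "copper", "dune", "ember", "fjord", "granite", "harbor",
             "ivory", "juniper", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble"]
EFF_LONG_LIST_SIZE = 7776      # 6**5 words, one word per five dice rolls
ALNUM_ALPHABET_SIZE = 62       # a-z, A-Z, 0-9 for a conventional password
ASSUMED_GUESSES_PER_SECOND = 1e10  # assumption for scaling, not a measurement


def generate_passphrase(words, n_words, sep="-"):
    """Pick n_words uniformly at random using the OS CSPRNG (never random.choice)."""
    if n_words < 1 or len(words) < 2:
        raise ValueError("need at least one word from a list of two or more")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` symbols drawn independently and uniformly.

    Only valid when the choice really is uniform: a phrase a person made up
    (song lyrics, a favourite quote) has far less entropy than this formula says.
    """
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(n_words=6, password_length=8):
    """Side-by-side strength of a word-list passphrase versus a random password."""
    toy = entropy_bits(len(TOY_WORDS), n_words)
    eff = entropy_bits(EFF_LONG_LIST_SIZE, n_words)
    pwd = entropy_bits(ALNUM_ALPHABET_SIZE, password_length)
    return {
        "toy_list_bits": toy, "toy_list_years": years_to_exhaust(toy),
        "eff_list_bits": eff, "eff_list_years": years_to_exhaust(eff),
        "password_bits": pwd, "password_years": years_to_exhaust(pwd),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(TOY_WORDS, 6))
    for k, v in compare().items():
        print(f"{k:18} {v:,.2f}")
```

Six words from the tiny list give only 24 bits, which falls in a fraction of a second; six words from a 7,776-word list give roughly 77.5 bits, which at the assumed rate takes on the order of hundreds of thousands of years to exhaust, comfortably beyond an eight-character random alphanumeric password at about 47.6 bits. The length of a passphrase is what buys the margin, not symbol substitutions.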
Tips For Medium Businesses
- Get an asset inventory, including software assets.
- Update all your computers, laptops, tablets and phones.
- Change your passwords.
- Conduct employee training.
- Conduct vendor assessments. If you’re trusting your vendors are safe to do business with, you may be putting yourself at risk. You should regularly seek to understand how vendors handle customer data, financial information, and how secure their own systems are. Do not ever allow an unassessed vendor to connect directly to your own systems or house proprietary IP or financial information.
- Have a response plan. If you’re the unfortunate victim of a cybersecurity incident, does your organization have a response plan in place? If so, excellent. Now is the time to review it and make any adjustments necessary. If not, now is the time to think about how you’ll respond. Who needs to be notified? What actions need to be taken? Should customers be notified and who will handle that? How will you determine what?
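Both lists ask for employee training on phishing and for clear rules about how management will request money or credentials. A useful companion to that training is a first-pass triage for the messages staff report. The script below is an added example, not from the original post or from CISA or CERT: it applies three checks that follow from the guidance above (a display name that belongs to a known colleague but an address that does not, a Reply-To that points somewhere other than the sender's own domain, and wording that pushes for urgent payments or credentials). The company domain, the staff roster, the phrase list and the two sample messages are all constructed.

```python
"""First-pass triage of an employee-reported email (added example)."""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

COMPANY_DOMAIN = "example-coffee.test"                        # constructed
KNOWN_STAFF = {"dana reyes": "dana@example-coffee.test"}      # display name -> real address
URGENT_PHRASES = ("wire", "gift card", "urgent", "immediately",
                  "password", "verify your account", "keep this between us")

# Constructed sample messages (raw RFC 5322 text as a mail client would export it).
SUSPICIOUS_MSG = """\
From: Dana Reyes <dana.reyes@mail-example.test>
Reply-To: dana.reyes.ceo@webmail-example.test
To: bookkeeper@example-coffee.test
Subject: Quick favour

Are you at your desk? I need you to wire a vendor payment immediately and
keep this between us until I get back.
"""

BENIGN_MSG = """\
From: Dana Reyes <dana@example-coffee.test>
To: bookkeeper@example-coffee.test
Subject: Invoice filed

Filed the March invoice in the shared drive, no action needed.
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Return a verdict plus the human-readable reasons behind it."""
    msg = Parser(policy=policy.default).parsestr(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    reasons = []

    # 1. Impersonation: a colleague's name on an address that is not theirs.
    real = KNOWN_STAFF.get(name.strip().lower())
    if real and addr.lower() != real:
        reasons.append(f"display name '{name}' matches staff but address {addr} is not theirs")

    # 2. Reply hijack: answers would go to a different domain than the sender shows.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and _domain(reply_to) != _domain(addr):
        reasons.append(f"Reply-To {reply_to} does not match sender domain {_domain(addr)}")

    # 3. Pressure: urgency or secrecy around money or credentials.
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    hits = [p for p in URGENT_PHRASES if p in body]
    if hits:
        reasons.append("pressure wording: " + ", ".join(hits))

    verdict = "escalate" if reasons else "no flags"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MSG), ("benign", BENIGN_MSG)):
        result = analyse(raw)
        print(f"{label}: {result['verdict']}")
        for r in result["reasons"]:
            print("  -", r)
```

A "no flags" result is not a clean bill of health, which is why the return value carries the reasons rather than a score: the intent is to give whoever handles reported mail a consistent first set of questions, and to reinforce the out-of-band rule the post recommends, namely that a request for a payment or a password gets confirmed by phone or in person before anyone acts on it.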
Check out this guide from CERT for small and medium businesses for more information.
If you need to know more about the latest security threats, read our latest Threat Research Bulletin.