What the Latest Cybersecurity Breaches Can Teach Us

cybersecurity breachesIn the field of cybersecurity, there are always opportunities to learn. It’s a dynamic ecosystem that’s always changing in terms of threats. There’s also no shortage of cybersecurity breaches, with fear-inducing headlines that can make any company shutter. But I’d also argue there is much to learn in these situations.

In a perfect world, breaches and attacks wouldn’t happen. Everything would be top-notch secure, and cyber criminals would be foiled at every turn. Unfortunately, that’s not the reality. In fact, breaches are rising, and hackers are getting smarter and more sophisticated. Data breaches exposed 22 billion records in 2021, and ransomware attacks increased by 92.7% from 2020 to 2021.

Even with the most robust tools and processes, you can’t guarantee your organization won’t be a victim. Aside from these components, the human element is the most important. Who you put in charge of protecting data and securing your infrastructure is most often the differentiator. And those people need more than just technical aptitude. They need to be communicators and collaborators. They need to be flexible and open to change and growth.

With that in mind, let’s consider what the latest cybersecurity breaches can teach us.

U-Haul Data Breach Exposes Customer Information

The moving and storage company U-Haul reported a data breach to customers in September 2022. The attack enabled cyber criminals to access rental contracts between November 2021 and April 2022. As a result, over 2 million customers had sensitive data exposed, including names, driver’s licenses, and state identification numbers.

The hack was successful because of the ability to compromise unique passwords that enabled access to customer contract search tools. The company didn’t disclose anything further about the password compromise.

In this scenario, a few things come to mind as learnings. First, it highlights the need for multifactor authentication across the entire enterprise. Second, it’s possible zero trust architecture could have prevented this. Third, perhaps there wasn’t visibility or transparency across the digital infrastructure, which left this database vulnerable. They could have averted such a breach not with better tools but with better communication.

OakBend Medical Center Suffers Ransomware Attack

Ransomware in healthcare has become a serious issue, with over 55 of these attacks this year alone. Due to a ransomware attack, the Oakbend hospital had communication and IT issues. They announced they were working under “electronic health downtime procedures.”

The standard response was to take everything offline and rebuild their systems. Healthcare is a key target for hackers, as they know this is a mission-critical industry that will often pay the ransom.

We can learn from this incident that the need for updated and practiced cyber incident response procedures is critical. Additionally, questions about redundancy and backups are relevant. We don’t know the details, but with healthcare, the weak link is often legacy systems. Human error and apathy are brewing in hospital IT offices.

Healthcare data is a serious business. I would advise any healthcare organization to modernize its approach to cybersecurity, which requires removing legacy systems, updating infrastructure, and driving change in the hearts and minds of the professionals responsible for it. Until these things happen, healthcare will always be an easy target.

Aon Data Breach Exposes Sensitive Customer Data

Aon first noted the breach in its Securities & Exchange Commission filing in February 2022. However, the global financial company didn’t advise customers until May. The breach’s root cause was access by an unauthorized third party. The company’s investigation reported no evidence that the stolen data was misused and that they had enacted new controls.

It makes you wonder if these controls were so robust, why weren’t they already in place? And why did third parties have the opportunity to steal customer information?

Aon, like any other financial institution, certainly has a sophisticated cybersecurity footprint with teams of professionals that are experts. Yet, there’s always a way in! Would zero-trust architecture have saved the day? Would all those smart cyber folks have noticed this access vulnerability sooner if they worked more like a team rather than individual contributors? Without more details, it’s hard to know. As someone who’s been in this industry a long time, I know that human blindsides are the worst.

Social Engineering Scam Exposes Marriott Customers’ Credit Card Information

Marriott reported that an employee was a social engineering victim, leading him to turn over credentials. The hackers then tried to extort money, contacting the company boasting of their access. The hotel chain stated that the hacker didn’t reach its core network, but customer data related to the specific location was part of the breach. Marriott refused to pay the cyber criminals and contacted law enforcement.

The obvious learning is around constant and consistent training for employees on cybersecurity. However, even if that’s in place, employees may not give it much credence if it’s not a top-down philosophy that’s part of the company culture. Other points to consider are again about access — who has it, how they get it, and who is trustworthy.

If you take away anything from these cases, the most important thing is going back to your people. How are they protecting your data? What are their misconceptions or flawed reasonings?

The most secure companies don’t get that way because they spend the most money or have all the latest and greatest tools. They don’t end up in the headlines because their people work proactively and are agile in collaborating and communicating. If you can do anything right now to strengthen your company’s defense posture, it’s about getting your technical teams aligned, motivated, and growing their mindset. Without this, everyone stays in the same place, and the hackers will keep succeeding.

Ransomware – Should You Pay?

cybersecurity certificationsLast night I watched an episode of Chicago Med (Season 2, Episode 19). It happened to be about ransomware. Chicago Med was infected with ransomware, rendering all computer systems (doctor’s tablets, MRI machines, patient history systems, diagnostic systems, etc.) useless. The staff of Chicago Med had to resort to “manually” doing everything – filling out paper lab requests, using a whiteboard for patient status, using old school methods to diagnose patients, etc.

A debate ensued about whether Chicago Med should just pay the ransom, which was around $30k. The staff had differing opinions in the episode.

This is a debate worth discussing, as I do not see a clear answer to the question “should I pay the ransom”, other than “it depends”.

Ransomware Attack - Manual method

The reliance on medical technology makes manually processes like this prone to mistakes

I tend to look at everything from a risk perspective. Sure, it’s easy to say “our policy is we do not pay the ransom”, but at what cost? Many people have polarizing opinions on just about everything, including this topic. It’s easy to make recommendations from afar. What if your spouse was in a hospital and needed immediate emergency treatment, but treatment was delayed because of ransomware? Every second in this delay increased the risk that your spouse might die. Would you still support the policy “we do not pay the ransom”, even if it meant your spouse may die? Is $30k worth more than your spouse?

Also, the rationale for the “we do not pay the ransom” policy goes something like this – “if the hackers know we do not pay the ransom, they won’t attack us”. This is flawed logic because many cybercriminals release ransomware into the “wild”, non-directed, to spread to as many systems as possible, so they can maximize odds of success and returns.

The Chicago Med hospital administrator was adamant about not paying the ransom, but one of the doctors paid the ransom himself. After the ransom was paid, all the systems came back online and everything went back to “normal”. The doctor that paid the ransom simply stated that the risk was too great and that he had calculated the ROI and it was an easy decision.

But, wait…what if you pay the ransom and the hackers just take your money and don’t decrypt your systems? 

This is certainly a possibility, although it is almost never the case. Most cybercriminals are in the business of making money, so their business models support this objective. Cybercriminals probably analyze risk in greater depth than most IT Staff of Cybersecurity Staff.

Risk is a real issue that is almost always overlooked. Sure, screw paying the ransom if:

  • Your IT/Cybersecurity Staff has an up-to-date and rehearsed Incident Response Plan
  • Your IT/Cybersecurity Staff has current, up-to-date backups that can be restored quickly
  • Your IT/Cybersecurity Staff can source the ransomware infection and prevent it from occurring again after the backup restoration
  • Your IT/Cybersecurity Staff knows which vulnerability the ransomware exploited
  • Your IT/Cybersecurity Staff knows the extent of the infection – did the infection hit the backup systems?

In the Chicago Med episode, they had to end up diverting patients to other hospitals because of the ransomware. The Chicago Med IT Staff seemingly did not have a plan, at least a timely one, to restore the hospital systems.

I’m certainly not advocating people pay the ransom, but blindly making blanket policies without understanding risk is a huge problem, especially at places where time is of the essence, such as hospitals.

So, what can you do to help with RANSOMWARE? I recommend 3 things to start:

  1. Perform a risk assessment against your environment – identify your critical assets (data and systems). Not everything is critical. Narrowing your focus to what is critical, then prioritizing accordingly allows you to better protect these systems and restore them in a prioritized manner. Too many organizations try to equally protect everything. This is a huge mistake, as everything is half-ass protected, which doesn’t cut it. It’s better to protect your 10 critical assets 100% and leave the 90 noncritical assets at 50%. This is better than all 100 assets being protected at 60%, which is a common mistake.

  2. Once you know your critical systems, make sure those systems (and the applications installed on them) are patched routinely and that they are backed up (the system itself as well as the data on the system) as frequently as needed.

  3. Critical system backups security and testing. Make sure the backup system is secure. If the ransomware hits the backup system, the backups are no good. Also, make sure you know how to restore from backups. This seems simple, yet it is often overlooked. I’ve seen many organizations back up their data routinely and religiously and never once test the restoration procedures. During an incident, they found out that the restoration procedures did not work at all or only partially worked.

If you’re unclear on how to perform the risk assessment or need help with a cybersecurity plan, Alpine Security can help you with our CISO-as-a-Service.

70% of Cyber Attacks Will Be Against Small Businesses in 2020

cybersecurity certifications


In 2020 it is estimated the percentage of cyber attacks against small businesses will be close to 70%. It’s also estimated that in 2020 the cost of cyber attacks is going to be around $5 trillion. That’s trillion with a T. And if 70% of the attacks are against small businesses, then obviously the small businesses are going to be paying for a lot of that $5 trillion. Cyber attacks affect small businesses in a few ways. This post discusses how cyber attacks affect small businesses and what can be done about it.

The Effect of Ransomware and Stolen Data on Small Business

One way cyberattacks affect a small business is if a small business is attacked with something such as ransomware. The ransomware can render systems useless for maybe one week or two weeks. So the small business can’t provide the service they need to provide to generate revenue or they can’t produce the product they need to produce to generate revenue. So basically they’re dead in the water for one or two weeks and they can’t produce anything to generate revenue. That alone can take a small business out of business.  

The other primary method or primary way that small businesses have to pay for a cyber attack is if a small business’s client data is stolen. Typically, for every record that’s stolen the small business has to pay for credit monitoring for all those records. There’s a clinic in Missouri that was put out of business. They had 20,000 patient records stolen by an attacker. They had to pay for credit monitoring for all 20,000 of those patients. The credit monitoring, I’m not exactly sure the price, but I think it was around $20 per person. So if you had 20,000 records stolen and you have to pay $20 per record, that’s $400,000 that that small business had to pay per year in credit monitoring fees. Most small businesses do not have a cash reserve of $400,000 so that took that clinic out of business.

Why Do Cybercriminals Attack Small Businesses?

You may ask yourself, “Why do attackers go after small businesses? Why is the percentage so high towards small businesses?” There are two main reasons. The first reason is most small businesses do not have a very mature cybersecurity program. They don’t have a dedicated staff to solely work on cybersecurity, it’s typically somebody’s additional duty. The attackers know this and they know that they can more easily get into a small business than a larger business because most large organizations have a dedicated cybersecurity staff and a mature cybersecurity program.

The second reason is attackers will attack a small business and use that business as a foothold to attack a larger business. Small businesses typically have relationships with larger businesses. If the large business is fairly secure but the small business is not, the attacker’s going to go after the small business and then leverage that relationship from the small business to attack the larger business.

An example of this is Target. Target’s a large store. Obviously, they’re all over the place, but Target wasn’t attacked directly because they have a fairly mature cybersecurity program. The HVAC vendor or heating, ventilation and air conditioning vendor was attacked. The HVAC vendor for Target was a small business. So the attackers attacked the HVAC vendor and then from there, they leveraged the HVAC vendor’s relationship with Target. The attackers rode the trusted connection from the HVAC vendor to attack Target and compromise Target’s point of sale machines which stole everyone’s credit card numbers.

As a recap, the two reasons small businesses are attacked:

  1. They are typically not very mature in the cybersecurity maturity process
  2. They are often leveraged to attack the larger business

What Can You Do?

My company, Alpine Security believes small businesses are vital to the economy. We’re a small business and we want to support other small businesses. So we’ve come up with our fractional virtual CISO service – that offers an affordable means for small businesses to develop cybersecurity capabilities in alignment with risk tolerance, industry, and business objectives. To learn more about our CISO service, you can call us at (844) 925-7463, email us at info@alpinesecurity.com, or visit: https://alpinesecurity.com/services/ciso-as-a-service/

It is in our interest to help small business owners protect your environment from being attacked.