The malware attack against a Grand Rapids-based medical supplier serves as a reminder of the constant cyber threats businesses of all sizes face.
Airway Oxygen Inc. reported to customers last month that it had been hit in mid-April by a ransomware attack that encrypted its data. The attackers accessed patient data on about 550,000 past and present customers and some 1,160 current and former employees.
The Airway Oxygen incident demonstrates that threats and potential attacks have become commonplace and are growing in volume and sophistication, said John Hey, chief operating officer at I.T. firm Trivalent Group.
“It is as dicey as it’s ever been,” he said. “The threats that are out there are growing in numbers exponentially and they are delivered in more and more effective ways.”
Trivalent Group generally works once or twice a quarter with a business that has been hit by a cyberattack. The effects range from cases where the client “caught it quick” and quickly restored the data to cases where the client was “down for two or three days,” Hey said.
The most common threat right now is malware and ransomware, where a hacker gains access to a company’s system, encrypts the data, and demands payment.
In the case of Airway Oxygen, hackers detected and exploited security vulnerabilities and bypassed security measures, according to information on the company’s website. In a statement, executives said customers cited “no reports of any adverse consequences” from the attack.
“We are deeply distressed by whatever anxiety or inconvenience this data breach may cause for our customers and employees,” President Stephen Nyhuis said in a statement. “Airway Oxygen has developed a strong reputation for the care and service we’ve provided for more than 40 years. This criminal act against our companies, our customers and our employees is something we must now work hard to overcome.”
HUMAN ERROR OFTEN TO BLAME
The most frequent entry for an attacker is a phishing email, in which a hacker attempts to obtain sensitive information needed to access a system — such as usernames and passwords — by sending what looks like a legitimate email, Hey said.
Such attacks are becoming increasingly sophisticated, he said. The “WannaCry” attack in May that infected thousands of computers worldwide did not even require a person to click on a link or open an attachment on the phishing email to execute it, Hey said.
“That was a little bit of a game-changer,” he said.
An annual report by IBM Security and the Traverse City-based Ponemon Institute placed the average cost to a business for a data breach at $7.35 million in the U.S. That’s the highest among 13 nations where IBM and the Ponemon Institute interviewed more than 1,900 people at 419 companies that experienced a breach.
The annual study found that nearly half of all breaches were the result of malicious or criminal attacks. Many more occur through negligence or human error, in which an employee inadvertently does something that exposes data.
“It happens all of the time by well-meaning, well-intentioned people who don’t understand the risk out there,” said Sheila Eddy, an associate attorney at Smith Haughey Rice & Roegge PC in Grand Rapids.
Experts say businesses of any size need to have their vulnerability assessed and they must address any weaknesses accordingly.
TRAINING IS KEY
Perhaps the best defense is not technology but constant staff training. For instance, all employees should know how to spot a phishing email and have an understanding of the threats that exist today, Hey said.
“It’s not all about throwing technology at it,” he said. “Really, it comes down to you have to have awareness right down to every fingertip of every person you have on your team. You have to just continually train them and hope for the best.”
Businesses also should have an “ironclad” data backup to use should they become the victims of an attack, according to Hey.
Eddy advises businesses to mitigate their risk by limiting the kind of data they store. If they don’t need it or are not legally required to keep it, “get rid of it,” Eddy said.
“That way, if it’s not there when somebody goes and hacks your system, then they’ve already reduced their liability before it even occurs,” Eddy said.
Businesses should encrypt the data they do retain, according to Eddy. They also should have internal policies on cybersecurity and keep them updated, and require ongoing training for all employees, she said.
When a breach occurs, businesses have a “whole patchwork of laws” they need to follow to respond and notify customers that their information was accessed. If the company is in health care, federal privacy laws also apply, Eddy said.
INSURANCE AS PROTECTION
To protect themselves from losses, businesses can also look to cyber insurance that can cover the costs of response, recovery, interruptions to the company, and civil liability — depending on the coverage.
“That’s really a question everybody should bring up with their insurance agent and ask for a risk assessment,” said Eddy, who likens cyber coverage to having insurance in case of a fire.
Business owners may not like paying for the coverage, “but then when that fire takes place, it’s really nice when you have insurance,” she said.
Eddy has seen cyber risk and liability become a subject in business contracts between companies and their suppliers and vendors. Whenever she’s dealing with a client’s highly sensitive data in a contract, “I’m going to push in that contract to say, ‘OK, if you’re going to have all that access to my client’s data, you need to name us as an insured (party) on your cyber liability policy.’”
Questions also arise more frequently about where a client stores data and the details of their security practices and policies, she said.
“This is becoming part of negotiation practices of attorneys who are aware of these potential risks for their clients,” Eddy said. “If people are going to be accessing or hosting your data, you want some assurances.”
For companies that do business with the federal government, a new mandate takes effect Dec. 31 that requires suppliers to adopt cybersecurity best practices, countermeasures and reporting standards to continue to qualify for contracts. The mandates apply to contractors for the Department of Defense, National Aeronautics and Space Administration and the General Services Administration.
ASSESSING THE THREAT
Businesses can buy insurance to cover losses associated with a data breach, although a report this spring by Aon Risk Solutions and the Ponemon Institute said many remain reluctant to carry cyber coverage, despite the growing threat.
Nearly nine out of 10 risk management professionals Aon and Ponemon surveyed ranked cyber liability as a top 10 risk to their business, and 64 percent believe the risk will increase over the next two years, according to the report. However, just 30 percent of U.S. companies responding to the survey had coverage.
As a percentage of assets, the property, plant and equipment among the businesses surveyed had nearly four times the insurance coverage compared to information assets, according to Aon.
“What companies are still working through is how these threats impact their business,” said Christian Hoffman, leader of Aon’s cyber security practice.
The cost of cyber coverage hinges on the depth and scope of a policy and the industry involved. Questions remain about how cyber coverage works and fits with other insurance coverages companies carry and whether the threat justifies the cost, he said.
NOT JUST BIG BIZ
Hoffman and others say businesses are becoming more aware of the threats they face, although Hey at Trivalent Group wonders whether enough companies have that understanding, especially small businesses whose owners may think they are not large enough to become a target. Quite the opposite is true, experts say, since small businesses may not have the sophistication, staff and expertise to stay on top of the threats.
“As a rule, most employee bases of your average small business don’t quite understand the gravity of how many threats are knocking on your door all of the time,” he said. “There needs to be a huge leap forward in the overall mentality of technology users.”
For more than a year and a half, the Michigan Small Business Development Center at Grand Valley State University has offered cybersecurity assessments and training for small businesses through the website smallbusinessbigthreat.com.
More than 13,000 individuals have used the site and 850 of them did a cyber awareness assessment, said SBDC Director Keith Brophy. Of those, 72 percent rated as a low to moderate risk for a breach, 15 percent were a moderate to high risk, and 13 percent were a very high risk.
Since Brophy took over as director more than two years ago, the SBDC has made awareness of cyber threats to small businesses a part of its mission. Threats are growing and awareness is growing, “and we want awareness to grow faster than the threat,” Brophy said.
“Right now the race is on,” he said.
Experts offer cybersecurity tips, advice
SBDC Director Keith Brophy said his organization developed the Small Business, Big Threat program to raise awareness of cybersecurity threats that small businesses face. Over 13,000 individuals have benefited from the program by visiting smallbusinessbigthreat.com and taking advantage of resources and expertise. Here are his dos and don’ts:
Top to-dos to increase cyber resilience:
- Create long passwords including lower- and upper-case letters, numbers and characters
- Install a passcode on your mobile devices
- Use a VPN
- Back up your data offsite daily
- Use anti-virus software
- Install automatic updates to devices promptly
- Use two-factor authentication whenever possible
Top don’ts for staying cyber safe:
- Do NOT use the same password for multiple accounts
- Do NOT share your password with anyone
- Do NOT store your password on a post-it note near your computer
- Do NOT use free open Wi-Fi for financial transactions or to transfer sensitive data
- Do NOT click on links in suspicious emails
- Do NOT leave your devices unattended
5 ‘musts’ to ensure cybersecurity
Sheila Eddy, an associate in the office of law firm Smith Haughey Rice & Roegge, said organizations that perform these five steps can increase their cybersecurity.
- Delete what you don’t need or aren’t legally required to keep, and encrypt the data that you do keep
- Implement an internal security policy, enforce it, keep it updated, and require ongoing training for all employees
- Look into (and obtain) cyber-liability insurance
- Designate high-level staff to serve as a rapid response team for when a data breach occurs (an I.T. person, a public relations/marketing person, a member from the legal team, top-level decision makers)
- Retain outside experts to assist with the aftermath of a breach (outside legal counsel, outside PR firm, third-party I.T. company, third-party forensic experts, etc.)
Editor’s Note: The print version of this story included an incorrect web address for the SBDC’s “Small Business, Big Threat” cybersecurity program, which can be found at smallbusinessbigthreat.com.