Through working with a number of banks and credit unions, Randy Brinks is fully aware of the giant target that the financial services industry has had for years concerning cybersecurity threats.
Brinks is CEO of Grand Rapids-based RedRock Information Security LLC, a 24-employee operation that specializes in working with financial institutions and businesses throughout a number of industries.
RedRock works with its clients to keep them in compliance with federal and industry regulations while maintaining a strong posture that a member of an oft-targeted industry should have.
“Health care and finance have been targeted for years now because they have private information that can be sold on the open market,” Brinks said. “Attacks like ransomware are a great opportunity for that.”
Still, while industries like finance, health care and defense might offer the most bountiful payload of sensitive information, cyber attacks have grown to become fairly industry-agnostic, which should make businesses of all sizes and industries take notice.
Keeping a guard up
Regulated industries like finance and health care gain the advantage of third-party audits and a general blueprint for what strong cybersecurity should look like.
Brinks, whose firm is audited by the FDIC just like the banks it serves, said that the standards are written in a way where they also give each individual institution flexibility to implement best practices.
However, not all industries operate in these closely regulated spaces.
“I would argue that because most organizations are not regulated … they’re like swiss cheese. No one is looking over their shoulder, no one is telling them what they should and shouldn’t be doing and how to prioritize their security controls.”
Facing a full spectrum of potential cybersecurity threats that range from espionage conducted by nation states to hacktivists looking to make a statement or earn credibility, Brian Minick, chief information security officer (CISO) for Fifth Third Bank, said that his institution mostly sees attacks that stem from organized crime.
“You see things like people trying to trick our customers into handing over their user ID and passwords,” Minick said. “We see a lot of credential validation attacks — you read about all these companies that were breached and lose user IDs and passwords. The bad guys bring those … and try those (on online bank accounts) to see if they’re the same.”
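The credential validation attacks Minick describes have a recognizable fingerprint on the defender's side: one source trying many different usernames in a short window, with most attempts failing. The following added example (not code from the article or from Fifth Third) runs that check over a constructed authentication log; the log format, the field names and the thresholds are assumptions chosen for illustration, not any bank's real configuration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data).
# Assumed format: "<ISO timestamp> <source_ip> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2021-03-01T10:00:01 203.0.113.7 alice FAIL
2021-03-01T10:00:02 203.0.113.7 bob FAIL
2021-03-01T10:00:03 203.0.113.7 carol FAIL
2021-03-01T10:00:04 203.0.113.7 dave FAIL
2021-03-01T10:00:05 203.0.113.7 erin SUCCESS
2021-03-01T10:00:06 203.0.113.7 frank FAIL
2021-03-01T10:00:30 198.51.100.4 alice FAIL
2021-03-01T10:00:45 198.51.100.4 alice FAIL
2021-03-01T10:01:10 198.51.100.4 alice SUCCESS
2021-03-01T10:05:00 192.0.2.9 grace SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def find_credential_stuffing(log_text, window=timedelta(minutes=5),
                             min_users=5, max_success_ratio=0.5):
    """Flag sources that tried at least `min_users` distinct usernames within
    `window` with a low success ratio. Returns {ip: {"users", "attempts",
    "successes"}} describing the widest matching window per flagged source.
    A single username failing repeatedly from one source is a different
    signal (password guessing or a user typo) and is deliberately not flagged."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        # Sliding window over this source's attempts, ordered by time.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                if best is None or len(users) > best["users"]:
                    best = {"users": len(users), "attempts": len(win),
                            "successes": successes}
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in find_credential_stuffing(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {ip}: {stats}")
```

In the constructed log, 203.0.113.7 is flagged (six usernames in five seconds, one success) while 198.51.100.4 is not, because it only retried a single account. The successful login from a flagged source is the one worth acting on first, since that is the reused password the attacker was looking for.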
While regulations certainly help guide institutions like Fifth Third, Minick said each bank needs to take measures to address its own unique, individualized threats.
“The challenge is that (regulations) work very well for most threats,” Minick said. “When you get into the area of targeted threats — folks who are trying to break into your organization and actively trying different things — you need a very nimble, intelligence-driven approach to that, not necessarily a purely risk- and controls-driven approach.”
A ‘team sport’
Health care is another long-targeted, regulated industry and the COVID-19 pandemic has only made matters worse by ushering in a new wave of attacks.
Data from Check Point Research — a research arm of California-based Check Point Software Technologies — revealed that with ransomware alone the worldwide health care industry saw a 45-percent increase in attacks in November and December of 2020 compared to the previous two months.
Not only do hospitals and other health care providers have to manage vulnerabilities inside their own buildings, but every time they use a new vendor, they inherit the risks that come with those companies.
“There is cyber supply chain risk and that translates into every time we buy or hire a vendor, we’ve extended our risk to include them,” said John Weller, CISO at Metro Health — University of Michigan Health. “As we’ve expanded into telehealth technology, we have to ask: Are they secure?”
The emphasis is on “speed to market, and security oftentimes comes last,” Weller added, referring to how companies work to address emerging needs in health care. “They’re trying to fill the need and get market share quickly, and security is not their No. 1 concern.”
Weller stressed that cybersecurity should be treated as a “team sport,” and Metro Health has put that into practice by joining the Michigan Healthcare Security Operations Centers, which was established in 2018 and brought together I.T. security experts from Michigan Medicine, Beaumont Health, Munson Healthcare, the Michigan Health & Hospital Association and security company CyberForce|Q.
The group shares information on threats and best practices.
“(Cybersecurity) is too big for a single company to take on themselves,” Weller said. “We acknowledge that. We have to be a team player and share what we’re seeing and other hospitals are sharing what they’re seeing and we get the benefits of it.”
Small, medium-sized businesses vulnerable
The growing number of successful cyber breaches is not necessarily tied to lax security, according to John Rolecki, partner and data security attorney at Varnum LLP.
Threats continue to grow in their sophistication and many small- and medium-sized businesses are struggling to keep up.
“More and more highly sophisticated criminals are targeting these mid-size businesses and it’s so important to have a plan and something in place before calling the lawyers” after a breach occurs, Rolecki said.
In 2019, public relations firm Truscott Rossman, which has an office in Grand Rapids, formed a coalition to work with small- and medium-sized businesses to help them prepare for and prevent cyber attacks but also to effectively work through them if they fall victim.
Truscott Rossman joined with Lansing-based Providence Consulting and law firm Fraser Trebilcock to form “Defeat The Breach,” which also utilizes additional services from Canadian digital forensics firm DFI Forensics.
The “Defeat The Breach” coalition estimates that 71 percent of all cyberattacks are committed against small businesses, and that 60 percent of small businesses that are breached will end up shutting down as a result.
Truscott Rossman CEO John Truscott emphasized the importance of training for all employees, but especially during the COVID-19 pandemic when cyber attacks have surged by 400 percent, according to the FBI.
“What we’ve found in instances of breaches or hacks or malware, so many people are working from home,” Truscott said. “They’re not thinking like they would in the office. They’re not as cautious when they see that email from a person and they don’t know who it is.”
The consensus with virtually any cybersecurity expert is clear: In this digital era, cybersecurity is now a cost of doing business — not a luxury line item.
“I strongly advocate that (small businesses) talk to an I.T. consultant,” Truscott said. “It may not happen this year or next year but it’s going to happen some time and you have to be prepared because it could be devastating to your business.”