Ransomware continues to be an ever-expanding threat to ERP systems around the world, especially when organizations fail to educate employees on behaviors leaving their information more susceptible to malicious software. While better practices can lessen ERP vulnerability, the structure of an ERP system, whether on-premises or in the cloud, can also impact the effectiveness of ransomware in capturing sensitive data. In this episode of The ERP Advisor, special guest, Security Awareness Advocate James McQuiggan, returns to join Shawn Windle in educating ERP users on protecting their software from the devastating effects of ransomware.
How Ransomware Can Hold Your ERP Hostage
What is Ransomware & How Does it Impact ERP?
Ransomware is malicious software designed to make your data unavailable. Data under the grip of ransomware is at risk of being unusable, deleted, or released to the public, putting businesses at significant risk. Hackers write code specifically designed to encrypt data files, typically by encrypting the header of each file. Any data or text file is susceptible to a ransomware attack.
Ransomware attacks can be devastating to ERP systems because the malicious code blocks data access, rendering the system useless. Without proper prevention, a ransomware attack can leave a business completely unable to access its data or use its ERP.
The two biggest risks are 1) you don’t have any reliable backup of your data and thus your operating data is being held “ransom,” forcing you to pay the hacker to get your ERP data back, or 2) the hacker threatens to release your sensitive data, including customer lists, onto the dark web which could leave you at risk of confidentiality issues with your clients or cause a competitive disadvantage. Therefore, simply having a disaster recovery solution to replace your data set will not necessarily prevent all ill effects of an attack.
How Do Hackers Get In?
While human capital can be an organization's greatest asset, it can also be its greatest downfall. Although many businesses have cybersecurity measures in place, human error can often put the integrity of a system at risk and leave data vulnerable to cyberattacks. Evil intent or a lack of education can dictate the risk an employee poses to their business, either of which can take down even the largest of organizations.
People are constantly in a rush, especially when it comes to work schedules where employees have meetings and deadlines, one after another. In the chaos of everyday tasks, it can be easy for people to mindlessly click through emails and complete requests without taking the time to verify the information. This careless behavior is a way in which hackers find gaps in an organization. Clicking on links from hackers or providing personal information enables them to download malicious viruses or use credentials to break into a system. Uneducated employees are much more likely to mistakenly allow hackers into the system.
Unfortunately, disgruntled employees can also pose a risk to an organization's cybersecurity because hackers will seek out these individuals to orchestrate attacks. This could be as easy as providing the employee with a flash drive housing malicious software and instructing them to plug it into the system. The code can quickly infect the ERP and destroy the system through the actions of a single employee.
Regardless of employee actions or cybersecurity protocols, hackers are constantly evolving to find ways into ERP systems outside of recognized channels.
Security On-Premises vs. In the Cloud
The on-premises versus cloud security debate is a never-ending argument in the ERP world. While each option can come with hiccups, cloud ERP solutions tend to be more user-friendly because the vendor carries the brunt of the security concerns.
On-premises solutions require robust cybersecurity mitigations to protect the company from malicious actors. This is a tremendous task and takes multiple technical people to protect the application. When a system is on-premises, it is even more important to educate employees on proper security standards because individuals have greater access to the system as a whole.
Hosting providers maintain and monitor cloud-based applications to ensure ongoing security compliance. However, this does not remove all responsibility from the customer. There are still risks associated with storing data within “someone else’s” computer. Hackers can still access your data through security gaps and the carelessness of employees, although it is less common.
It is still essential for cloud-based customers to remain current on the precautions vendors take to mitigate security risks. A good practice is to set up a yearly meeting with your software provider to review their security enhancements and receive clarification on their current cybersecurity protocols.
How To Mitigate a Ransomware Attack Once It Has Happened
When cyberattacks occur, businesses need to know what to do. If ransomware manages to take your data hostage, the hacker will first indicate their intentions and negotiation terms, offering either to provide the decryption key or to delete the stolen data rather than release it to the public. These negotiations typically occur in two parts, with two separate payments as settlements.
Hackers will conduct negotiations through the dark web, requiring bitcoin for payment and the use of a Tor browser, preventing authorities from tracking interactions or apprehending the hackers.
Some businesses will find themselves needing to involve the Federal Bureau of Investigation (FBI) depending on data sensitivity, business type, ransom set, and more. The FBI cannot guarantee successful negotiations or the apprehension of hackers, but they can assist businesses through the negotiation process.
The final step to managing a ransomware attack, or any other cyberattack for that matter, is to step back and assess the damage to the system and data. Security teams must mitigate the damage by taking inventory of the compromised data and assessing the overall impact. Executives must also evaluate the cause of the attack and work to prevent future burdens on the organization.
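The damage assessment described above, together with the header encryption described under “What is Ransomware”, can be started with a file inventory like the one below. This is an added example, not code from The ERP Advisor page or from KnowBe4; the extensions, ransom-note phrases, entropy threshold and the sample directory tree are assumptions constructed for the demo.

```python
"""Post-incident inventory of possibly encrypted files.

Added example, not code from The ERP Advisor or KnowBe4. It walks a directory tree and
flags (1) files whose leading bytes no longer match the magic number expected for their
extension, (2) files of unknown type whose header is near-random, and (3) folders that
contain a ransom-note-style text file. Extensions, note markers and thresholds are
assumptions; the sample tree in build_sample_tree() is constructed for the demo.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter

HEADER_LEN = 4096          # bytes inspected at the start of each file
ENTROPY_LIMIT = 7.5        # bits/byte; ciphertext is close to 8, documents are lower
MAGIC = {                  # well-known signatures for common business file types
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}
NOTE_EXTENSIONS = (".txt", ".html", ".hta")
NOTE_MARKERS = ("your files", "encrypted", "decrypt", "bitcoin", ".onion")  # assumed phrases


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_status(path: str) -> str:
    """Classify one file as 'ok', 'magic-mismatch' or 'high-entropy'."""
    with open(path, "rb") as fh:
        head = fh.read(HEADER_LEN)
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is not None:
        return "ok" if head.startswith(expected) else "magic-mismatch"
    return "high-entropy" if shannon_entropy(head) > ENTROPY_LIMIT else "ok"


def looks_like_ransom_note(path: str) -> bool:
    """True when a text-like file carries at least two ransom-note phrases."""
    if not path.lower().endswith(NOTE_EXTENSIONS):
        return False
    with open(path, "r", errors="ignore") as fh:
        text = fh.read(HEADER_LEN).lower()
    return sum(marker in text for marker in NOTE_MARKERS) >= 2


def inventory(root: str) -> dict:
    """Walk `root`; return suspect files (relative path, status) and folders holding notes."""
    suspects, note_folders = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if looks_like_ransom_note(path):
                note_folders.append(os.path.relpath(dirpath, root))
                continue
            status = header_status(path)
            if status != "ok":
                suspects.append((os.path.relpath(path, root), status))
    return {"suspect_files": sorted(suspects), "note_folders": sorted(set(note_folders))}


def build_sample_tree(root: str) -> None:
    """Constructed demo data: an intact PDF, an 'xlsx' and a '.dat' overwritten with
    deterministic pseudo-random bytes (standing in for ciphertext), and a ransom note."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(HEADER_LEN // 32))
    folder = os.path.join(root, "finance")
    os.makedirs(folder, exist_ok=True)
    with open(os.path.join(folder, "invoice.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"%% constructed placeholder body\n" * 20)
    with open(os.path.join(folder, "ledger.xlsx"), "wb") as fh:
        fh.write(noise)
    with open(os.path.join(folder, "export.dat"), "wb") as fh:
        fh.write(noise)
    with open(os.path.join(folder, "README.txt"), "w") as fh:
        fh.write("Your files have been encrypted. Pay in bitcoin at our .onion site to decrypt.\n")


def run_demo() -> dict:
    """Build the constructed tree in a temp directory, inventory it, then clean up."""
    root = tempfile.mkdtemp(prefix="ransom-inventory-")
    try:
        build_sample_tree(root)
        return inventory(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    report = run_demo()
    for rel_path, status in report["suspect_files"]:
        print(f"{status:15} {rel_path}")
    print("folders with ransom notes:", report["note_folders"])
```

Run `inventory()` against a restored or mounted copy of the affected share, never the live system, and treat the output as a starting list for the compromised-data inventory rather than a verdict.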
Planning & Educating to Reduce the Risk of Cybersecurity Attacks
The most important step in combating cybersecurity risks is to be proactive, not reactive. An incident response plan will prepare an organization in the event of a cybersecurity attack. To create an incident response plan, security teams must gather leaders within the organization and meticulously evaluate the role of each person during a cybersecurity breach. Run-throughs can then be conducted to ensure that employees can effectively uphold their roles.
The next step will be to increase the security culture at the company through training and education of the workforce. Employees cannot act in the best interest of the company if they are unaware of the scams that can plague ERP systems or how to detect the malicious actions of hackers. Companies like KnowBe4 will come into an organization and test the security knowledge of users by sending them simulated phishing emails and determining which employees fall for the scam and how often, along with other scenarios. These simulations reveal the shortcomings across the workforce and assist leaders in pinpointing the focus for education while building awareness around the importance of cybersecurity.
To prevent hackers from infiltrating the system, organizations should create policies surrounding cybersecurity and business practices. By implementing the Principle of Least Privilege, companies can limit who has access to what across the entire enterprise. The segmentation of information across the ERP system mitigates risk to the business if a single team or department gets hit. Ensure that employees are prioritizing cybersecurity by using private, secure networks, regardless of their working location, through the development of remote work protocols.
At an advanced level, organizations can implement non-phishable multi-factor authentication (MFA) to further protect their system. This form of MFA comes as a physical “key” issued to each individual; the key authorizes the user when plugged into the system, maximizing security efforts.
Cybersecurity can be well managed with thorough incident response plans and the education of your workforce. Without proper planning and preparation, businesses will be left fearing the possibility of their next attack.
Cybersecurity insurance is another way in which businesses are combatting cyberattacks because it can help cover ransomware and overhead costs associated with attacks. Unfortunately, in recent years, the cost of cybersecurity insurance has skyrocketed due to the sheer number of cyberattacks occurring every year. If your business can afford the costs of insurance, it is something that can pay out in the end and save a business from disaster.
Conclusion
The threat of ransomware and other cybersecurity attacks can leave businesses paralyzed in fear. With the significant number of cybersecurity attacks per year, it can be easy to believe that efforts to mitigate the risk of attacks are futile; however, this is simply not true. Detailed planning and preparation help reduce the odds that an employee will be scammed and increase the possibility of recovery once an attack has occurred.
Announcer 1: This is The ERP Advisor.
Announcer 2: Today's episode, How Ransomware Can Hold Your ERP Hostage.
Juliette: Thank you everyone for joining us for today's webinar, How Ransomware Can Hold Your ERP Hostage. Shawn Windle is one of our speakers for today. Shawn is the founder and managing principal of ERP Advisors Group based in Denver, CO. Shawn has over 25 years of experience in the enterprise software industry helping hundreds of clients across many industries with selecting and implementing a wide variety of enterprises. His podcast, The ERP Advisor, has dozens of episodes with thousands of downloads and is featured on prominent podcast platforms such as Apple and Spotify.
James McQuiggan is our special guest joining us today. James is a 20-year security veteran and security awareness advocate for KnowBe4, as well as a part-time faculty professor at Valencia College. James has achieved many certifications identifying him as an expert in the fields of cybersecurity and security awareness. He's previously worked as a product and solution security officer, information security analyst, and network security engineer for Siemens. There he consulted and supported various corporate divisions on cyber security standards, information security awareness, and securing product networks. On today's call, James and Shawn will help educate ERP users on protecting their software from the devastating effects of ransomware. James, thank you for joining me today.
James: Oh, my pleasure. Thanks for having me back.
Juliette: Yes, absolutely. Shawn is going to join us here shortly. He'll pop in, he's finishing up another meeting. October is cyber security month, and this is your third year joining us for this call, which we really appreciate.
James: Well, that's interesting because I just had my third-year anniversary with KnowBe4.
Juliette: Oh, nice very good. Well, we will have you back as many years as you will join us because you have so much great information to share with everyone.
James: Oh sure.
Juliette: Like I say, it's a little scary, well actually a lot scary, but very informative and a lot of good information, so thank you again.
James: Oh, my pleasure. Yeah, I mean the topic of ransomware is very scary. It does frighten a lot of folks. I've had many conversations with security practitioners and leaders and organizations, and they’re scared of trying to figure out what they do in the event of an attack and how to make sure they are protected. Essentially everybody is going to deal with it at some point in one way or another, so it's important to be prepared. It is a scary scenario, but when it comes to these kinds of things, I always try to steer it away from doom and gloom, and fear, uncertainty, and doubt. I always like to keep the atmosphere light. We all deal with vulnerabilities in life and with our systems and everything else, but I'm curious if your audience knows how you deal with the vulnerability with your jack-o'-lantern.
Juliette: I don't. I don't know if they know. Do you want to tell us?
James: You would apply the pumpkin patch.
Juliette: *Laughs* and that would solve it all right?
James: We wish, if only it was that easy. We've said for years “patch your systems, patch your systems,” but we know that is easier said than done.
Juliette: Without a doubt, without a doubt. So, let me ask you, James, because I'm sure there are people on this call that think they know what ransomware is, could you just give us a good explanation of what it exactly is?
James: Essentially, ransomware is malicious software that is designed to make your data unavailable. It goes through a process where the cybercriminals have written this malicious software, this code, and they varied it over the years. You've got different groups that are out there that are making their own, and they're essentially encrypting the data files. Not to get too down in the weeds of the bits and bytes of it, but what they're doing is they're encrypting what's called the header file in each of the data files, and that's why they're able to do it very very quickly. When they get inside a system or work their way into a network, and they do their reconnaissance, they're finding the systems and they're stealing the data and passwords and everything else. They're also looking to see what they can encrypt, and what value that would have, and then plan on holding that data essentially for ransom.
When they launch the encryption software, it leaves a nice little note behind saying “hi, your data has been encrypted. Here's the dark web or the onion website you've got to go visit. You need to use a Tor browser, and you're going to pay us in Bitcoin.” At which point you have to get the Tor browser and some Bitcoin which is a very extensive process to go through. But the cybercriminals want to get paid and that's why they do what they do. It's all about the money they want; they want to make their millions of dollars.
By encrypting data files of course you're unable to use it. It's not available to you, and you're stuck in a position where either you're going to pay or you're not. And the whole process goes by very, very quickly. One of the things I do with my students at the college I teach at every semester, is, I give a lecture on ransomware. I actually demonstrate the ransomware attack on a system I have. I've downloaded ransomware samples from a variety of different groups over the years, and have found through the dark web, and I launched one of them against my own virtual machine system. It's isolated, off my network, but it's running. I launched the encryption and the data that I have on there is about 40 gigabytes, and it only takes like 10 seconds to fully encrypt all 40 gigabytes. It takes about a minute for it to finish its whole process and everything else. So, it's very, very quick when they go to encrypt a particular system. So, it's hard to stop it unless it starts spreading, and you can stop it from spreading to other systems, but when it goes to just attack one system, it's very difficult to stop.
Juliette: Yeah, but how would you even know? Would you be sitting in front of your computer and know that it was happening? Doesn't it happen when you least expect that kind of thing? Or you try to open your computer in the morning when you get to work, right or not?
James: It's going to happen when the cybercriminals are ready for it to happen. When they launch the malware, they've done everything they want to do with the system, then they launch the code, but they're going to do it at a time when they know people would be watching. Even if they launched it at three in the morning and you came in at eight or nine that morning, you would see the servers are inaccessible. You can still get to the server because the operating system is running, but any data you try to access will no longer be available because it’s encrypted. In every folder where you have data, and on the desktop, they leave you that nice little text file that says “hi, we've made your data unavailable. This is where you need to visit. This is how much money we want and use this key to communicate with us.”
Juliette: Right?
James: The way they do it is funny, funny weird not funny haha, but some of the groups out there have their own chat capability when you go visit their website it pops up and says “hi, are you here to pay a ransom? If you have any questions, let me know and you can converse on a web chat platform to negotiate.” Whether you're going to say, “look, you're asking for $40 million, we don't have that. We can pay you this,” so it's interesting that you can negotiate or try to negotiate with them. Which is because they want to get paid, and they're going to leave it, so you know you've been attacked and how you need to respond.
Juliette: Wow, and I mean we can ask this maybe later, but let me ask this now just quickly, do most people pay?
James: It depends. People that do pay do so for one of two reasons. One, they don't have any other recourse, or two, they don't want their data put out on the Internet. Nowadays what cybercriminals are doing is they're extorting organizations through various ways. They're extorting them by saying “we've got your data. If you want the decryption key, send us the money,” and they pay because they want to be able to decrypt the data. If they don't have backups or any way to recover from that, they're at the mercy of the cyber criminals to give them the decryption key.
They're now adding in additional levels of extortion, where they say “you're going to pay us to give you the decryption key, and then you're going to pay us so that we delete it. So that way we don't release it to the public and for everybody to see,” and that's another reason why the organizations, the victims, are going to pay up because they're being extorted. If it's data they don't want leaked out for the whole world to see and available for anybody to download, they end up paying.
Juliette: Wow, Oh my gosh. Scary for sure. Yeah, Shawn, I see that you joined. Are you there with us?
Shawn: I sure am. Hi everybody.
James: Hey Shawn.
Juliette: Hi, hi welcome.
Shawn: Good to see you, James.
James: Always a pleasure to see you.
Juliette: So, Shawn, let me ask you quickly what's the significance of ransomware and how it relates to a company's ERP system. Can you talk to us a little bit about that?
Shawn: I can, unfortunately, through some experiences that we've seen in the last year or so. James, I had to update you on some of these things. I mean you probably get lots of updates from all your friends. They're like, “hey James, guess what happened?” You're like “don't tell me all the bad news. Tell me good news,” but I know it's good. Part of it is like we get all the calls on the failed implementations. People are like, “oh hey, that didn't go well.” I'm like, “well, you know.” Anyway, I think what we have seen, Juliette, is on a couple of ransomware attacks where basically somebody downloads whatever they download or whatever they do. I think James and KnowBe4, congratulations by the way, from before with that little purchase. But so, a ransomware virus gets released or sort of attacks the network, right? And on that network or on the servers in the network is the ERP. And the ERP is just another app that can get encrypted and held hostage, just like James was literally just talking about if the system is on-premises.
I mean that did happen to a client of ours and it was really, really bad. Really bad like they did pay the ransom, and they tried to rebuild and everything else, and they could barely, barely, barely do it. It took a long time, and it was a nightmare. We had another client that got hit with ransomware who had their PeopleSoft instance on their local servers, which I think were their servers and their data center, and again same thing, ransomware came in. But there are these devices on the exterior parts of the network that James knows a lot more about than I do, where they were sensing “whoa, there's all this crazy activity! Shut things down!” They start shutting off and partitioning out the network where the app was actually saved so it didn't get hit with that particular virus.
That was good in that at least the app itself didn't have to get rebuilt. Of course, the rest of the network did, and for that one, I think they even called the FBI. They called the FBI because it was a utility company which brings in a whole other level of issue because of protection and government stuff. But then the third client that we just implemented NetSuite with, they were coming off an on-premises version of SAP Business One and they were in NetSuite. They got hit, no effects to the ERP at all. Therefore, one could say “oh my gosh it's better to be in the cloud,” and there are certain aspects certainly in this world around an individual organization getting hit with ransomware, right? They're going to be more susceptible to it than say Oracle or Microsoft where our software runs in their network. So those are just some 3 instances I can think of Juliette.
Juliette: OK, well, let me ask you this, you mentioned on-prem, if everything is in the cloud, do they still have to worry about a ransomware attack? Or even if they have a newer ERP system versus an older ERP system, can you talk to us a little bit about that?
Shawn: Yeah definitely, and James can probably add some thoughts here too, but the cloud, and again what is ransomware, especially with how it starts off, James is the expert here, but I've seen this phishing attempt or even heard about a guy. Maybe you told us this a couple of years ago, James, but there was a story about a guy who worked at a large electric car manufacturer, who was being courted by some cyber…
James: By Russian operatives.
Shawn: Russian operatives.
James: It was a worker that worked on the floor that manufactured Tesla batteries. They were a third-party vendor, and he was approached by a Russian agent to take the thumb drive and plug it into the computer on the shop floor. The flash drive would then access the computer and establish a connection back to wherever the guy’s agency was. So, then they could gain access to that system, and from there look to steal information off the system or network that was all part of the plant. And they approach the person because he was a disgruntled employee.
They had seen on social media he wasn't happy where he was working, and the rate of pay or whatever it was. They approached him, and they leveraged social media to find this person. But apparently, he wasn't that disgruntled because he turned in the drive and information to his security team, who then contacted the FBI and they set up a sting and arrested him. That is the insider threat aspect in another way the cyber criminals like to try and get in. Whether nation-state or criminal groups that will reach out, they'll go online and look at LinkedIn, social media, Reddit, forums, and wherever else. If they come across somebody that's disgruntled, they'll reach out and go, “hey, we'll give you the software and you plant it for us,” because that's a lot easier than trying to hack in through the technology and get in through social engineering. They got somebody that's ready and willing and able and they do it. We've heard, and I've seen the information in the stories regarding the attempts; I haven't seen that it's actually been successful yet.
Shawn: Well and you never would too. It's one of those things where if it happened, and that's where I was going, is you think about everything that that particular cybercriminal was willing to go through. Go to the AP clerk, who's upset, just like you said disgruntled or whatever it is, and go “hey, can you download this for me?” “Oh no, no.” Well, maybe there's no money in it for you or whatever.” So, there is this human perspective of ERP security, right? And we're not just talking about multi-factor authentication, but like people; and that's the hard part.
But we're on-site in Charlottesville, VA--it's actually quite pretty out the window today, hence why I was a little late--and we're talking with lots of employees here. All of our clients, we talk with folks across the board for all the companies we work with, organizations, nonprofits, etc. And sometimes you can see the people that maybe aren't very happy and that might be more inclined to do some things, and you kind of know it, but you kind of don't want to confront it. But then you hear the stories that James, unfortunately, has to bear, and you start to realize, "whoa, it's not just this ransomware and these attacks that come in through the network, but it's through my people that I just have to be aware of.” So definitely training, keeping a keen eye on what's happening with people, making sure satisfaction is good. Grant, who's sitting here with me, don’t get any ideas.
James: Yeah, insider threat is a whole other can of worms. I've talked about it many times and being able to look at your HR records, looking at your own network and system logs can lead you on a path to see where your insider threats are. Policies help as well. Having those HR policies so folks are aware of what they should and shouldn't be doing, and what the implication could be because if you’re caught stealing information just because you're leaving to work for another company, there are legal issues; cease and desist. You could be charged with IP theft and everything else.
Shawn: Yeah, but it does go back to what you said Juliette about cloud versus on-prem and you've got people everywhere, but there are the technical aspects that I do think, from my own experiences like the three I just said, the cloud systems have just implicit, I'm just going to say it, more security. Because those guys are in the business of keeping apps secure, whereas our clients are in the business of manufacturing whatever they manufacture. When you have software vendors that are dealing with billions and billions of attacks each minute; these are bots that come in, and maybe it's only millions. They know what they're doing, whereas none of my clients have that kind of resource. None of our clients can actually put up those kinds of defenses, that being said, there are peripheral devices on the network that can sense these different types of activities happening. But going back to training the employees so they know what they're doing, I think that's super key. The other thing I think about too, even with our own systems, “does anybody care about my customer list?” Not mine necessarily; we mostly put our customers up on our website already. But especially the closer to whichever government you're doing business with, it does become super sensitive information.
James: Yeah, and if you're an organization that provides a lot of services to thousands of other organizations, you become a target. We look at SolarWinds; they got into the code, were able to pass along, and gain access to a whole slew of other organizations like Fire and Microsoft and so forth. I want to add on to what you're talking about the cloud. The running joke with me is the cloud is just somebody else's computer. So, if you have your own instances of cloud setups, like you’re using Microsoft, or Azure, AWS, or Google, they aren't going to help you with security; they are going to provide you with the infrastructure. You have to still make sure that you're securing your access rights, and who logs in. You want to make sure you're still securing and backing up the data. Those organizations are going to provide the infrastructure for you to run your application or have your data or whatever it may be.
It's up to you, as the owner of that system, to make sure that you're locking it down, you're restricting access, multi-factor authentication. You've got your backups when you start looking at organizations that provide software as a service, or x as a service, their infrastructures like Microsoft, Azure, Oracle, Salesforce, or whoever, have their own security programs in place to protect your data. And so, if you're utilizing those software services, they're going to have security programs. But then for you, if they are impacted by any type of breach or attack, that's going to have an impact on your organization as well. So, it’s important to consider that along with your supply chain and third-party vendor risk management programs.
Shawn: You know, actually on that point, Juliette, if I may too, James, there was a major enterprise application vendor who did get hit with ransomware within the last couple of years. And I mentioned that story to a group of CFOs when we were speaking at Financial Executives International, FEI, and a person from the audience said “so, what do we do about this?” And I'm like, “well, I mean, you can get the SOC 1, the SOC 2 report. You should talk to the vendor; you know they really want to talk to you during the sales process. Afterward, good luck trying to find somebody that knows what they're doing,” but she said, “you know I think I should just talk to him once a year.” And I just thought that was such a great idea, right? Because these enterprise applications become this mammoth, like such an important part of the business, everybody's accessing these systems, they're running the business, they're automating processes, yadda yadda, and all the normal stuff we talk about. Shouldn't you know what they're really doing? And the answer is yes. So, it's almost like, “oh gosh, I can't believe I haven't been doing that.” That's how I always feel on our calls James; oh God what have I not been doing?
James: Well, I mean when you look at this from your third-party risk management program, you've got your ERP. This should be a part of that risk register when you've got remote connections you're connecting to and they're connecting to you. You need to have that as part of your risk register that you're reviewing and having conversations about. Whether it's asking for an update or providing the latest SOC 1, SOC 2, ISO, or other certifications. If you're in medical, your credit card transactions, PCI, those kinds of things. You're also dealing with GDPR, so you want to make sure within that third-party risk management program you're going through and monitoring, auditing, and reviewing it on a yearly basis. And if there's any kind of incident that impacts your data, you need to know about it, and that's going to go into contracts. I flashback to my years at Siemens where I dealt with a lot of remote access and made a lot of the contracts with regards to cybersecurity for compliance reasons, and there were always those requirements of making sure there was an audit, there was a review, there was continuous monitoring going on, and everything else. That has to go into your contracts, and then a part of your TPRM.
Shawn: Yep, yeah. I mean at the end of the day you’ve got to set it up where you know the vendor is contractually obligated to provide the appropriate level of security. And then I think what I would add, based on that conversation we had with that CFO, is just have a very general conversation. Reach out to your account representatives, your account management organizations, whatever they're called for your key apps, even if they're in the cloud, and say “I want to talk to your security people about what you guys are really doing.” Don't let that person have that conversation with you; it's not going to go very deep. You specifically say, “I want to talk to your security organization about what's really happening.” “Ok, well, we'll give you the SOC 1, the SOC 2.” “I understand. Now I'd like to have a 15-minute conversation to hear more of what it is beyond what you're contractually obligated to do.”
James: It builds that rapport in that relationship too.
Shawn: Exactly, yeah. I think that's the whole thing this is about, James, is like, are you ever safe? If you walk outside the building, and boom, something falls on you, whatever. You think crazy things happen, right? Especially around ERP systems. But the more proactive--I mean Juliette, you always have key points as we go through this--the more you know what you need, the more you're out there talking to these people about what's really happening, stuff still happens, but at least you know.
James: For sure.
Juliette: Right, right. Well, along those same lines of talking to your vendor and knowing what's available for your system, should you do that once a year? Check in with your team of employees and do specific training, or is it recommended to maybe just test them and send them emails, and see if they fall for anything, or could it be both? What are your thoughts on that, James?
James: So, with regards to ransomware, or with regards to your third party, your connections, everything you're doing, incident response plans are key, and I'm going to kind of come at this from two perspectives. One, dealing with incidents, and then two, educating your team. Your incident response, and again this goes back into your risk register and your ERP, is looking at what the biggest threats are to your organization. What are we susceptible to? Are we susceptible to ransomware attacks? Are we susceptible to social engineering? Are we susceptible to our internet-facing systems being exploited because we're not patching fast enough? Whatever it may be, you're going through and then looking at those incidents that can occur and you're doing threat modeling exercises. You’re figuring out “ok, if they attack us, how are they going to do it?” So, you can plan what your response is going to be. If your organization, your ERP system, or your on-prem file servers get hit with ransomware, what is the first thing you do? What's the second thing? What's the third? Whom do you call? Don't say Ghostbusters; who do you end up calling?
Who is the first person that's called? Who's the second? What does that tree look like then? Are you shutting down the system? Are you disconnecting the network? Having that play-by-play, and knowing what everybody's got to do, and how you figure that out is you all get together in a room and you go through and do what we call a tabletop exercise. You go through as if it's real. You put everybody in the room with their computer, and you go “ok, go. We've just discovered the SOC, Security Operations Center, just called us; four servers have just been hit with ransomware. Our website is gone, our social media presence is dwindling, we've lost our file servers. What do we do?” And you basically go through, and everybody learns or reviews what their role is and what they're supposed to do. That way when it actually happens you know what to do.
I may have said it before on this call, and I know I've said it before in another presentation: there's a reason when you get on the airplane they go “the exits are here, here, here, and here. In the event of a water landing--which always cracks me up. A water landing: you crash--but anyway, in that event you put on the life vest. This is how you blow it up. This is how you wear it.” They go through that so you know when it actually happens, you can kind of remember and go “oh right. I’ve got to get my life vest, tear it open, throw it over my head, wrap it around, and off we go.” That's the same thing you want to do with your teams, and that's your Infosec team, your IT team, your businesses, your C-Suite, your communications, your legal team, all of them. Anybody that you need, you get in that room. But you go through those scenarios, whether it's a ransomware attack, or a data breach, or a loss of a particular system; you're going to have different people, different times that are going to go through that exercise. And then you document it, and you learn from that, so when it does happen nobody's freaking out going “ok, whom do I call? What’s the next thing we had to do?” It's all documented, and while we hate planning for the worst, you've got to do what you’ve got to do.
I live in Florida, and we get hurricanes that come through every now and again, and we have that hurricane prep plan. It goes “ok, this is what we're going to do. This is how we do it,” and being prepared takes care of a lot of that. Now from the training perspective of your users, you want to assess how well they're going to react to a phishing e-mail because that's the common way; a majority of the attacks we see are done through social engineering, and you want to train everybody in the organization. Everybody from the boardroom down to the mailroom; everybody has to have that training.
There are different styles and perspectives on it, but everyone has to be doing it, and everybody has to have those assessments going through. Doctors, lawyers, rocket scientists, CEOs, board room members, security people, IT people, we've all clicked on those links. We've all fallen victim to it, and a lot of the time people end up doing it because they're rushed. We know that “I’ve got to hover over the link and check,” but it's because you are rushed. You're in a situation where you’re trying to get the e-mail out and another comes in, you're like “what the heck is this? Benefits changing? Let me have a look,” and you end up clicking on it.
Juliette: Oh boy.
James: It was a Wednesday, at about 11:59, I was waiting on a customer on a Zoom call, and I had an e-mail pop up that said, “your customer is waiting on your Zoom call.” I'm sitting there going “no, I'm already in the Zoom call,” and I'm like, “am I in the wrong call? Are they in the wrong call?” 10 minutes ago we were about to start this meeting; I close it out, go into the e-mail, bring it up, and there it is, “click on the link to join the meeting.” Fine, I click on the link, and up popped the KnowBe4 login box.
Shawn: Ohhh no. Gotcha!
Juliette: Oh, oh no.
James: Cold sweat just ran down my back because I was sitting there going “no, uh-uh, no way this couldn't have happened,” and I closed out the box.
Juliette: You of all people James.
James: And I go back, and I hover over, and sure enough it is one of our phishing assessments. So, at this point, I am like shocked. I'm denying it going “no, no, can't be that bad. I closed out the window and didn't give them their credentials. Yeah, I clicked on the link, but I closed it out pretty quickly.”
Shawn: Right, exactly.
James: And then I get angry at myself because I fell victim to the scam. I get angry because now I’ve got to do the training.
Shawn: *Laughs*.
James: And then I'm angry at them for sending me this e-mail right at a point where I'm about to start a meeting. I was rushed. I rushed myself into that situation and didn’t take the time to check.
Shawn: Yeah.
James: I eventually accepted it and went “ok, from now on, I'm going to always check the link. I'm going to look at it and go ‘am I expecting the e-mail? Do I know the person sending it? Are they asking me to do something in a hurried manner or do I feel hurried that I have to react to it?’ And if any of those are meeting a certain criterion, then I am stopping and slowing down and checking that link. I am checking whom it's coming from.” I have to then take that opportunity to learn from the mistake I made. And it wasn’t a gotcha moment, it was a teaching moment, as much as I hated that. But it was important to be able to accept that, and essentially, I went through the stages of phishing grief as you compare it to grief in general. There's one I didn't cover and that was bargaining, and you can't bargain with the IT folks.
Shawn and Juliette: *Laughing*.
James: But you experience it and it’s frustrating, you get angry and you're going to have angry users when you do those assessments. It's important they learn because we've had these old habits we've done with e-mail for years, and we have to create new habits, and changing habits is not easy because we try to do it on December 31st every year, right? Everybody knows what I'm talking about. Changing those habits requires frequency; you’ve got to do it often and regularly and you've got to work at it. So, in the same sense, you’ve got to have your incident response plans and run your team through them.
You’ve also got to do these phishing assessments and make sure, you know, people understand the reason behind it and that you're not doing this to trick them. You're not doing this to go “haha, we got you!” No, this is so that we can educate you and learn. Yes, you are going to be upset because you clicked on that link. It's a fact of life because you feel that you've been scammed, you've been had. We all consider ourselves smart, intelligent people because a guy walking down the street in New York City opens up his coat and goes “hi, you want to buy a Rolex?” Yeah, you know that's not a real one, or a Gucci bag, or whatever it may be. And you're not falling for that scam, but when you're in a rush and you're hurried, and you come back over and click on that link and then you go “oh shoot,” you know?
Juliette: Oh boy.
Shawn: *Laughs* it hurts, it hurts.
Juliette: If you could be fooled James, that means anyone can, right?
James: You're right, anybody can.
Shawn: I bet Juliette hasn’t though. You are so good about just being careful and aware of stuff. Do you know if you’ve hit something like that before?
Juliette: Me? Oh, I don't know, how would I know?
Shawn: Well, you know cause after you do it, you're like “oh my God I can't believe I just did that.” You actually do know, I think.
Juliette: Do you?
Shawn: Yeah, I did something six months ago because I was rushed; the bank says blah, and I clicked on it. I'm like “ok, this is phishing,” but I'm like, “oh no, it's whatever,” click it, go to the site, like “oh this is phishing, oh no, this is the site,” mocked up, and then start doing stuff. I did it and like “oh it's fine, whatever,” and I zoomed on to the next thing, and then I like bolted out of bed at 2 o’clock in the morning like “oh my God, I think that was phishing,” and so I went back into it and I started clicking stuff. There's the home page for the bank and I start going over all the other stuff and nothing's working; it should be showing links and whatever to go to other parts of the bank. It is not working. Like good news is--I mean I don't know about that one.
Juliette: Oh no.
Shawn: That one, James, would have had me in a heartbeat, what you did. But usually, these things have weird capitalization, or there's something that makes you think “are you guys like even speaking English?” You can usually figure that stuff out; like Eric has talked about that, but yeah, that one got me, and like you just knew. I just knew later, it took me a bit and I had that lag, but it was the same.
James: Usually when you get an e-mail and it's coming from your bank or it's coming from an organization that you work with, social media, financial, don't rely on the link in the e-mail; go visit the website.
Shawn: Well, it was a text. It was even worse because I was doing stuff in the bank earlier.
James: OK.
Shawn: It's like, “hey, send me the code” and I'm like “how do I know who you are? Oh, you're my wife, I guess that's ok,” but then anyway, I think Juliette's going to be the model citizen because she's calm, cool and collected.
Juliette: Mmm, not so much. Wouldn't that be nice?
James: I'll take that as a challenge.
Shawn: Oh!
Juliette: Oh James!
Everybody: *Laughing*.
Juliette: Oh Gee, thanks a lot.
Shawn: You are so screwed, Juliette.
Everybody: *More laughing*.
Juliette: I’m not opening any more emails.
Shawn: Don't give them the quick fix.
James: And that's funny you say that, Juliette, because that’s a typical reaction/response when you have people fall victim to the phishing assessments. They go “that's it, I'm never opening another e-mail. Forget it. I'm going to send everything to IT.” What it comes down to is “ok, you know that there are dangers in e-mail, we just need to kind of polish it a little bit. You're there, we just kind of need to firm up some things.” It's like, yeah, you'll get your e-mail, you'll open it up, and it'll be saying “you just won a new car, click on the link.” Well, yeah, we know that's bogus. But then it could be an e-mail that Shawn sends you going “hey, we want to get some gift cards for the clients I just met with today.”
Shawn: That happened. We have had three people in our business get a text, a text from me.
James: Got a text, yep.
Shawn: Yeah, yeah, one of the guys was like “I'm not so sure.” It was kind of, not funny; but it was five! Erica says five people.
Juliette: Oh boy oh boy.
Shawn: They were like targeting people.
James: But the other thing they'll do is just send you an e-mail. So, it'll be an e-mail that appears to come from Shawn to you Juliette, and goes “are you in the office today?” and you go, “yeah, I'm here today, what's up?” And that's how they hook you.
Juliette: Oh boy.
James: And now because you think it's Shawn, they're sitting on the other end going “ha ha, we got her,” and then they'll do something else that will continue to build rapport. No links, no attachments, no requests, just carrying on the conversation, and it'll be like two or three things down the line, but very quickly, within half an hour, the ask will come in. And you'll be like, “oh yeah, sure, no problem,” boom. Or it'll be a link going “hey, I got the new contract from company X. Can you just give it a quick review,” or whatever might be in line with what your response was. “I got Bruce Schneier to be on the podcast next month, here, check it out.” “Oh great. Bruce Schneier, top security guy.” Click on the link, and that’s kind of how they get you.
Juliette: Oh man.
James: Even then, you have to be aware if the e-mail comes in and goes “hey, are you in the office today?” or with a request that doesn’t have a link or an attachment or anything else. It's just always important to have your Spidey sense, because I'm going “something’s not right about this,” and then when you hover to check the e-mail address, you'll see that that’s not Shawn’s e-mail address.
Juliette: Oh right.
James: It'll say his name, but it won't be his e-mail, it'll just pretend to look like it’s coming from him.
Shawn: I actually think Juliette will probably never be in her e-mail again after this call. That was me last time we did this call, James.
Juliette: It's any of our calls with James.
Shawn: I have tremors, I know. But it's so good to talk about this now, right? And even from an ERP perspective, this is why you’ve got to have users in certain roles. We don't talk about this that much, but if you're limiting the access that people have, if something does occur, God forbid, at least they don't have access to everything.
James: So that principle of least privilege.
Shawn: Yeah, there you go. So, there are things to do. I mean, it's easy to feel like a victim in all this stuff, but I think, like you said, getting a plan together makes a ton of sense. And I do think talking to the vendors is huge; I think just demanding that kind of relationship with them is good anyway. Definitely, password protection, multi-factor authentication, all the typical stuff, but I think the biggest thing you said, James, is we’ve just got to be aware of what the heck we're doing. If you're not, go take a walk or something, don't try to keep working.
James: Right, right. And when we talk about MFA, we have to start considering non-phishable MFA. Now I know that's probably going to have some folks go “huh?” A non-phishable MFA is when you get a code from your app. They're looking for ways where, say if you've got an SMS code coming in, they can intercept it. There are ways they can intercept that; there are ways that they can hack MFA when you log in, even to what appears to be a legitimate site. They can, if they're on your system, steal what's called the session from your system and use that to gain access into the system.
One of the ways they're doing a non-phishable MFA is you have a hardware token in your computer, and that has to validate as well. It's what we've gone to at KnowBe4 for our systems when we log in every day; we have to use the hardware token to be able to log in. It's not getting a code from Google Authenticator or whatever, and so it's kind of starting to step the game up a little more.
So you want to start looking at non-phishable MFA to really, truly protect it. MFA with the SMS and Google Authenticator, or the app, is fine, but if you've got really sensitive systems, and you really need to secure them, you want to have hardware tokens or non-visual MFAs. That way somebody can't try and send some other code and get you to log in to another site where they try to steal that session. Now I really freaked everybody out.
Shawn: I was going to say, I was fine. I kind of got over it, but now I’m like “we're screwed.”
Juliette: *laughs* oh my gosh, that’s right. Well, we could continue this conversation. I'm going to ask one more question, and then we might have to wrap up, but is there insurance that companies can buy to help protect them if they're hit by ransomware?
James: If you'd asked me that question a year ago, I would have said “yeah, definitely; go for it.” The problem is cyber insurance; the premiums have skyrocketed in the last year. They have gone up so much, not only because they've been attacked, but so many organizations have been hit that had insurance. The cybercriminals knew that the organization they were targeting had cyber insurance, so they knew they'd get their money because the insurance company would pay. You had certain cases where you were insured, as well as for the amount of money you were being ransomed. Usually, the ransomware policy would cover your overhead work. What you've got to do, your operational work, you've got to bring in a third party and pay your folks overtime. You've got to get new servers, you've got to do this and that, etc. That's what that insurance covers, but then you still have riders that could cover the actual cost of the ransom. So, if you had to pay $1,000,000 or $500,000 or whatever, that way the insurance was there to help, but because there have been so many issues the cost of insurance has gone up tremendously, and it's been extremely problematic for a lot of organizations.
Juliette: If a company was willing to pay the premiums, does it pay out in the end if you needed it?
James: It can, but the funny thing is, and this is always interesting, when it comes to ransomware attacks, if you've got to pay out millions of dollars, if you take 10% of that and put it back into the organization for additional training, code development, security code development, back into your users, etc., it would go a lot further than giving $1.8 million or $100 million to cybercriminals, because now they're just going to buy the new Ferrari and Lamborghini; and a lot of organizations look at it as reactive, not as proactive. But if you can have the security awareness training and phishing assessments and try to get your users to essentially become a human detection and response system, that’s what you want.
We've heard of EDR systems and XDR, what we need here are HDR systems, and that's our humans. Our human detection and response systems. We need to have the security culture growing within organizations and in our lives. It's not easy, it's way easier said than done, but we want to start increasing the security culture within organizations, so folks are keeping security at the top of their minds. That they are going through and checking their e-mail and not being worried that "well I'm not going to open up my e-mails anymore,” but knowing they can have the confidence to go through, find, and spot phishing emails. If you kind of took more of that and put it into training and did more to grow the culture in the organization, that would certainly make the organization more secure. And along with the tech paralleling the technology.
Juliette: Wow, oh my gosh. Well, I think we are almost at the end of our time so I'm just going to ask one last question. Do you have any parting words for our listeners related to ransomware and ERP, anything to protect their business, their employees, their data, what have you?
James: “Don't click on,” oh wait, never mind. I’ll kind of reemphasize what I talked about. You've got this technology in your organization. You want to make sure you're using multi-factor authentication, what we've talked about, to protect those critical systems. You want the principle of least privilege. Make sure you're doing tabletop exercises; you have your incident response. That way people know what they're doing ahead of time. Keep your systems, especially the internet-facing ones, patched and up to date. Make sure that you don't have the remote desktop protocol exposed to the Internet; cybercriminals can now use that to get into the organization. And train your users. Getting those users educated, they're not going to like it because “great, now I’ve got to learn something else,” but again, it goes back to that culture. Speaking of the patches, I don't know if anybody knows how to fix the jack-o-lanterns.
Juliette: Oh yes.
James: You apply a pumpkin patch.
Shawn: I love that.
James: Did I say that one already? Sorry.
Juliette: I love it.
Shawn: I would say, Juliette--I mean, James is the expert and it's always a pleasure. It's always a little spooky. That's why we do it in cybersecurity around Halloween. But I would say that we spent a lot of time talking about legacy ERP applications over the last year. I'm just going to kind of say it, a legacy application is a bit of an indicator of the investment in IT we do as an organization. You say, “we're running on an old software solution,” oh ok, fine, you know. And usually, people call us when they're like, “oh yeah, the person that wrote it just hit the lottery,” hopefully, right? Usually, they want to retire; very rarely are they dead, but sometimes that does happen. I hate to say that, but it does happen.
Grant and I were at a client recently where the guy who didn't write it but was there, and we met him, and we're like “oh my God. Is this guy like going to go cuckoo or what?” And your whole $500 million business is running on this whole thing. It's sort of like the ERP application, the patching, the upgrades; there's a reason why we need to upgrade these applications. It's not just to pay our implementation partners more money for an upgrade, it's that there are security patches. There are vulnerabilities in these apps that over time you and other people pay maintenance for. Then they figure this stuff out and you really do have to take advantage of it. I would say it's not, I choose my words wisely here, but it's just a little bit of negligence to be on an older product, not just because it doesn't meet our needs for our business, or we've outgrown it or its functionality, but especially in talking here to James, it's because it leaves us more vulnerable to security risks. So that's the last piece I would end with on my end. I always try to make it up tone at the end.
Juliette: *Laughs* that’s right, if possible.
Shawn: But the legacy ERP, I think I've seen this over and over and over, it's just yet another reason why organizations have to say, “you know what, we cannot do this anymore. Not just because of the normal reasons but also the security risks.” So just watch out for that. The good news is lots of good apps, the cloud does help, but like James said, there are still some risks there. Even with on-prem systems, there are things to do for sure. Nobody has to be a victim of all this. There are things we can all do, including praying, and then we're fine.
Juliette: All right, well thank you guys so much for joining me today, and then, James, same time, same place next year?
James: I’ll put it on my calendar.
Juliette: Alright, we'd love to have you. Very good, well thanks everyone for joining us for today's webinar. Please let us know if you have any questions. We're happy to help in any way we can, and I can get you in touch with James if you have any further questions; he’d be happy to help too. Be sure to join us for our next webinar scheduled for Thursday, November 10th, ERP Customization Conundrum: Best Practices for Implementing Your ERP System. We will discuss how to prevent the downfall of your ERP system through the application of best practices. Please go to our website erpadvisorsgroup.com for more details and to register.
ERP Advisors Group is one of the country's top independent enterprise software advisory firms. ERP Advisors Group advises mid to large-sized businesses on selecting and implementing business applications from enterprise resource planning, customer relationship management, human capital management, business intelligence, and other enterprise applications which equate to millions of dollars in software deals each year across many industries. This has been The ERP Advisor, thank you again for joining us.