The Unfortunate Example of Riviera Beach
Riviera Beach, a small Florida city of approximately 35,000, is the most recent unfortunate example of what can happen when a municipality, business or organization is the victim of a ransomware attack.
In this case, a city police department employee unwittingly opened an infected email attachment sent by hackers, which immediately paralyzed the city’s email, phones, utilities, payment applications, etc. After struggling for a month to restore and repair the systems, Riviera Beach ultimately agreed in June of 2019 to pay the ransom of 65 Bitcoin (about $592,000 at the time) being demanded by the hackers. All indications, however, are that the ultimate cost of this event will be far greater.
Larger municipalities and companies have experienced even costlier ransomware attacks recently, including the city of Baltimore, which paid $18 million to repair a similar breach. What’s worse, there’s never a guarantee that hackers will release data or unlock systems in these kinds of cases, even when a ransom is paid.
Three Lessons Learned for Small Businesses and Organizations
So, what are the lessons to be learned from this recent ransomware attack?
It can happen anywhere, at any time, to anyone
Keep in mind that 40% of cyberattacks target small businesses (fewer than 250 employees) and that more than half (53%) of U.S. businesses have experienced a cyberattack in the past year. Even news of larger breaches – such as the Riviera Beach or Baltimore attacks – should be a reminder that cyber risks are risks for all of us.
Phishing is one of the most significant risks to address
Any time hackers disguise their identity and motives to lure an individual or organization into giving them confidential information, computer access, or even money, that’s called social engineering.
Phishing – typically done via email – is one of the oldest forms of social engineering, but it increased more than 500% in 2018 alone, making it one of today’s most significant cyber risks. The Riviera Beach attack was initiated through a phishing email.
Why is phishing a particular problem? Mainly because it’s simple and increasingly lucrative for hackers, and because it relies on human trust and error – both in plentiful supply.
Effective training is the first and best defense against a phishing attack
Employees of a business, company or organization need to be trained on understanding, recognizing and avoiding phishing attacks. This training should be comprehensive, consistent and ongoing.
Here are some good steps and best practices:
1. Teach employees that a successful phishing attack can debilitate a business and even cause it to fail completely. Examples like the Riviera Beach attack and similar cases are very helpful in this regard.
2. Teach employees how to spot a phishing attack. There are many tools and methods to help with this task.
3. Teach employees to avoid attacks through cybersecurity best practices. Examples include:
Making the Complex Simple
Even with these lessons learned and acted upon, cyber risks will continue to be an issue for any company, business or organization. Knowledge and prevention are key, but inevitably the right advisor and the right insurance coverage are still necessities.