This article was originally written for Alaska Contractor Magazine.
In Alaska, cyber attacks are becoming more and more prevalent. In 2018 alone, there has been an alarming number of cyber attacks in the state. In June, the Alaska Department of Health and Social Services was hacked, compromising over 500 Alaskans’ sensitive information. A month later, the Matanuska-Susitna Borough’s computers was riddled with multiple viruses, ransomwares and malwares. In August, the City of Valdez’s electronic data was infected by crypto-ware, a virus that encrypts the data so it becomes inaccessible.
Eric Wyatt, director of the Information Technology department for the Matanuska-Susitna Borough, was in the thick of the malware attack on the borough this summer through an email phishing scam. Wyatt says the IT department is still dealing with the aftermath. They are installing additional security measures and software, but those come with a learning curve.
“The staff needs to learn these new systems and how to maintain and operate a very different environment,” Wyatt said in an email. “We put in place security measures that are commonly used by much larger and better-funded organizations. These measures are necessary, and we will be doing the difficult work of making them work for us for the next (three) to (six) months.”
The attack infected 510 workstations and 150 servers. Because the attack was so sophisticated, each system was completely rebuilt, and every IT system in the borough was affected.
“These attackers will commonly attack and gain control of smaller organizations, then use their email systems and accounts to send very official and expected emails to their next victims,” Wyatt said. “This type of email will then be from someone we are used to doing business with, and it will contain attached files we are expecting and have asked for. It is almost impossible that a user would not open the email and attachment.”
Wyatt and his team believe it isn’t a matter of if but when another attack will occur.
“We have already seen continued threats attacking our network, and although none have gotten in since we have come back online, we know that at some point one will get in,” Wyatt said.
Many businesses today are seeing the value in investing in anti-virus and anti-malware software and additional training. Mike Mason is the assistant vice-president of the E-Payments Solution Department and the Electronic Funds Section head for First National Bank Alaska. He has presented to several hundred Alaskans in the past three years at almost two dozen events about cyber threats and how to avoid them.
Mason said the biggest flaw at most organizations is not patching every operating system.
“You have the unaware employee who is opening attachments or clicking links in emails, and that’s often the No. 1 way that malware will get into a computer network,” Mason said.
Mason says that the growth of the business email compromise scam, also known as BEC, has grown exponentially over the last five years. From October 2013 to May 2018, the scam has reported a total loss of over $12 billion dollars, according to the FBI’s Internet Crime and Complaint Center.
Mason isn’t the only local cyber security expert. Benjamin Craig is the executive vice president and chief information officer at Northrim Bank. In October, Craig participated in an Associated General Contractors of Alaska Lunch and Learn program. Northrim Bank presented on physical, regulatory, internal, business-to-business, external and force majeure threats common to business customers.
Craig suggested patching and updates and to use automatic updating every chance you can.
“Having backups of your critical data may make the difference. Identify those functions critical to your operations … and don’t just back it up, restore it periodically to make sure it’s valid,” Craig said.
And in case something goes wrong, make sure to tell someone.
“The most dire security incident is the unreported one. The sooner you can alert your information technology department or financial institution, the better,” Craig said.
Craig works alongside Kathleen Bates, senior vice president and director of electronic channels at Northrim Bank. Bates said everyone should be using an encrypted password manager with unique credentials for every site they visit so that if one site is compromised the attackers can’t use those credentials anywhere else.
Bates recommends taking advantage of dual-authentication when possible, a method of confirming your identity with a second device, such as a smartphone, and setting limits and alerts in case of an attack.
“Define the average, not peak, thresholds for financial transactions. You can always call your bank to have those limits temporarily raised,” Bates said. “Create alerts for transactions that are uncommon or that exceed your normal thresholds.”
Hackers often premeditate their attacks, so it is important to be aware of how much information you’re sharing on social media platforms, such as Facebook and LinkedIn.
“The more you put out there, the more likely it is that some adversary or unsavory (individual) will see it,” Mason said.
Mason suggests uninstalling programs that you don’t use and keeping everything you have in your computer up to date. Additionally, make sure you have different passwords for each service you use and provide training for all employees in the office.
“It always comes back down to training your employees, equipping them with the knowledge they need and telling them it’s OK to say, ‘Let’s wait for a second and verify this before we jump and act,’ ” Mason said. “Don’t be the low-hanging fruit.”