Date: 2021-12-05

PORT CHARLOTTE — In August, federal authorities issued a report on the risk of ransomware attacks during weekends and holidays.
While no specific threat was raised by federal authorities in the August paper, they highlighted several attacks that took place in the first half of the year — particularly the ransomware attack against the Texas-based Colonial Pipeline company in May.
While threats at the federal level and against big business are the most visible, Kelli Tarala of Enclave Security told the Daily Sun on Friday that insidious threats to community life can happen much closer to home.
"Do not click the links," said Tarala. "That few seconds of self-discipline will save you hours of heartache."
Tarala, one of the principals and co-founders of the Venice-based Enclave Security company, has worked in the technology sector since the late 90s. It was a critical time for business, as more companies moved from small, closed networks to having an Internet presence and sending communication through email.
"We needed ways to protect information sent, protect the confidentiality," said Tarala.
Enclave Security has worked with companies like the SANS Institute and nonprofit groups like the Center for Internet Security (CIS) to craft policies and practices for companies and municipalities to protect their information from what she calls "malicious actors" — what popular culture might refer to as "hackers."
One such attack at a local level occurred in February of this year — months before Colonial, and right around the time of the Super Bowl — in the city of Oldsmar, just west of Tampa.
A malicious actor managed to gain control of the mouse for a computer that controlled the levels of a cleaning agent for Oldsmar's water treatment plant. An employee at the plant reported seeing the cursor move on its own and increase the cleaning agent to unsafe levels; he subsequently corrected the issue and reported it to his superior.
While such a scenario sounds like something out of a comic book, Tarala noted that national security can come down to ordinary government functions that many Americans take for granted.
“If I don’t trust the water coming out of my faucet, my American lifestyle is jeopardized,” said Tarala.
A similar dynamic plays out when it is a small business targeted for ransomware instead of a large corporation. Tarala gave the hypothetical example of a stationery shop unable to process card payments, place orders for more material, or even press a button to open the cash register.
If a shop owner is faced with the choice of a $2,000 ransom versus losing $5,000 worth of business on a typical day, said Tarala, they may very well make the cost-effective choice. However, she argued, that $2,000 is now out of the local economy and the problem still hangs over the business.
When asked about the best methods for preventing unauthorized access, Tarala cited two prioritized recommendations from CIS — accounting for every device connected to an organization's network and having a defined role for people within an organization to know which software is cleared for use.
"You can't manage it unless you know it's there," said Tarala.
Mark Odell, with Florida Gulf Coast University's Procurement Tech Assistance Center, noted that companies should be aware of which employees have access to what systems to vet access to sensitive data.
“It’s good to not have one person have access to everything,” Odell said in an interview with The Daily Sun in November.
And for IT to be fully prepared, Tarala added, businesses and municipalities will need to make sure their IT departments are adequately funded to match their responsibilities.
“If we are asking municipalities to protect our water supply, then we need to fund it properly,” Tarala said.
For those looking to learn more about how to enhance their own cybersecurity, Odell has recommended several federal-level resources for standard-setting security. Such resources include the Cybersecurity Maturity Model Certification Accreditation Body and the Federal Communications Commission's Cyberplanner.
