Three Florida cities reported having computer systems held hostage earlier this year, costing hundreds of thousands of dollars in ransom.
The activity became public knowledge because the victims were public entities and public funds had to be expended on a fix.
But a private business can often keep a hack secret, and has every reason to do so in order to avoid attracting other attempts, so a ransomware attack on it likely won't make the news.
That doesn't mean it's not happening. A lot.
"It happens every day, even in Sarasota County," Kelli Tarala said.
She's a consultant with and co-owner of Enclave Security LLC, whose mission is to "help empower organizations to defend the information assets that have been entrusted to them," according to its website.
She works with companies ranging in size from mom-and-pops to the Fortune 500. They're all at risk of a hacker wreaking havoc, she said.
"Old-style" hacking - stealing personal information on people - hasn't gone away. In fact, Tarala said, it's gotten more sophisticated. You can now buy a Social Security number that matches up to a specific profile of an identity you're trying to create.
It costs $1 or $2.
But the proliferation of "ransomware" attacks in recent years presents the system owner with a dilemma: either pay the ransom demand — the FBI advises against it — to regain access, or refuse and try to reconstruct the lost files at an unknowable cost in time and money.
"They always say don't pay the ransom but a business owner needs to make a business decision," Tarala said.
Insurance is a factor, she said, but bringing in an insurance company will mean turning over the response to it, which can add time due to red tape.
'Cyber hygiene'
The best approach to hacking is the obvious one: "You want to avoid it as much as possible," she said.
That means investing in good "cyber hygiene," she said: keeping software up to date; installing security patches promptly; backing up your files regularly to a computer that's offline; putting gateways and firewalls in the path of anyone who does find a way in.
Ideally, the company can put all of that in the hands of an information technology employee whose focus is security.
In reality, Tarala said, "generally, nobody has enough security personnel on staff," in part because "you can't fill the positions fast enough."
There is expense involved, Tarala said, but management has to keep it in perspective. Saving money by leaving a system vulnerable would be like deciding to forgo oil changes in company vehicles, she said.
"Security isn't an option anymore," she said. "The companies that invest in security thrive."
Fortress mentality
When they started their company, Tarala and husband Jamie named it "Enclave" to evoke the image of a medieval castle with layers of defenses, she said.
To get inside, invaders needed to evade archers who could take cover behind parapets; find a way to lower the drawbridge to cross the moat while boiling liquids were being poured on them; raise the portcullis and breach the door behind it; and then defeat the occupants.
"A company's network needs to be set up the same way," she said.
A virus-containing email remains one of the main lines of attack. Tarala said that one of the first lines of defense they use is to route all emails to a "sandbox," where they sit isolated until the recipient authorizes them to be released, one by one.
It can be set up not to release ones that appear particularly suspicious.
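The hold-then-release arrangement described above, written out as an added example (this is not Enclave Security's tooling or anything from the article): every inbound message is parked, the addressed recipient releases messages one at a time, and a policy check can refuse release outright. The two risk rules, the attachment list and the sample messages are assumptions constructed for the illustration.

```python
"""Hold-then-release mail quarantine (added example, not Enclave Security's tooling).

Inbound mail is parked per recipient. Nothing reaches the mailbox until that
recipient releases it, one message at a time, and messages the policy marks as
high-risk cannot be self-released at all. The risk rules are assumptions.
"""
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: attachment types a recipient may never self-release.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def risk_flags(raw_message):
    """Return the policy flags raised by a raw RFC 5322 message (empty list = releasable)."""
    msg = message_from_string(raw_message)
    flags = []
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    # Rule 1 (assumption): a Reply-To in a different domain than From is held.
    if reply_to and _domain(reply_to) != _domain(sender):
        flags.append("reply-to-domain-mismatch")
    # Rule 2 (assumption): executable-style attachments are held.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            flags.append("risky-attachment:" + name)
    return flags


class Quarantine:
    """Default-deny holding area: release needs the addressed recipient and a clean policy result."""

    def __init__(self):
        self._held = {}      # message id -> record
        self._next_id = 1

    def receive(self, recipient, raw_message):
        """Park an inbound message; policy is evaluated once, at intake."""
        mid = self._next_id
        self._next_id += 1
        self._held[mid] = {"to": recipient, "raw": raw_message,
                           "flags": risk_flags(raw_message)}
        return mid

    def pending(self, recipient):
        """Ids still held for this recipient, in arrival order."""
        return [mid for mid, rec in self._held.items() if rec["to"] == recipient]

    def release(self, recipient, mid):
        """Hand one message to its recipient, or raise PermissionError saying why not."""
        rec = self._held.get(mid)
        if rec is None or rec["to"] != recipient:
            raise PermissionError("no such held message for this recipient")
        if rec["flags"]:
            raise PermissionError("blocked by policy: " + ", ".join(rec["flags"]))
        return self._held.pop(mid)["raw"]


def _build(sender, to, subject, body, reply_to=None, attachment=None):
    """Construct a sample message inline (constructed test data, not captured mail)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    if attachment:
        name, payload = attachment
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


# Constructed sample traffic for one mailbox.
SAMPLES = {
    "friend": _build("friend@example.org", "owner@example.com", "Lunch?", "Free Thursday?"),
    "mismatched_reply_to": _build("friend@example.org", "owner@example.com", "Urgent",
                                  "Please reply", reply_to="collector@other.example"),
    "exe_attachment": _build("billing@example.net", "owner@example.com", "Invoice",
                             "See attached", attachment=("invoice.exe", b"MZ\x90\x00")),
}


def demo():
    """Run the samples through intake and a release attempt; return outcomes and what stays held."""
    q = Quarantine()
    ids = {k: q.receive("owner@example.com", raw) for k, raw in SAMPLES.items()}
    outcome = {}
    for k, mid in ids.items():
        try:
            q.release("owner@example.com", mid)
            outcome[k] = "released"
        except PermissionError as e:
            outcome[k] = str(e)
    return outcome, q.pending("owner@example.com")


if __name__ == "__main__":
    for name, result in demo()[0].items():
        print(f"{name}: {result}")
```

Evaluating policy once at intake, and recording the reason a release was refused, gives the help desk something concrete to show a user who asks why a message "won't release"; it also means an administrator, not the recipient, decides whether a held message ever moves.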
They had a client, she said, who called because she couldn't get an email from a friend to release. As she was taken through the protocol about releasing it, she realized that her friend rarely emailed, preferring to connect via text.
The email was infected.
"We need to heighten our human radar," Tarala said.
'De-app' yourself
Another preventive measure is to regularly back up your system — preferably by storing images of its contents in the "cloud."
By backing up your newest files, your somewhat older files and your oldest files in separate batches, if your system is hacked "it can be 100% restored in a week," she said.
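The "newest, somewhat older, oldest" batching above is a generation-based retention scheme. The following is an added example, not code from the article or from Enclave Security, showing one way to decide which snapshots to keep: one per day for the newest stretch, one per ISO week behind that, and one per calendar month behind that. The retention counts and the 400-day sample are assumptions.

```python
"""Tiered backup retention (added example, not the article's or Enclave Security's code).

Backups are kept in three batches so a restore can reach back far without
keeping every snapshot forever. The counts are assumptions; set them from how
far back you need to be able to restore.
"""
from datetime import date, timedelta

KEEP_DAILY = 7      # newest batch: one snapshot per day
KEEP_WEEKLY = 4     # somewhat older batch: one per ISO week
KEEP_MONTHLY = 12   # oldest batch: one per calendar month


def select_retained(snapshot_dates, keep_daily=KEEP_DAILY,
                    keep_weekly=KEEP_WEEKLY, keep_monthly=KEEP_MONTHLY):
    """Return the set of snapshot dates to keep.

    For each granularity, the newest snapshot inside a bucket (day, ISO week,
    month) represents that bucket, and only the most recent `keep_*` buckets
    count. A snapshot retained by any batch survives.
    """
    newest_first = sorted(set(snapshot_dates), reverse=True)
    keep = set()

    def retain(bucket_of, limit):
        buckets_seen = []
        for d in newest_first:
            b = bucket_of(d)
            if b in buckets_seen:
                continue                 # a newer snapshot already represents this bucket
            buckets_seen.append(b)
            if len(buckets_seen) > limit:
                break                    # beyond this batch's horizon
            keep.add(d)

    retain(lambda d: d, keep_daily)
    retain(lambda d: tuple(d.isocalendar()[:2]), keep_weekly)   # (ISO year, ISO week)
    retain(lambda d: (d.year, d.month), keep_monthly)
    return keep


def prune_plan(snapshot_dates, **limits):
    """Split snapshots into (keep, delete), each sorted oldest first."""
    keep = select_retained(snapshot_dates, **limits)
    delete = set(snapshot_dates) - keep
    return sorted(keep), sorted(delete)


def demo():
    """Constructed input: 400 consecutive daily snapshots ending 2024-03-15."""
    end = date(2024, 3, 15)
    snapshots = [end - timedelta(days=i) for i in range(400)]
    keep, delete = prune_plan(snapshots)
    return [d.isoformat() for d in keep], [d.isoformat() for d in delete]


if __name__ == "__main__":
    keep, delete = demo()
    print(f"keep {len(keep)} snapshots, prune {len(delete)}")
    print("\n".join(keep))
```

With the defaults, 400 daily snapshots collapse to 20 retained copies: the last seven days, the end of each of the two previous weeks not already covered, and the last snapshot of each of the eleven earlier months. The weekly and monthly copies are what make an older, clean restore point available when the newest snapshots already contain encrypted files.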
There's free software online that can be used for backups. In fact, Tarala said, if you use a PC the security features built into it are good — they're free, they update automatically and they work.
"Microsoft knows best how to protect its systems," she said.
It's important to keep an eye on what you've added on to your computer or other tech, though. Apps can pose security concerns and even if they're safe, they can slow down operations.
"If you're not using an app, get rid of it," Tarala said.
She also recommends setting up a second account on your devices, separate from the one you use as administrator. Use the second account for day-to-day work, and a hacker who gets into it won't have the administrator account with which to infiltrate anything you connect to.
"I'm not the administrator on any device I use," she said.
Let (mock) disaster strike
With bad actors worldwide conducting both random and targeted attacks, no amount of preventive measures is a guarantee against hacking. Having an incident response plan similar to a hurricane plan is critical to minimizing damage and speeding recovery if there's an attack, she said.
There are free plans online, Tarala said. Use one of those or create your own, but make sure it calls for a team response, involving Human Resources and the public information officer as well as Information Technology.
A vendor list should be part of it as well. The best response to an attack may be just to replace everything as quickly as possible, she said.
The plan should be reviewed at least once a year — preferably twice — and tested through mock disaster drills. Lessons learned through the drills are used to refine the plan, she said.
If a red flag pops up, the first thing to do is determine whether there's been a security "incident" — a violation of your IT policies — or a data breach, which is far more serious.
A breach can trigger legal and contractual requirements that include notification to the persons whose data is affected, the government, regulatory agencies, credit agencies and the public.
By law, for example, an event that affects 500 or more records in the healthcare industry is considered a breach, she said.
After that it's a matter of implementing the response plan, and if it's a ransomware attack, weighing whether to pay the ransom.
Tarala said she's seen a demand as low as $100. Paying that is an easy business decision, but one based on the company's ability to implement sufficient security measures to prevent the hacker from coming back with a second, bigger one.
Because there will almost certainly be another one, whether it's a hacker figuratively knocking on hundreds of computer "doors" to find one that's unlocked or an effort to unlock a specific one.
"We can't stop these phishing attacks," Tarala said.
