Your organization needs to be vigilant at all times, but now you have additional reason to take cybersecurity seriously: the Russians are coming.
The White House recently issued a warning to companies that Russia is likely to launch cyberattacks against critical U.S. infrastructure — and to use U.S. businesses in those attacks. Infrastructure targets could include the power grid, water and sewer systems, communications, and gas pipelines.
Russian cyberattacks would be in retaliation for U.S. sanctions against Russia over its invasion of Ukraine.
Will Russia Attack U.S. Infrastructure?
This wouldn’t be the first time Russia has attacked the U.S. in this way. Russian criminals have targeted the U.S. several times already, including a ransomware attack on Colonial Pipeline, which led to gas shortages on the East Coast.
It’s reasonable to expect a technologically advanced world power to inflict damage on its adversaries, especially when those adversaries are hurting its economy. Russia doesn’t have to go to war with the United States to inflict real and consequential damage to our country’s infrastructure. Just as the U.S. is able to impose sanctions on Russia, Russia is able to initiate its own attacks on the United States.
In the process, small and medium size U.S. businesses are likely to get caught in the crossfire. They may even be unwitting instruments in Russia’s attacks.
You Aren’t Too Small for Russia to Target
I often hear leaders at small and medium size organizations say that they don’t believe their company could possibly be the target of a cyber attack. “Why would they mess with me? I’m just an insurance company,” they say. Or, “We’re just an HVAC company. We’re too small to be of any value to an attacker.”
You can test that theory in just a couple of minutes. Look at your system logs, and you’ll see that you’re already receiving five to ten attacks on any given day. You’ve been a target for years. And that’s just on one attack channel. There’s also phone/text phishing and email phishing, where someone tries to trick your employees into giving up sensitive information.
You’ve seen the cryptic text messages with those odd looking URLs, or vague emails that might or might not be from someone you actually know. There’s also those phone calls purportedly from the IRS or a debt collector, demanding your bank account information.
If you, as a single private individual, are being targeted by bad actors, why wouldn’t your company be the target of a cyber attack?
The reality is, cyber attacks are indiscriminate and random. The bad guys are looking for any system that will let them in. Sensitive data is sensitive data. Just because you’ve been lucky so far isn’t reason to think you have the protection you need from Russia’s bad actors.
When you’re dealing with an entity that has the technological prowess of Russia, they aren’t going to do the most obvious thing and attack the front gate with a battering ram. They’re smart. They’ll take back channels to sneak in when no one is looking. That means using small and medium size businesses.
Related reading: Your Small Business Isn’t Hiding from Cyberattackers
How Russia’s Cyberattacks Work
If your business does get attacked by Russian hackers, what could happen? You may not have any immediate value to them, but your customers or vendors might.
If you’ve ever played the Kevin Bacon game, you know how easy it is to connect the dots between any two people in the world. No organization is an island, and Russian attackers are happy to play the Kevin Bacon game with your company in order to access their ultimate targets.
For example, let’s say that among thousands of attacks, they hit a funeral home. They breach the records and acquire names and contact information of grieving relatives. Now they can initiate a directed phishing attack against those folks while they’re vulnerable.
If any of those people happen to work as a contractor for a water treatment plant or a hospital, the attackers can use that connection as an entry point for their targeted attack against critical infrastructure.
Or as another example, perhaps the attackers hit an accounting firm that has an HVAC business as a client. That HVAC company happens to serve a major gas pipeline company. Or the accountant shares a common vendor with New York City’s sewer system.
And so on.
What Should You Do?
I’ve said before that your company has a responsibility to your employees, customers, and vendors to invest in cybersecurity protection. Those people are depending on you to protect their data. You also owe it to your country to do your due diligence.
It’s one thing to be the victim of a bad actor — it’s another thing to unwittingly play a role in an attack against the U.S. from a foreign aggressor. No company wants to be known as the organization responsible for giving Russia access to the nation’s infrastructure.
Doing your part simply means securing your systems. Implement multifactor authentication, patch your systems against known vulnerabilities, and develop a robust security program at your company — one that leverages a prescriptive security / compliance standard.
Don’t assume your IT department already has it handled. IT experts are not cybersecurity experts — those are two different realms, and your rockstar IT staff don’t have the knowledge to protect your company against bad actors. It’s like assuming your healthcare general practitioner can handle brain surgery.
Likewise, generally speaking, your managed services provider isn’t equipped to protect your company either.
I am a strong proponent of the notion of “trust, but verify.” It’s good to have oversight of those responsible for your day by day IT operations personnel, regardless of whether they are internally staffed or an outsourced provider.
To protect your company — and to do your part as a responsible citizen — you’ll need to hire a compliance professional who can run full penetration tests and help you to develop a security program that validates your assumptions and gives you confident, proactive protection.
Don’t know where to start? TCT is connected to dozens of companies that we can recommend with confidence. Reach out today and we’ll help you find the right consultant or Assessor for your needs. We can also help you figure out your first steps towards security and compliance.