It was finals week at Neenah High School when families got the news that schools would be closed. Unexpected days off in January have been far from unusual given winter weather and the district’s COVID-19 strategy, and for most students and teachers a school closure typically means a temporary pivot to online learning. But on Jan. 11, school was canceled for an entirely different reason that left remote access — and, therefore, learning — unavailable: a districtwide ransomware attack.
Jim Strick, communications manager for the Neenah Joint School District, says that in many respects the district got off easy. Attorneys recognized the attack as part of a known, ongoing scheme. To date, Strick says, there is no evidence that student data was accessed. And, most importantly, because the district had a detailed cybersecurity plan in place, the schools were back up and running two days later.
“You’re always surprised when it happens, but we had done a lot of preparation,” Strick says. “If it could happen to us, it could happen anywhere.”
Indeed, Neenah is far from alone. “Anywhere” has already included school districts and municipalities across the state, small charities and companies alike.
Experts say it’s a misconception that small businesses, nonprofit organizations, school districts and municipalities aren’t targets for cybercrime because they aren’t sitting on piles of money or extensive lists of credit card numbers.
“This has nothing to do with credit cards, and that’s where people get a false sense of security,” says Jason Navarro, director of cybercrime insurance and risk management for Pewaukee-based R&R Insurance. “My goal [as a hacker] is just to get in first, and from there I’m going to figure out what kind of pain I am able to cause.”
Navarro says cybercriminals can utilize anything from a list of business email addresses to intellectual property to financial transactions to exact pain on their victims. Malware attacks often rely on a “spray and pray” approach, and phishing schemes are waiting for someone to bite on a scam.
“It’s important to remember that data is the currency of the internet. Just like regular criminals, these cybercriminals are looking for an easy target,” says Michael Patton, director and co-founder of the Cybersecurity Center of Excellence at the University of Wisconsin-Oshkosh. “I’m not looking to rob the bank; I am looking to mug the person walking down the street.”
“The bad guys aren’t picky,” says Steve Maliborski, general manager of commercial products for Sheboygan-based Acuity Insurance. “They’ll try to hit anybody where there’s a vulnerability.”
The best defense
While sophisticated cyber defense companies and advanced technologies are hard at work for many of the nation’s largest companies, Wisconsin-based experts agree smaller organizations can take several steps to shore up their defenses. It starts with educating the workforce.
“Have a discussion with your employees who use the computer systems and let them know about how people get scammed or tricked,” says Navarro, adding that training is the first pillar of cyber continuity planning his company recommends. Others include penetration testing, multifactor authentication, an authorization structure for financial transactions and insurance.
Joe Wetzel, chair of the information technology department at Fox Valley Technical College, further recommends using antivirus software, making sure other types of software programs — including even Microsoft Office, which can be a source of viruses — are up to date, and ensuring back-end networks are segmented so that a hack allows only limited access. It’s also best to make sure backup solutions are separated.
“If you’re a small business, even plugging in a small external hard drive for a backup and then unplugging it is a cheap solution,” Wetzel says. “Once it’s unplugged at least you have a backup that can’t be encrypted.”
While creating a cyber continuity plan is an involved endeavor, most organizations can make simple changes that make a difference, even overnight. Strick says that of all the lessons learned in the Neenah ransomware attack, the most important might have been “change your passwords constantly.”
“Every single one of us can make a difference,” Patton says. “Don’t assume you are too insignificant or that your knowledge can’t be elevated to the point where you can make a difference.”
The Cybersecurity Center of Excellence at UW-Oshkosh opened in January as just such a place for people and businesses to increase their knowledge. A partnership with the Wisconsin Cyber Threat Response Alliance, it provides both free and paid services with the goal of taking “everyone’s cybersecurity intelligence and hygiene up a level,” Patton says.
The CCOE pairs businesses with students to conduct threat assessments and simulations, helps with drafting cybersecurity policies, and goes out into the community to speak to groups. In fact, the CCOE recently completed a cybersecurity training for the Michigan National Guard that the group wasn’t able to find closer to home.
“We’re getting a good response, but we want more. We are happy to help organizations of any size,” Patton says. “We want to be the manifestation of the Wisconsin Idea and a resource people can come to.”
The coverage question
Despite the absence of any formal requirements or even guidance from the state, Strick says a forward-thinking NJSD employee purchased cybersecurity insurance in 2020 that proved critical in this year’s ransomware attack. The district paid its deductible and some overtime salaries; the rest was covered by insurance.
Patton says the insurance industry has gone from being reluctant to provide cyber policies, to issuing them freely, to where it is settling in today: more specialized and responsive, and starting to implement more coverage requirements. “There are some things that should be standard [to get a policy], like multifactor authentication and how you use the cloud,” Patton says.
Navarro, Maliborski and Matthew Prickette, who works with Navarro at R&R as a commercial sales executive based in Appleton, all say cyber insurance is experiencing exponential growth. “As word spreads, not only are people purchasing insurance, they’re purchasing a lot of insurance,” Prickette says.
Navarro says cyberthreats should be treated as seriously as active shooter, workplace violence, fire and tornado preparations — with one big difference: They’re far more likely to occur. “Give me five minutes and I can do more damage than if I actually burn the building down,” he says.
Insurance policies vary, Navarro says, but most cover three areas: liability, the “first party” (the organization that suffered the loss), and crime. Typically, individuals don’t sue companies that expose their information, but that possibility generally is covered as part of liability. Some claims are easy to calculate, like the price of a ransom, while others like reputation damage or the value of two days of learning in a school district are harder to quantify.
Maliborski says Acuity’s cyber insurance policies typically include coverage for notification to affected customers and constituents — including services like credit report monitoring and identity restoration; public relations costs; and coverage for cyberextortion, computer attacks and misdirected payment fraud. He says it’s important not only to choose a good policy but to work with an insurer that will be responsive and stay up to date on the latest threats and technologies.
“We talk a lot upfront about risk mitigation,” he says. “But when you’re unlucky enough that a claim does occur, does your carrier have dedicated cyber claims representatives, and how quickly can they get you up and running again?”
“We are one of very few agencies in the state that has a dedicated cyber division,” Navarro says of R&R. “We are pretty proud of that. You’ve got to live in the space. You don’t just put cyber in place and wash your hands and say you’re done.”
Looking ahead
To Navarro’s point, bad actors are constantly innovating, and everyone else struggles to keep up — including litigation and regulation. “It’s a cat-and-mouse game, always,” Wetzel says.
Patton says current events are big drivers — whether it’s the vulnerabilities exposed by the world’s pivot to remote work during the pandemic or the threat of cyber warfare tied to Russia’s invasion of Ukraine. He says his biggest concern right now is the vulnerability of public infrastructure. “It’s not just criminality; it’s a national security issue,” he says, referring to threats against the nation’s electrical grid, water supply and fuel pipelines.
“Now, versus a couple of years ago, the biggest difference is the level of sophistication by the threat actors,” Navarro says. “This is state sponsored, government sponsored … a professional organization, not kids in their basement.”
In response, Wetzel and Patton say American colleges and universities can’t produce cybersecurity professionals fast enough. At the CCOE, Patton says educators are working to respond directly to companies’ cyber needs — including improving the Linux literacy of students entering the workforce. Fox Valley Tech offers a two-year associate degree in cybersecurity, and Wetzel has been teaching an ethical hacking course that has identified real vulnerabilities and helped companies.
“Within our curriculum we’re definitely focusing on security across the board. Students who graduate today need a different skill set than those who graduated 10 years ago and even five years ago,” Wetzel says. “Security now affects every area of IT.”