JBS USA Holdings, Inc., the nation’s largest producer of meat products with a location in Green Bay, ground to a halt in early June when a ransomware attack hit the company.
During a ransomware attack, cybercriminals encrypt the company’s data and systems, making it nearly impossible to operate. Most companies need to pay a ransom — JBS paid $11 million — to have their systems unlocked.
While on the rise, ransomware is just one type of cyberattack. Businesses large and small are hit by attacks every day, whether it’s a criminal pretending to be a customer with an unpaid bill to get some cash or impersonating someone within the business to get funds moved to another bank account.
Though stories of cyberattacks and ransomware cases show up in the news, most businesses still are not paying enough attention to their own cybersecurity needs, says Cory Larson, a consultant in cybersecurity and automation for WMEP Manufacturing Solutions.
“Unfortunately, it’s down on the list of priorities,” he says. “There’s really not a culture of cybersecurity out there. People pass around TikToks that may have an unsecured link that could let someone grab your data or they don’t notice an email address is one character off and it’s not really from a company you work with.”
Cybersecurity must go beyond using an antivirus program and a firewall, says David Sun, cybersecurity principal for CLA.
“Hackers have gotten so sophisticated that cybersecurity needs to be ingrained into the DNA of an organization,” he says. “A cybersecurity mindset is critical in everything you do, everything you think about and everything you buy.”
Ransomware attacks are not limited to large corporations like JBS, says Tom Wojcinski, director of Wipfli’s cybersecurity and technology management practice. He says small businesses are even more in danger of having their data locked by a cyber thief.
“Small businesses are at a greater risk since they don’t normally have the staff dedicated to security or have the necessary software protections in place,” he says, adding the damage inflicted upon a company’s reputation and its financial impact forces some businesses to close permanently.
Cybercriminals also are becoming creative and using small businesses to cause damage to larger companies. That was the case with the hack of SolarWinds, a company that makes a network and applications monitoring platform, says Praneet Tiwari, a lecturer in data science and business statistics for the University of Wisconsin-Green Bay. Cybercriminals were able to get inside large companies and government agencies by hacking the smaller business.
“User training is the most crucial component of cybersecurity, and employees at all levels need to be educated about the dangers of cyber threats and potential ways to minimize their exposure,” he says. “Creating security awareness goes a long way in strengthening the overall cybersecurity for the business.”
Wojcinski says cyberattacks on small businesses often get less attention, so it’s difficult to find out just how many companies are affected each year.
While cybercriminals can attack a system in multiple ways, spear phishing seems to be the most effective method, he says. “People open a file they shouldn’t and the ransomware is installed into the system,” Wojcinski says. “It just needs that tiny entryway.”
Aging equipment, a lack of virus protection and software that hasn’t been updated or patched are other ways malware can get into a company’s computer system, Larson says.
The attack on JBS came shortly after cybercriminals attacked Colonial Pipeline, which transports gas to nearly half of the East Coast and triggered gas shortages and panic buying. The company paid the ransom to get its information and systems back.
To stay safe, Larson recommends businesses take a thorough look at their IT operations to see where the cracks may be. Companies can have an audit done of their systems to identify problems and receive some possible solutions.
“The audit can help provide you with a road map to what your business needs to do to stay safe,” he says.
Sun says businesses should think of a cyberattack in terms of when instead of if it will happen.
“Cyber resiliency goes beyond having an incident response plan and practicing it. It is designed to confirm you have all the necessary precautions in place for an attack,” he says. “Cyber resiliency also entails reviewing all of the data on your systems and taking unneeded data offline, so it cannot be exfiltrated.”
Wojcinski says businesses can take several steps to protect themselves, including making sure all programs are updated and patches have been applied where necessary, segmenting their network by separating low-value data versus high-value data, using multifactor authentication, and managing backups properly.
“Backing up info to a USB port left in your laptop is not an effective backup. You need to isolate that backup from the rest of the system. That way, if you do get hit, you can bring back data collected before the attack onto a clean computer,” he says.
If the worst happens and your company is hit by a ransomware attack, businesses have few options — paying the ransom or trying to restart from scratch, which mainly works for small businesses that may also have a paper trail of their data.
“I don’t believe in paying ransom. It’s complicated. You either need a lot of cash on hand or ransom insurance that you then need to change into cryptocurrency, with the whole process taking three days or more,” Wojcinski says. “I believe it’s better to be prepared from the beginning to keep criminals from (infiltrating) in the first place.”
Tiwari says all businesses should include a cyber component to their continuity plan or disaster recovery plan.
“When a cybersecurity incident does happen, the management team would now have guidelines on how to proceed,” he says. “This would go hand in hand with the business continuity plan in case of a ransomware attack or an attack which compromises business operations.”