While financial institutions might be in the cyber spotlight recently, considering the data breaches that impacted the European Central Bank, Capital One, and State Farm in past months, other targets of cyberattacks need to stay vigilant.
For one, news articles have pointed to school districts in the United States that are being targeted by hackers, including the Houston County School District in Alabama and Monroe-Woodbury Central School District in New York, the latter of which had to delay the start of its school year because of a ransomware attack.
“The industry class itself has always experienced a high frequency of cyber incidents. I would say that the changes really over the last couple years have been moving away from malware-based attacks to using more social engineering techniques to get into schools’ computer networks – using phishing emails, credential harvesting, and those types of tools are the most common ways that criminals are getting into schools’ computer networks,” said Paul Davis, area assistant vice president for Gallagher in Chicago.
“In the past, one of the most common vulnerabilities for educational institutions was lost and stolen devices and more hardware vulnerabilities, but I would say that since the proliferation of social engineering techniques, the ability for criminals to move laterally through schools’ computer networks has increased dramatically, and they’re getting access to much more information.”
The Gallagher expert also noted that the attacks are becoming much more devastating, and that the number of records, as well as individuals, affected by these attacks has increased significantly. Every school system is also a prime target, whether it is large or small, has a big budget or is penny-pinching.
“Educational institutions have just a wealth of information and they have a high volume of users. A lot of their computer networks are higher bandwidth, so the ability for them to process information is greater than other types of industry classes,” said Davis. “What I’ve seen in my practice is that the ransomware infections have been much more sophisticated, and the criminals are in the computer network for a longer period of time, gaining intel about the network and trying to maximize the severity of the attack.”
Criminals today often repurpose banking trojans, like TrickBot and Emotet, to harvest credentials, exfiltrate them, and then use them to escalate to the domain admin level. Once they’re in and have sufficiently mapped the environment, they can deploy the malware.
“They make sure that when they deploy the malware, they’re doing their best to try to infect the backups as well,” added Davis. “In the past, if you were affected by malware and ransomware, you didn’t necessarily pay the ransom, you just restored from backup. We’re now advising clients that they make sure that their backup is fully segregated from the rest of their network.”
Other frequently unsuspecting victims of cyber warfare today are commercial transportation accounts.
“It’s something that a lot of people don’t really realize – transportation companies think that ‘we don’t have medical records, we don’t have credit card information, so what exposure do we really have,’ but the cyber world is so much different and more sophisticated now,” said Mike Mitchell, area president – transportation for Risk Placement Services (RPS). “You have a lot of these big transportation risks that have the logistics of dispatching, and these cyber criminals can come in there and shut down the dispatch system. They can take these transportation risks off the grid for days if they want, until they’ve paid off the ransom.”
RPS has focused heavily on offering cyber insurance to these clients to ensure they’re protected, which is critical because margins are already thin in the commercial auto space.
“A lot of people do think that a small shop would be immune to it, but it’s not just the big transportation risks. Cyber criminals are going after the small mom-and-pop business,” said Mitchell. “That’s something that we’re trying to really educate our retailers and insureds on because it’s a true threat out there and the coverage is not that expensive.”
This education is important for – you guessed it – educational institutions as well, though some are ahead of the curve.
“Our clients invest in cybersecurity awareness training, not only when they onboard an employee, but throughout the year, educating their workforce and their users about if there’s a widespread phishing scam that is affecting the institution, broadcasting that widely among all their users and doing anti-phishing simulations,” said Davis, adding that some are also investing in better access controls, such as multi-factor authentication, as well as doing a better job of vetting their IT vendors and installing encryption on the laptops used within a school.
“But, it’s an ongoing battle because a lot of these educational systems have unfettered control, and there’s a lot of independence that various departments within an institution or within a school system have over information technology. So, it’s often hard to push down some of these policies, procedures, and controls across the entire institution. That’s a unique challenge that I think maybe other institutions don’t have, but the education sector does.”