CHICAGO — Small-to-medium businesses, like some laundry operations, most likely don’t worry about cybercriminals hacking into their computer systems.
Besides, laundries don’t have anything a criminal would want to steal from them, right?
Wrong. Cybercriminals are looking for access to all kinds of data, and with more employees working remotely due to the pandemic, these criminals have more opportunities to gain access to computer systems, information and other items they can use to their advantage.
Joe Danaher, senior security analyst for The Ame Group, described how these thieves can get into laundry computers at the Association for Linen Management’s (ALM) IMPACT conference in November during the session “Yes, Cyber Crooks Can Get to More Than Dirty Laundry.”
“What we’re seeing is cybercrime has become profitable enough that it’s really become organized,” Danaher says. “By that I mean these are syndicates of well-funded people who, just like we go to work nine-to-five, they go to work nine-to-five trying to break into computer systems all over the world.”
He says that most of the attackers are based outside the reach of traditional law enforcement, and they look for targets to achieve their financial goals. And there are many small-to-medium businesses in the United States, so that’s where these criminals attack.
“And the investment in security is less in a small-medium business than it is in IBM, for example,” Danaher points out. “That’s where they know that maybe you don’t have as much money to spend on security, so your security is a little bit easier and they might have an easier time breaking in.”
The criminals also prey on businesses that don’t think they have much worthwhile data for them to steal, like in the laundry/linen services industry.
“However, if you think about how much you use data and rely on computer systems to run your business to manage your employees and manage your customers, it’s a key aspect of your business,” Danaher points out.
“They count on you not spending a lot of time training your staff on how to recognize, say, a phishing e-mail. Or how to recognize that somebody is calling and claiming to be IT support when they’re really not.
“Their motivation is money, and they don’t care if you’re providing laundry services to a hospital and it’s going to be a huge impact if those laundry services go down.”
A popular tool that most businesses use in some form today is e-mail. Danaher says that makes it an easy, vulnerable attack vector for cybercriminals.
“Business relies more and more on e-mail not only for communication but really, if you admit it, for file sharing, right?” he says. “You don’t get a lot of e-mails that don’t have some type of attachments or links in them.”
So, the criminals use what are known as phishing e-mails, which try either to trick an employee into giving away his/her username and password or to deliver malware as an attachment.
“They’re preying on people not really recognizing these bogus e-mails and actually clicking on things or going to websites that are linked in the e-mail and providing their credentials,” says Danaher. “They’ve got very sophisticated attacks that can make these phishing e-mails look more and more realistic, and we’re seeing a rise in that.
“We’re also seeing a rise in these e-mails containing malicious attachments, and that is how most breaches begin, with a malicious e-mail that some unsuspecting employee clicks on.”
Another way cybercriminals can gain access to a laundry’s information is through third parties, says Danaher.
“I’m sure you have business partners that provide you with services or supplies that you need that have access into your network,” he says. “Any connection from the outside into your network provides an avenue not only for your third-party vendors but potentially for attackers.”
Such access could leave a laundry open to a ransomware attack, says Danaher. Ransomware is malware that encrypts all of a business’ data, and the criminal demands a ransom to release it. If the business doesn’t have a backup that’s disconnected from the network, it will either lose the data or pay the ransom.
The laundry operation could have controls in place, but a third party could get breached, providing criminals a way into the laundry’s system.
“It’s a caution on third-party risk when they’re in your network or even maybe you send data to them,” points out Danaher. “They may be providing you some cloud service where you have to upload data, very common with your HR Solutions. You need to know that data is your employees’ or your customers’ data you’re sending in that they’re holding for you.
“You’re still responsible to your customers and your employees. That doesn’t absolve you of the responsibility. You need to know what these third parties are doing to secure the data or secure the connection into your network. And then if they are breached, what are their responsibilities to you?”
LINES OF DEFENSE
How can a laundry operation better secure the “cyber” side of its business? Danaher has five simple ways to help defend against these attacks.
Danaher says a laundry might have all of the technical controls in place, but it may not have trained its employees, and they get tricked.
“How can you expect (employees) to really be your first line of defense if you’ve never provided them with any information?” he asks.
“So, providing your staff cyber-security awareness training and having that training be emphasized from the top down is really one of the best things you can do, and it’s not that expensive, too.”
Another inexpensive tool to help prevent cybercrimes, according to Danaher, is the use of strong passwords.
The National Institute of Standards and Technology did a study a few years ago about what makes a strong password, and the No. 1 characteristic was length.
“That’s what made it strong, not that you have to reset it every three months,” he says. “Not that you had all different kinds of characters in it and didn’t use any words. It was the length.
“So, we’ve come to refer to passwords more as a passphrase because of that, and we like to see phrases that are at least 10 characters or longer.”
An example, Danaher shares, is “Hawksurfsail.” It meets the length characteristic, and it does have a capital letter and lowercase.
“It is not really related words, but something I can remember,” he says. “It’s my favorite bird and a couple of favorite things I like to do when I’m at the ocean, so things like that can help you remember them because the average person has a hundred passwords. And it’s not a crime to use a password manager.”
Why is length the key to a strong password? Danaher says cybercriminals use password spraying attacks and password cracking tools, and the longer the password, the more difficult it is to crack.
With 10 characters, upper and lower case, it would take a criminal a month to crack the password, and the time needed goes up exponentially for every character added.
“Cybercriminals are not going to sit around for a month trying to break your password unless you’re maybe the president of the United States or something like that, but they’re not going to spend that time,” he says. “The likelihood your password can be what’s called ‘brute force’ cracked is very low as that length increases.”
Also, it’s a bad idea to use the same password across many sites and programs because if a password is breached, criminals could potentially have access to many other sites.
Two-factor, or multi-factor, authentication goes beyond traditional username and password, adding another layer of protection.
“One of the most common things is using it in conjunction with Office 365 e-mail and an app for your phone called Microsoft Authenticator,” says Danaher. “Essentially once you link that to your e-mail account, it will generate a six-digit number every 60 seconds on that application.
“So, when you go in to log into your Office 365 over the web, you’re remote and you’re just logging into your web browser, you’re prompted not only for your username and password, but you have to enter this second factor of authentication, this number from your Authenticator.”
That generated code goes a long way to protecting information.
“If I can get your username and password to your e-mail, I can do some damage with that,” shares Danaher. “I can maybe make some money with that.
“Two-factor authentication stops that in its tracks because if I’m the hacker, I might get your username and password, but it’s pretty unlikely I’m going to have your phone. I’m not going to have that second factor of authentication then.
“It’s not perfect, but it is much better than just a username and password. We strongly recommend it for any e-mail, and what we’ve come to recommend is any system that has sensitive data offer two-factor authentication.”
Danaher points out that many businesses believe that because their computers have antivirus programs on them they are fully protected.
“What we’re seeing is traditionally known antivirus is not keeping up with the malware threats that are out there,” he says. “There are so many variants of malware, so many different coded types of malware that traditional antivirus misses.
“The people write the malware to just change a couple lines of code, and it will still do the same thing, but antivirus won’t recognize this malware, won’t stop it. Ransomware is a great example where antivirus really does not do much to stop it. That’s why you see ransomware attacks in the news being successful.”
Danaher says a new product is coming, unfortunately more expensive, but more effective. It’s called endpoint detection and response (EDR) or next-generation antivirus (NGAV).
“What they do is they take the best of what antivirus was, the signature-based detection, but they actually use machine learning and they use behavioral-based detection because malware, even if I can change the code, I cannot change how it functions on the computer because it’s doing things to a computer operating system that are kind of hard-coded and don’t change a lot.
“Essentially what it does is detect the behavior of malware to stop it, and it has the capability to automatically end processes that malware tries to run. And it does a tremendously better job at stopping ransomware than the antivirus does.”
Finally, Danaher recommends being diligent about patch management.
“We all know, log on the second Tuesday of the month and Microsoft’s going to release a bunch of patches, or the web browser patches a lot of us use on Google Chrome,” he says. “You probably have the automatic caches turned on and it manages some of the patches for you.
“But what a lot of people forget about that require patches that may be on your network are things like printers, like your backup appliance, switches, routers, some of that hardware that’s not a computer or a server that’s on your network.”
These pieces of equipment also have what are called third-party operating systems. Danaher also says that a laundry operation may have software on its servers used for virtualization or even remote access.
“And your router’s firewalls, those type of things,” he shares. “They all have their own operating systems that need patches.
“Laundries may be more familiar with that because you probably have a lot of machines and others that are run by computers. These devices are connected to a network that has access to the Internet. They now become a potential attack point for the bad guys to get in.”
Third-party applications, business applications that are on every computer, also require patches, and many businesses don’t think about this, shares Danaher.
“That’s what the cybercriminals exploit because they know these things are on your computer,” he says. “So, web browsers, Adobe PDF reader is another one, and then Java is another program that runs on most modern computers.
“Those are just some patches to think about that maybe you don’t have covered as well as you think you do, something to keep in mind.”
Danaher says that he presented just some of the threats cybercriminals pose to laundry businesses’ computers and the data they contain.
“These are some things that we are seeing in our day-to-day work that are threats to small-medium businesses that you may or may not take very seriously currently,” he says.
“And these are some things to do to make your data and your network a little bit more secure, and some of these things are very easy to do and very cost-effective for you.”