Do America’s Businesses Have a Cybersecurity Problem?
July 12, 2021
Remember the quaint old days when businesses only had to worry about in-person crime? Now, while stores still get robbed, the worst dangers come from digital criminals who have all sorts of ways to steal data or even lock companies out of their own sites.
The problem — and it’s a big one — is that many small-to-midsize businesses lack the proper protection against these attacks. Steve Symington joined Dan Kline on the July 7 “7investing Now” to look at the depth of the problem and the many solutions that are out there.
A full transcript follows the video.
Dan Kline: We’re gonna move to what we’re watching. So if you’re new to this program, on most shows, not every show, we change the format up, but on most shows, we let each of the guests appearing on the show bring a topic. Sometimes I bring a topic if there’s something in my space. But in this case, Steve, you called this “Massive ransomware attacks underscore the importance of cybersecurity.” Can you explain what ransomware is before you get into what actually happened here?
Steve Symington: Yeah, so let’s take this latest situation, for example. They’re up to 15... I think it was between 800 and 1500 small and medium-sized businesses in a dozen countries that were struck by a ransomware attack from Russia-linked hackers. Now, this is similar to the SolarWinds thing that shut down the oil pipeline. What’s happening, in this case, is they hijacked a software tool from an IT outsourcing company called Kaseya. And that software tool was sort of hijacked, and on the systems of these various small and medium-sized businesses, it encrypts every single stinking file on your computer, all of them, and then displays a message and says, hey, we’ve got your files, if you want them back, pay us. You know, they’re basically asking all of these businesses collectively to pay them like as much as $70 million. And they’re talking about, yeah, we’ll bring it down to 50 million if that’s all right with you guys, you know.
But ransomware is literally just that: they take your files, they encrypt them, and they say if you want them back, pay this much for the tool. And it’s funny because with the SolarWinds hack, they gave them the tool and it still didn’t work. And they ended up having to use backup systems to bring everything back in line. And then, you know, there was some recourse because they want a payment in Bitcoin, and the government ended up collecting a lot of that money back. They traced it back to bad password storage habits by the hackers, which was sort of ironic in itself, but yeah.
Dan Kline: That’s why your password hacker one is not the way to go.
Steve Symington: Yeah.
Dan Kline: Well, the White House is involved here, so obviously on one end our government should be working to protect us. But let’s talk about this from an investing point of view. There are some companies that you should be a customer of if you’re a small or midsize business. We should probably be a customer, or maybe we are, I don’t know, you would know more than I do, of some of these companies. Where can you put your money if you want to invest in stopping this type of attack?
Steve Symington: Right, and this really underscores the importance of cybersecurity companies in today’s world as it’s increasingly digitized. But from our perspective, obviously, it underscores the importance of identifying and potentially investing in cybersecurity companies. And, you know, you’re thinking things like CrowdStrike’s (NASDAQ: CRWD) Falcon platform, which specifically has mechanisms in place to prevent ransomware attacks. Or, you know, Cloudflare, Okta, Ping Identity, all these companies that sort of prevent cybersecurity attacks from happening are proving increasingly important. And if you actually look at these companies as a group, their stocks have climbed even as some of the other high-growth stocks have pulled back in recent days, and people are realizing maybe we should be putting money to work here. And so yeah, those are some of the great companies I think people should be considering.
Dan Kline: Is this the case that, while those companies might not be impregnable, if you’re a hacker, you’re just gonna go after the low-hanging fruit? Like, it’s kind of like, you know, getting ADT, and their security might not be great, but just the fact that you have it, they’re going to rob the guy next to you that doesn’t, and the guy next to me doesn’t. Rob him. Yeah, and his stuff looks nicer than mine now.
Steve Symington: A lot of criminals in general are lazy, however industrious they are with being creative, I guess, in their criminality. But cybersecurity is no different, and I would argue maybe even more extreme. I was a computer scientist by trade, a software engineer. We like to take the – we as computer scientists in general, not criminals in computer science – like to take the easy path, right? And if you can subvert a software tool and allow the IT company to put you onto someone’s system, then all the better, obviously. You know, you’d hate to hack into systems individually.
And that’s part of the way that they’ve actually been able to... it’s kind of genius, actually. It’s a one-to-many kind of style attack. And super frustrating, obviously, but they’re able to infect up to 1500 people, 1500 businesses, small and medium-sized businesses in a dozen countries. And it was sort of a lazy way to get into these systems, but also something that could have been prevented if these small and medium-sized businesses were also customers of someone like CrowdStrike, implementing endpoint protection, being able to pick up things like this as part of that tool. So yeah, kind of a tough go. But yeah, it’s something you should become a customer of. So...
Dan Kline: If you own a business, be skeptical. If you are an individual, make sure you have good password security. I know it can be tricky. Use a third-party platform, you know, make sure you’re using products that have good encryption. Look, we had our Netflix hacked once. We have no idea how; it had a pretty complicated password. And Netflix was really great about it. Other places, Twitter, can be very, very difficult. Yeah, if your account gets hacked... go ahead, Steve.
Steve Symington: What was interesting about, and when I mentioned lazy password security on the part of the hackers for the SolarWinds thing, it was actually the FBI traced it back to a bitcoin wallet, the passwords for which were stored on a server that was relatively unsecure. So they’re able to step in and be like, and you’re like, this is ours now. And it was pretty impressive on the FBI’s part to basically follow the money, and encouraging too, that. And actually that caused a crash in Bitcoin prices, because people were concerned about, oh my God, the government can take my Bitcoin.
Well, that’s a good thing if you’re a criminal and trying to pursue criminal activities. And it wasn’t necessarily a problem with the inherent insecurity of Bitcoin’s blockchain. It was a problem with the way that they stored their passwords for the Bitcoin wallet. And again, yeah, password. So if you have a server and you’re performing criminal activity, and you’re storing your Bitcoin wallet passwords on the server, maybe do a better job of security against the FBI.