It’s late July and I haven’t a clue when I’ll see my car again. When I dropped it off 10 days ago for minor repairs, the service advisor said the dealership was recovering from a cyberattack that had knocked out the software system it uses to manage everything from car sales to service and parts. “We’ve been doing everything on pen and paper, and it’s a mess,” he lamented. When I asked for his best guess of when they’d get to repairing my car, he pointed to a rear parking lot stuffed with about 200 vehicles. “When we get through that backlog,” he replied.
The CDK Global ransomware attack — so named for the software vendor infected with the malware — paralyzed 15,000 dealerships across North America, including my local Ford dealer. Fort Lauderdale-based AutoNation, the biggest U.S. auto retailer, said in a regulatory filing that the attack shaved $1.50 per share off its quarterly earnings. Nationwide, car dealers lost more than $1 billion from the attack, according to estimates from the Anderson Economic Group — and that tab doesn’t even include the $25-million ransom CDK reportedly paid.
Those costs pale in comparison, though, to the impact of a cyberattack on Change Healthcare. The UnitedHealth Group unit processes about 40% of all U.S. medical claims, but business ground to a halt in February when a Russia-based ransomware gang encrypted its systems and demanded $22 million in bitcoin. UnitedHealth paid the ransom, but patient data still landed on the dark web. The incident caused headaches for patients, who couldn’t get prescriptions processed, and it triggered a cash crunch for health care providers, who couldn’t get reimbursed. UnitedHealth projects its costs from the incident will exceed $2.3 billion.
In the time it takes you to read this column, more than a dozen organizations will fall victim to a ransomware event, according to government and industry data, and $57 million in cybercrime damages will accrue globally. In the time it took me to write this column, meanwhile, I’ve received a half-dozen phishing emails and one “smish” — a fraudulent text message about a fictitious package from someone pretending to be the U.S. Postal Service. Welcome to the era of cyber insecurity.
To its credit, Florida isn’t just wringing its hands over the problem. As Associate Editor Michael Fechter reported in his August story “Cyber Storm Brewing,” the state’s been plowing funds into training public and private sector employees on how to better detect and respond to cyberattacks on critical infrastructure. The Florida Center for Cybersecurity at the University of South Florida, the University of West Florida and Florida International University each operate immersive training facilities known as cyber ranges that provide simulations of real-world systems and cyberattacks. And the schools are doing their part to chip away at a shortage of 14,000 cybersecurity professionals that’s expected to increase 32% over the next decade.
Truly moving the needle, though, will require a collective mindset shift. “Most people think it takes a highly sophisticated, hard-to-understand skill set to hack into a system. That’s not true. Most successful hacks, even the big ones, are the result of human error or complacency,” says Jackie Bytell, the executive director of cybersecurity at Northwest Florida State College.
Indeed, the Change Healthcare attack stemmed from the company’s failure to turn on multifactor authentication, a second verification step — such as a code sent to one’s mobile phone — that ensures the person logging in is the actual user. Nine out of 10 attacks today, meanwhile, start with a phishing email — and hackers are upping their game. With artificial intelligence, they’re crafting more convincing messages, devoid of the spelling and grammar errors that might have once tipped us off that they’re phony. Our dependence on social media, meanwhile, has provided a window into our personal lives that makes us easier prey.
Remote work also is contributing to cracks in our digital armor. A U.S. investigation into the Volt Typhoon cyber espionage campaign, an effort by China to infiltrate electric grids and other critical infrastructure, found the hackers had gained entry to systems during the pandemic through vulnerable home-office routers that were no longer getting regular security updates. And over the summer, the Clearwater-based cybersecurity firm KnowBe4 revealed in a blog post that it had unwittingly hired a “fake IT worker from North Korea,” who used an AI-manipulated photo and a stolen U.S. identity to get the job. “We sent them their Mac workstation, and the moment it was received, it immediately started to load malware,” KnowBe4 CEO Stu Sjouwerman wrote.
Fortunately, KnowBe4’s software detected the threat immediately and no data was compromised, but the incident came as a wake-up call that the company hopes others can learn from. “That’s the whole goal of the company, to raise awareness, whether that’s being socially engineered through the hiring process, or being socially engineered through a phone call or through an email to get you to click on something,” says Brian Jack, KnowBe4’s chief information security officer. “Humans are a big risk, and the more that we train them on the various threats that are out there, then the better we’ll be.”
— Amy Keller, Executive Editor akeller@floridatrend.com