Despite at least four instances, industry is not a ransomware target, expert says

Published June 11, 2021
But we need to be on guard.

ASHBURN, Va. (BRAIN) — Ransomware attacks that shut down operations at a major oil pipeline in May and the world's largest meat processor in June refocused the nation's attention on the importance of cybersecurity. Less known nationally, four bicycle companies also have been targeted in the past year.

While a cybersecurity expert whose company has trained and equipped businesses for more than 30 years said the bike industry is no more likely to be a target than others, cybercriminals look primarily for vulnerability.

"The biggest mistake that companies make is that they don't think they are a target and ignore cybersecurity," said Dr. Eric Cole, CEO and founder of Secure Anchor, which also provides consulting. "Many people say we are a small company in the biking sector, who would target us? And that is the exact reason they would be targeted. Adversaries don't often target big companies that invest a lot in cybersecurity. They go after the companies that ignore it."

In the past year, Raymond Lanctôt LTD and its NRG Enterprises division, JBI, Garmin, and KHS Bicycles have each had their operations shut down because of system attacks. Each of the bicycle companies shut down their systems before customer data was accessed. Garmin declined to comment but Sky News reported that the company paid "millions of dollars" to hackers last year.

Recently, Colonial Pipeline paid $4.4 million to recover its data, and meat processor JBS paid $11 million in bitcoin.

"Cybercriminal groups that launch ransomware attacks have commercialized cybercrime in which the revenue for the company is based off of ransom payments," said Cole, who holds a doctorate in Information Technology and whose latest book, Cyber Crisis: Protecting Your Business from Real Threats in the Virtual World, was released June 1. "Therefore, being more specific, any entity that needs timely access to information is going to be a target of attacks, which makes the bike industry a target. Also, while the bigger companies make the news, it is often smaller to medium-size companies that are more likely to pay the ransom because otherwise they go out of business."

Cole said cyber criminals either instigate a direct attack — targeting a specific company like Colonial Pipeline — or an indirect attack — obtaining a bunch of emails and sending malicious code out and hoping to get clicks.

Direct attacks "don't happen as often, but when they do happen make the news such as Colonial," he said. "Most likely, this would not happen to a bike company because they are not in one of the typical business sectors that is targeted.

"It is very likely that employees or contractors of bike companies would be indirectly targeted. If someone clicks, the ransomware would infect the system, and the attackers would demand a ransom."

While Cole said awareness is an important first step in minimizing the impact of a ransomware attack, that will not in itself be enough. Training your staff the right way is more critical.

"In selecting training for a company, the most important component is the effectiveness of the training," Cole said. "Cartoons and quizzes do not get the job done. It is all about how the message comes across to the individual. Does the training drive home the key points that an individual will take action?"

Furthermore, he said software that removes or minimizes the attachments and embedded email links that ransomware uses is a necessary complement to training. And Cole cautions that cybersecurity insurance can give businesses a false sense of security.

"It is important to remember that insurance companies go out of business if they have to pay out on a majority of policies," he said. "Since ransomware is so prevalent in the last year, and especially in the last few months, obtaining insurance is very difficult if not so expensive that it is not a viable option."

Cole advises reading any cyber insurance policy closely.

"Look for exemptions in which they won't pay. In my experience, it is better to invest the money in effective security because most policies are either not going to pay or are too expensive."

Watch for more on the ransomware topic in the July issue of Bicycle Retailer & Industry News.