Repelling A Ransomware Attack: Sai Huda of CyberCatch On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack
An Interview With Tyler Gallagher
Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?
In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Sai Huda.
Sai Huda is founder, chairman and CEO of CyberCatch. He is a globally recognized risk and cybersecurity expert, frequent keynote speaker and author of the best-selling book, Next Level Cybersecurity. CyberCatch is a cybersecurity software as a service (SaaS) company that helps businesses implement necessary controls and then automatically and continuously tests all the controls so there are no security holes for an attacker to exploit and steal data or infect ransomware. He is the former GM of Risk, Information Security and Compliance at FIS, a Fortune 500 company. Under his leadership, FIS attained the number one ranking in RiskTech 100. He is also the former founder and CEO of Compliance Coach, a compliance risk management software as a service (SaaS) company, which was acquired by FIS. Sai has led training programs for federal and state examiners covering Privacy, Information Security, GLBA, FTC Safeguards Rule, and Consumer Protection. He also led the inaugural training program for the Consumer Financial Protection Bureau (CFPB) examiners. Sai is a founding board member of the Cyber Center of Excellence (CCOE) and is an advisory board member at the CIO Strategy Council, where he helped author Canada’s Baseline Cybersecurity Controls Standard for Small and Medium-Sized Organizations.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
First of all, thank you for having me; I am honored to be with you. I grew up in a very supportive and loving family environment. Also, my parents always emphasized the need for education and then using the education to make a difference. All of my family members have inspired me, especially the women in my life growing up. My mother inspired me immensely, and so did my aunts. My aunts are simply amazing; for example, one was the first woman to earn a PhD in a very specialized area of nuclear physics and was awarded a gold medal for her ground-breaking research. So fortunately I had great role models and from early on was motivated to work hard and make a difference.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
A few years ago, I received a letter in the mail from the U.S. Government that all of my security clearance data, including a copy of my fingerprints, had been stolen in a data breach. I was shocked: how could this happen? One of my clients was a large U.S. Government Agency and as the executive overseeing the relationship, I had to obtain a security clearance, and all of my information was stored at the U.S. Office of Personnel Management, which got hacked. I realized if this U.S. Government Agency could be hacked, no one was safe. This event got me even more focused on cybersecurity and I researched dozens of the world’s largest hacks to learn how these hacks are successfully executed and ended up writing the best-seller, Next Level Cybersecurity: Detect the Signals, Stop the Hack. Now, I’ve founded CyberCatch, dedicated to protecting businesses, especially small and medium-sized businesses (SMBs), who are the most vulnerable. CyberCatch is a platform for SMBs that finds and fixes security holes, so attackers are not able to exploit them and steal data or infect ransomware. The root cause is security holes. So, we are going to eliminate the root cause, transform cybersecurity and make a difference forever.
Can you share the most interesting story that happened to you since you began this fascinating career?
As a result of writing the book, Next Level Cybersecurity, I had the opportunity to meet a lot of very interesting and accomplished people. One day I had the honor to meet Tom Ridge, first Secretary of the U.S. Department of Homeland Security (DHS). He created the DHS after 9/11 and kept us safe and created a model for security for all other nations to follow. He had read my book and inspired me to start a company that would go beyond the book to educate businesses about cyber risk, and instead focus on the root cause of hacks and create a company and a solution to address the root cause directly. I founded CyberCatch to create a transformational cybersecurity solution and assembled a world-class team of experts. Tom Ridge is on the CyberCatch team as an advisory board member, and we are honored to have his wisdom and guidance.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
The three character traits of a successful leader are to first always think of how you can serve others, second to always appreciate every day and third to never give up. First, one must always think of how best to serve others, because that is the primary role of a leader. One must ask each and every day, what can I do to serve the team, so they succeed? Because the team’s success will be the leader’s success. Second, one must understand that the journey is equally as important as the destination, so one must lead by example and coach the team to appreciate every single day, to enjoy the ride working together and celebrate accomplishments. This creates an immutable experience for the team and will result in joy and professional fulfillment, and lead to over-and-beyond-the-call-of-duty performance and results. Third, one must realize that there will be challenges on the road ahead. This is life. One must always be prepared to do what it takes to overcome a challenge, learn from it and bounce back stronger from the experience and teach the team how to be resilient. One must never give up and instead keep learning from each experience, keep improving and keep going no matter the roadblocks, and demonstrate to the team the will and inner strength, and they will follow your lead, become resilient, overcome any challenge, and attain amazing accomplishments.
Are you working on any exciting new projects now? How do you think that will help people?
At CyberCatch our mission is to protect small and medium-sized businesses (SMBs) so they can stay safe from cyber threats and continue to grow and be successful. SMBs are the growth engine of our economy and a critical part of our supply chain, and yet they are the most vulnerable to cyber threats since they have limited resources and do not have the cybersecurity know-how. This is why I founded CyberCatch. We are mission driven. One of the exciting initiatives was for us to create the Small and Medium-Sized Businesses Vulnerabilities Report (SMBVR), which we released in January 2022. The SMBVR is the first ever research report of cybersecurity vulnerabilities at SMBs in North America. We scanned 21,850 SMBs in the U.S. and Canada to identify vulnerabilities that an attacker could exploit, so we could alert SMBs. The report is ground-breaking and reveals three key vulnerabilities (spoofing, clickjacking and sniffing) that we discovered SMBs are susceptible to, so the report provides a great service to SMBs by serving as an early warning and prompting corrective action in order to stay safe. The SMBVR will be a quarterly report and will continue to deliver value to SMBs.
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?
Ransomware is a significant threat to the world, especially certain segments such as SMBs. I have been leading the fight against ransomware for many years as a business leader of risk and cybersecurity SaaS solutions that prevent, detect or respond to ransomware, and have also extensively researched the most significant ransomware cases for my book, Next Level Cybersecurity: Detect the Signals, Stop the Hack. My book became a best-seller and is ground-breaking as it reveals signals of ransomware that, if detected early in the attack chain, can prevent a loss. The book is being used at several educational institutions globally to teach students and has been adopted at several Fortune 500 companies as part of cybersecurity training programs. I have also been speaking at various conferences to educate on ransomware threats and risk mitigation, especially the cybersecurity controls necessary to thwart the threat effectively. Additionally, I’ve led training programs for federal and state examiners covering Privacy, Information Security, GLBA, FTC Safeguards Rule, and Consumer Protection, and have led the inaugural training program for the Consumer Financial Protection Bureau (CFPB) examiners. Most recently, I’ve had the honor to serve on the CIO Strategy Council as an advisory board member and help author Canada’s Baseline Cybersecurity Controls Standard for Small and Medium-Sized Organizations to mitigate risks posed by cyber threats such as ransomware.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?
In simple terms, ransomware is malicious malware that encrypts computers, files and systems so they are inaccessible and inoperable, unless a key is provided by the attacker to decrypt them. There are many variants. The attackers used to demand a ransom payment in the form of bitcoins for the decryption key, but now a ransomware attack frequently also involves exfiltration of a copy of the data as well as encryption of computers, files and systems, to blackmail the victim into paying the ransom with the threat that the data will be disclosed publicly or sold on the dark web. Also, some of the ransomware now will search for backups of data and encrypt them so even the backups will be inaccessible and inoperable. Some of the ransomware will irreversibly encrypt and is highly destructive and used by hostile foreign adversaries.
Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?
Both need to be concerned, but businesses need to be most concerned, especially SMBs. A ransomware attack is an existential threat to SMBs because they may never be able to recover. We at CyberCatch are deliberately focusing on SMBs because they are the growth engine of our economy; they need us the most. There are over 30 million SMBs in the U.S. and Canada — the large organizations rely on these little guys. For example, in the U.S. there are 300,000 SMBs that provide goods and services to defense/military organizations.
Here’s an example of impact to an SMB. Recently a medical practice shut down permanently because the ransomware encrypted all medical records of patients including backups, and the business could no longer serve patients, who also switched to another medical provider. The doctors refused to pay the ransom demanded but realized even the backups were encrypted and patients had fled, so they shut down the business permanently. Unfortunately, there are many such examples.
Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?
First, each company should have an Incident Response Plan in place with a designated team to handle a ransomware attack. A table-top exercise should also be performed regularly to test the Plan for incidents such as a ransomware attack. So, if there is a Plan and a designated team to respond, then the team will handle and respond to mitigate the risk. Additionally, a cybersecurity expert should be contacted for additional expert assistance, and also the local federal police office, such as an FBI office in the U.S. or an RCMP office in Canada.
If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?
The earlier one can detect that a ransomware attack is happening the quicker one can respond and activate an Incident Response Plan to fight the attack and mitigate impact. This is why one must have an Incident Response Plan in place, and one must test it regularly via a table-top exercise so that one can respond effectively when an attack actually happens. When the attack happens, one can quickly assemble the response team and follow the Plan and take risk mitigation steps ranging from possibly unplugging certain computers to prevent any further spreading of the ransomware to activating offline backups to resume operations quickly to ensure minimal impact to customers.
Should a victim pay the ransom? Please explain what you mean with an example or story.
A victim should not pay the ransom, because it rewards the attacker, but also there is no assurance the attacker will provide the decryption key or will not go ahead and sell the stolen data anyway on the dark web or attack again in a few weeks or months. Unfortunately, many end up paying the ransom so they can resume operations and avoid material impact to the business or customers. However, there are many instances where the attacker did not provide the decryption key even after the victim paid the ransom, and others where the attacker again inserted ransomware through a planted backdoor even after the victim paid the ransom the first time. For example, an SMB owner paid the ransom but did not receive the decryption key, could not resume operations, and ended up shutting the business down permanently and laying off several hundred employees.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
What we found in our research study with the SMBVR is what the attackers are seeing. There is bad code on either the web server or on a website that hackers can use to break in. For example, we found that in the U.S., 33% and in Canada 84% of SMBs had spoofing as a vulnerability. Spoofing occurs when the hacker injects code or a script and fools the website and server into accepting it because they believe it’s legitimate. Businesses end up providing access to usernames, passwords, and even the database. It’s very alarming, but that’s what we want to alert businesses to — these attackers are seeing these vulnerabilities right from the outside. From thousands of miles away, they can get in, infect ransomware, steal data, and shut the business down. We need to have these businesses take a better look at their controls from the outside to inside.
The three common mistakes we are seeing companies make are:
- There is no Incident Response Plan in place, or the Plan is not tested for ransomware, so when a ransomware attack does happen, no one knows what to do to respond effectively or in a timely manner.
- There is no segmentation or air gapping in place, so the ransomware easily spreads rapidly and pervasively, shutting down operations.
- The backups are not offline, so the ransomware finds the backups and encrypts them, and the business is unable to resume operations.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
On the government level, there should be a law in each nation that bans ransomware and provides for criminal penalties for perpetrators of ransomware, including lengthy jail sentences and significant monetary penalties. There should also be an extradition provision so a perpetrator can be extradited to the nation with the ransomware victims for prosecution without bail. There must be a significant consequence for perpetrating ransomware in order to deter this destructive threat.
For tech leaders who are suppliers, they need to make sure their cybersecurity controls are adequate because they may be targets of ransomware where the attacker installs ransomware undetected and, when the tech supplier provides an update to its customers, the ransomware activates, installs and spreads rapidly, unbeknownst to the customer. There are several cases of attackers using a tech supplier as a “mule” to carry ransomware undetected into the networks of hundreds and thousands of organizations. The NotPetya ransomware a few years ago is an example of this, infecting thousands of organizations worldwide from an accounting software provider. NotPetya caused over $10 billion in losses. Most recently, Kaseya is an example of ransomware being installed undetected and infecting hundreds of this tech provider’s customers. It comes down to tech leaders making sure they continually test cybersecurity controls from the outside in and inside out to plug security holes so an attacker cannot exploit them to break in and install ransomware.
Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why? (Please share a story or example for each.)
Here are five proven risk mitigation action steps every organization must take:
- Implement an Incident Response Plan and test it via a table-top exercise for a ransomware scenario so you can be prepared to respond effectively when a ransomware attack happens.
- Implement multi-factor authentication, optimally on all users, but minimally on privileged users, since attackers will try to steal credentials to make lateral movement once inside to install ransomware at optimal locations to accelerate widespread infection.
- Implement segmentation and air gapping, so the ransomware cannot spread rapidly and pervasively and shut down operations.
- Maintain backups offline, so the ransomware cannot find the backups and encrypt them, and the business is able to quickly use the backups to resume operations.
- Continuously test cybersecurity controls from the outside and inside to find and fix security holes so attackers cannot exploit them to infect ransomware.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
Our belief is that CyberCatch will make a difference in the world. CyberCatch is a mission-based company; our focus is to protect SMBs from cyber threats. SMBs are the growth engine of our economy and a critical part of our supply chain, and yet they are the most vulnerable. Our mission is to transform cybersecurity for SMBs forever so they can be safe, continue to grow, create jobs and be successful. CyberCatch will make a difference forever and make the world safer from cyber threats. This will be our legacy.
How can our readers further follow your work online?
Thank you so much. Your readers can visit cybercatch.com, visit my author website at saihuda.com or follow me on LinkedIn.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!