Locking your front door on your way out is a mindless act, performed daily to protect your home and prevent break-ins. Yet there are other crimes we are less aware of and more careless about.
That’s the case with cybercrime, a prevalent threat in a world that relies heavily on technology but continues to underestimate the dangers it brings.
Individuals and businesses alike are potential targets of cybercriminals. Earlier this summer, Narragansett Bay Commission was in the news after sustaining a cyberattack that ended with the organization paying $250,000 in ransom.
This wasn’t an isolated case. Last year, the R.I. Public Transit Authority suffered a similar attack and paid $170,000 in ransom. Two years before, it was the Coventry Public School Department.
More agencies and businesses are becoming victims of cybercrime every year, with at least one or two cyberattacks in Rhode Island every month, said R. Michael Tetreault, cybersecurity adviser for Rhode Island Region 1 New England in the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
“With what we’re seeing within Rhode Island, NBC [Narragansett Bay Commission] is not the first and won’t be last to be victim of ransomware,” he emailed.
And while cybersecurity has been an issue for some time now, the danger is escalating.
This is partly because the cybersecurity landscape has changed in recent years, turning more sophisticated and complex, experts say. Cybercrime often comes with “low risk and high rewards,” Tetreault says, which makes it more appealing to potential threat actors.
“There was an evolution in ransomware,” Tetreault said. “It has become an entire industry and it often mirrors the business world.”
Threat actors used to be exclusively hackers and programming experts, but now the market has expanded. Cybercrime has become a business, with cyber syndicates that are extremely well funded and engage in recruiting and crowdsourcing.
“You can now rent ransomware, you can rent the tools that are needed from legitimate hackers, and they’ll train you,” said Todd Knapp, founder and CEO of Pawtucket-based Envision Technology Advisors LLC. “In the past, it was one hacker, one attack. Today, it could be one hacker, thousands of attacks.”
Jason Albuquerque, chief operating officer at Envision Technology, agrees.
“The threat actors are monetizing their services,” Albuquerque said. “They’re innovating their criminal techniques.”
Remote work has thrown another complication into the mix. With many companies shifting to hybrid work and employees storing information in the cloud, the potential of an attack is higher.
While it is easy to think that only certain companies could be the victim of a cyberattack, experts say no one is safe from this growing threat. Even small businesses can be targeted.
“Companies that previously thought that they were not in the line of fire because maybe they’re small or they’re a mid-market company really are the primary targets today,” Knapp said.
A nonprofit that provides wastewater collection and treatment services to several cities in Rhode Island, the Narragansett Bay Commission might not seem like the most obvious target for cybercriminals, but Bill Patenaude from the Office of Water Resources at the R.I. Department of Environmental Management says wastewater facilities can be particularly vulnerable to these attacks.
“They’re very complex facilities with a lot of technology involved,” Patenaude said. “The work that they do can be threatened.”
Jamie Sammons, a commission spokesperson, said the investigation into the July incident is ongoing. In the meantime, she says the company “is implementing additional measures to enhance the security of its network” and “will continue to train its employees concerning data security.”
Sammons said sewage services were not impacted by the incident, but the attack raises concerns over the preparedness of local agencies. Rhode Island produces 120 million gallons of wastewater every day, Patenaude said. If hackers were to successfully take over the control systems, the risk of a biohazard threat would be extremely high.
“It could go from a not-significant event to a huge event in the blink of an eye,” Tetreault said. “You could have deadly consequences.”
Consequences can be costly for businesses. On top of the financial strain of paying the ransom, companies often deal with loss of credibility, potential lawsuits and fines, and involvement of auditors and regulators, Tetreault says.
Experts agree that prevention is the best way to counter cybercrime. Companies must integrate cybersecurity in their culture, focusing on establishing solid policies such as adding multifactor authentication and creating an incident response plan. A key part of the solution is educating employees.
“You need to develop a culture of shared responsibility for cybersecurity throughout your organization,” Knapp said. “Your employees need to understand how to protect themselves … because if the individual employee is more protected, then the business is inherently more protected.”