Between data privacy, liability, public image and expense, ransomware attacks pose a huge threat to companies in the financial sector.
And savvy criminals are learning that your access to your own data isn’t the only leverage they have – lost business time and revenue can be held against you as well.
A panel at the Mortgage Bankers Association’s National Servicing Conference on Monday addressed the changing landscape of ransomware, what those in the mortgage industry should do to prevent falling victim and how to respond if it happens to you.
Rick Hill, MBA’s vice president of Industry Technology, moderated the discussion, which included Evan Bredahl, cybersecurity engineer at Richey May & Co, Tom Clerici, chief technology officer and chief information security officer at Freedom Mortgage Corp., and Gretchen Francis, vice president of specialty lines sales at Proctor Financial.
All three panelists stressed that ransomware incidents can spell doom for a company, putting your job and your paycheck at risk.
“This becomes not just a business and IT play, but a business continuity play,” Clerici said.
If you’re unable to access your data to service your loans, that becomes the true cost of a ransomware attack, Bredahl said.
Criminals understand that the lost business income is a huge factor in whether a company pays out; as he put it, their perspective is, “I can convince you to pay me, because you being out of business is worse than you paying me $200,000.”
Francis said that depending on how long the downtime lasts, employees may quit and companies may be left with a human resources problem at the end of their ransomware recovery. She said the average downtime a business experiences due to a ransomware attack is 16 days, though exact numbers are difficult to determine due to the limitations of self-reported data.
Surprisingly, the panelists noted that cybercriminals who use ransomware are just as focused on delivering good customer service as anyone else.
Clerici related an incident in which an organization had no backups of its data and chose to pay the ransom. As soon as the ransom was paid, the criminals went from “evil bad guys” to delivering great customer service, chatting with their victims to ensure the decryption keys worked and their data was accessible again. They even offered their victims a 30-day guarantee in case the ransomware locked their data up again.
“They 100% want you to believe that when you pay the money, you’re getting your files back,” Clerici said.
After all, if ransomware criminals cheated their victims out of the decryption codes, who would ever pay their ransom again?
Of course, the goal is to avoid ransomware incidents altogether with preparation and training.
Bredahl said he was aware of 20 incidents of ransomware in the mortgage space in the last year, and half of those he dealt with personally came in via email. He said that training staff on how to identify a malicious email goes a long way in protecting an organization. In addition, a company’s user base should be tested regularly to see who could benefit from further education on phishing and other email-based attacks.
The panel also touched on wire fraud. Francis had four words for that: “pick up the phone.”
In other words, call the person who’s just requested that you wire them money – and don’t just rely on the phone number included at the bottom of their email, as criminals have evolved enough to have call centers to support their fraudulent emails and wire transfer requests.
Bredahl added that, “You should make it a requirement that all wire transfers have to be verified by either the controller or the CFO, because that’s such an easy way to steal from a company.”
Both Clerici and Bredahl emphasized the importance of working with the IT department on an incident response plan and practicing that incident response plan with tabletop exercises, including practicing restoring systems. Bredahl noted that feedback on how long teams can survive without their data is important, as it helps prioritize which parts of a system to restore first.
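One way to turn the "how long can you survive without this system" feedback from a tabletop exercise into a restore order, as an added example that is not from the panel or the article: each system carries a maximum tolerable downtime, an estimated restore time and the systems it depends on; the planner restores dependencies first, picks the tightest deadline among whatever is ready, and then flags which systems would still miss their tolerance if restores run one after another. The system names, hours and dependencies below are constructed for illustration.

```python
"""Restore-order planner for a ransomware tabletop exercise (added example).

Given each system's maximum tolerable downtime, an estimated restore time and
its dependencies, produce a dependency-respecting restore order that handles
the most time-critical systems first, then report which systems would exceed
their tolerance under a strictly sequential restore.  Sample data is
constructed, not taken from any real environment.
"""
from dataclasses import dataclass, field
import heapq


@dataclass
class System:
    name: str
    max_downtime_h: float            # hours the business can run without it
    restore_h: float                 # estimated hours to rebuild / restore
    depends_on: list = field(default_factory=list)


def plan_restore(systems):
    """Return (order, finish_times).

    Topological order with ties broken earliest-deadline-first: among systems
    whose dependencies are already restored, the one with the smallest
    tolerable downtime goes next.  Raises ValueError on an unknown
    dependency or a dependency cycle.
    """
    by_name = {s.name: s for s in systems}
    for s in systems:
        for d in s.depends_on:
            if d not in by_name:
                raise ValueError(f"{s.name} depends on unknown system {d}")

    remaining = {s.name: set(s.depends_on) for s in systems}
    ready = [(s.max_downtime_h, s.name) for s in systems if not s.depends_on]
    heapq.heapify(ready)

    order, finish, clock = [], {}, 0.0
    while ready:
        _, name = heapq.heappop(ready)
        clock += by_name[name].restore_h     # sequential restore: clock only moves forward
        order.append(name)
        finish[name] = clock
        # Release any system whose last outstanding dependency was just restored.
        for other, deps in remaining.items():
            if name in deps:
                deps.discard(name)
                if not deps and other not in finish:
                    heapq.heappush(ready, (by_name[other].max_downtime_h, other))

    if len(order) != len(systems):
        stuck = sorted(set(by_name) - set(finish))
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order, finish


def breaches(systems, finish):
    """Names of systems whose restore completes after their tolerable downtime."""
    return sorted(s.name for s in systems if finish[s.name] > s.max_downtime_h)


# Constructed sample inventory for a small servicing shop (hypothetical values).
SAMPLE = [
    System("active_directory", max_downtime_h=4, restore_h=3),
    System("file_server", max_downtime_h=24, restore_h=6, depends_on=["active_directory"]),
    System("loan_servicing_db", max_downtime_h=8, restore_h=4, depends_on=["active_directory"]),
    System("servicing_app", max_downtime_h=8, restore_h=2,
           depends_on=["loan_servicing_db", "active_directory"]),
    System("email", max_downtime_h=12, restore_h=3, depends_on=["active_directory"]),
    System("reporting", max_downtime_h=72, restore_h=5, depends_on=["loan_servicing_db"]),
]


if __name__ == "__main__":
    order, finish = plan_restore(SAMPLE)
    for name in order:
        print(f"{name:<20} done at hour {finish[name]:>5.1f}")
    late = breaches(SAMPLE, finish)
    print("would miss tolerance:", late or "none")
```

Running the sample shows the point of collecting that feedback before an incident: even with the best sequential order, the servicing application finishes at hour 9 against an 8-hour tolerance, so the exercise surfaces a need either to restore it in parallel with email and the file server or to shorten the database rebuild.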
And if a ransomware attack should happen to you?
In addition to executing your incident response plan, Clerici recommended calling your IT department first, as well as getting leadership and legal counsel involved very quickly. Marketing and public relations should also be brought in, he said, because it’s important to figure out how to handle the messaging and whether – and how – to notify affected customers before they hear about it elsewhere.
“When it comes to ransomware, it can be a very difficult process for a company or a very painless process,” Bredahl said. “It just depends on your company as a whole and how well you’re able to address it.”
Ransomware and other methods of cybercrime are going to continue to change as technology evolves and affects the way business is done, Clerici said, and criminals are going to take note of those changes.
“Staying up to date on the threats and having a plan in place is crucial,” he said.