Colorado Springs cybersecurity concerns after Russia invades Ukraine

COLORADO SPRINGS, Colo. (KRDO) -- Russia's invasion of Ukraine could have local cybersecurity impacts, and experts are warning everyone to stay vigilant.

The Cybersecurity and Infrastructure Security Agency (CISA) released an alert for every United States organization -- large and small -- to be prepared to respond to disruptive cyber activity.

The agency says while there are no specific or credible cyber threats to the U.S. homeland at this time, they are mindful of the potential for Russia’s destabilizing actions to impact organizations, particularly in the wake of sanctions imposed by the United States and our Allies.

Dr. Shawn P. Murray, President of Murray Security Services and Lead Cyber Consultant at the Pikes Peak Small Business Development Center, is also alerting local small businesses that more sanctions from world leaders will put pressure on Russia to respond to the measures.

That may include increased attacks on businesses that are vulnerable to cyber attacks, like ransomware, to raise money to continue their activities.

KRDO sat down with Dr. Murray Friday to discuss the growing cyber security threat.

Do you think Colorado is a bigger target because Governor Jared Polis has imposed his own sanctions?

"You know, anybody who goes against the regime, the former Soviet Union, elements of that which still exist, we think you're going to become a target politically," said Dr. Murray. "When the governor makes a claim like that, then you're going to see probably different things, different attacks, different attempts. Everything from national critical infrastructure such as your power grid, your utilities, manufacturing systems, those things that help government run its its day to day business processes."

Should people be worried or concerned?

"For small businesses, look at what has happened," said Dr. Murray. "The rest of the world has said Russia is no longer going to be able to trade in the US dollar or the Euro, and we're going to freeze trillions of dollars worth your assets. So how do you make up for the loss of that revenue? They have Russian state actors, which means Russia, the government itself, and then you've got organized crime sanctioned by Russia. There are different methods that they're going to use. Number one being ransomware, which is a form of malware that can encrypt your systems, encrypt your drives, encrypt your cloud environment, and then if this is a disruption to your business, you're going to want to try and get back into business as quickly as possible. There's a couple of different strategies. Pay the ransom, which is what they're hoping you're going to do. Or if you've got a good business continuity, you've backed up your critical information, you have a method to do your business alternatively, you might be able to survive."

When it comes to small businesses, can anyone become a target?

"Different industries have different challenges when it comes to what we call 'cyber hygiene,'" said Dr. Murray. "So in a manufacturing company, for example, do they have their business network connected to the manufacturing network? If I can go in and I can modify or skew the specifications on your robots during a production run, you've just lost all that revenue. You're probably not going to meet your client's requirements delivering that product, and now your reputation may be shot and they may be going somewhere else. So that could impact your business for loss of revenue and loss of reputation. Whereas, a small photography business is looking at intellectual property associated with their photographs and those portfolios that they create. That's worth a lot of time, and that intellectual property means something if they're selling that to clients or marketing companies. So, protection of your intellectual property, your sensitive information, or data doesn't matter what industry you're in."

What are some questions small businesses should be asking themselves?

"Take a look and do an inventory," said Dr. Murray. "The Pikes Peak Small Business Development Center is publishing a paper for small businesses on those things that they need to consider, and it's a really short list. What are your critical business processes? Consider how 80 percent of your business processes are automated; we're using some type of technology. Figure out what those are and have a backup for that. Backup your information, your data in those critical assets. Whether it's a point of sale system in a restaurant, or it's your manufacturing network, have a backup. A backup firewall, backup server, backup your information and your data, and don't back it up on the same network, because if they get a hold of your network and they institute ransomware, they may get your backup as well, so store the backup off site."

This is really overwhelming for some, especially if they're not tech-savvy. What would you say are the top priorities that people should focus on?

"One of the things that I always try and explain to people, something simple that you can do, is institute multi-factor authentication," said Dr. Murray. "Single factor is just a username and password. It's cheap, it's inexpensive, and it's easy to implement. It's authenticating and identifying at the same time. If you do another factor such as: before you allow me to log into my account, send me a text message to my phone. That's another factor, or multifactor authentication, that you can institute on your bank accounts, retirement account, or other technology you may be using online. Have that other factor to make sure that when you're logging in, or one of your employees are logging in, they are who they say they are, and it's not an adversary."

What should the average person do? Maybe they're also thinking, even if they don't have a small business, 'Should I be worried about my banking information, my 401k, my networks?'

"Have malware detection software, such as McAfee or Norton, and make sure that those signatures are up to date," said Dr. Murray. "That's going to help prevent the malware if it gets introduced to your computer. Don't click on links you're not supposed to, they could be malicious in nature. There are some resources online: VirusTotal.com where if you want to check out a URL, a link in a message to see if it's valid, VirusTotal is a free resource for regular users and will have over 60 scans from the most prominent malware detection services and tell you if it's malicious or not. The other thing is, even on my own computer, when I log into my bank, I do not 'trust' my computer. When I log into that website, it doesn't recognize my computer as me, and asks me to do an additional factor of authentication. Send me a text, send me an email, saying that I am who I am before I get to log in. It may be an extra 20 seconds of inconvenience in your life, but the inconvenience of trying to repair your credit or trying to get your money back if somebody gets into your account, is a lot more damaging, a lot more time."

We know Russia has some sophisticated ways to hack. Is there any sort of scenario where they could freeze our own money, or anything like that?

"No. So within the United States, if you're part of a regular bank, you're covered up to $250,000 through the federal government, the FDIC," said Dr. Murray. "I get to interface with a lot of the bank examiners, and I'm fairly confident for my own personal knowledge that our funds in our bank, they belong to us and they're insured up to that $250,000. If you're in a credit union, DCUA is the organization that regulates credit unions, and it's the same thing. The financial institutions that run your 401ks, your stock options, they all have to meet a certain amount of rigor. But you know, they're going to still require you to make sure that you're not giving away your username and password, that you've got things that are secure. It may take a little bit of communication back and forth, but they are pretty sophisticated. There are methods to get around the multifactor authentication, but rest assured in the United States, your bank accounts are pretty much secure."

This is a complicated topic, but if you could sum up your biggest takeaway for readers, what would that be?

"When people start talking about cyber, cybersecurity, or cybersecurity hygiene, a lot of people don't know what that means... and it's really simple whether you're a citizen or whether you're a small business," said Dr. Murray. "What is your most sensitive or critical information? Your Social Security number, your taxes, the mortgage application that you're filling out on your computer. Those are the types of things that as a regular citizen, you want to be protecting. What is it for your business? Do you collect Human Resources information on your employees? Are you in a business, like a health clinic, where you collect patient data and submit insurance forms? We have cyber and privacy laws in the United States and in Colorado that will hold you significantly accountable financially if you're a small business mishandling that. But in summary: find that sensitive information, whether it's personal information or data on your family and your kids, or whether it's on your small business. Then protect it, and come up with a strategy."

If someone unfortunately does become the victim of ransomeware, what should they do?

"First thing to do is to contact local law enforcement and get them involved," said Dr. Murray. "The FBI, the Internet Crime Complaint Center, they actually have some resources to help you with this as well. They definitely want to know about it, because they're tracking it. Start there first, don't try and figure it out by yourself."

The Pikes Peak Small Business Development Center has free resources and consultation for people within the community regarding cybersecurity. For more information, click here.