When a company or government agency experiences a digital security breach, sharing might not be the first impulse. It could be embarrassing, hurt their reputation or make them a potential target for more attackers.
But Stacy Arruda wants more organizations to share that information with each other. And she wants to help them do it.
Arruda is the executive director of the Florida Information Sharing and Analysis Organization, a state branch of the national organization. The group collects information about cybersecurity incidents its members experience and shares them with the membership to help them get ahead of threats. She worked for the Federal Bureau of Investigation for 22 years before retiring in 2018, primarily in the cybersecurity and counterintelligence fields.
Started in 2018, the Florida Information Sharing and Analysis Organization has just a handful of members so far. Arruda said it recently signed up the Florida Department of Management Services, and counts the city of Tampa and the Hillsborough County Sheriff’s Office among its members.
The Tampa Bay Times interviewed Arruda earlier this year. She said one of the largest threats companies and local governments in Florida face in the digital space is ransomware. This interview has been edited for length and clarity.
What does your organization do?
What the ISAO is looking to do is build cyber resiliency. It allows members the ability to share (information). So say Company A saw this anomalous bad thing happened on their network. Now they’ve shared it with us, we’re going to strip (identifying information from) it, we’re probably going to reverse engineer it a little bit, add a little bit more (of our own research) and push it out to the rest of the membership. And it’s not just for the Florida ISAO. We share among all of the ISAOs to hopefully get the information out to as many people as possible.
What is ransomware?
It’s just a piece of malicious code. Ransomware is transmitted (most often) by email...And what can be attached to that email is a piece of ransomware, a piece of malicious code (that) compromises the network.
How big of a concern is ransomware for companies and local governments in Florida?
It’s a big problem. ... 91 percent of all cybercrime begins with an email.
What are some examples of large ransomware attacks?
The big bad example is Baltimore. ... Baltimore was victimized for 14 months by ransomware prior to the big one that shut them down. (In 2019, hackers infected the city’s computers with ransomware that shut them down for weeks, affecting bill payment systems and pending home sales. The city paid $6 million to remediate its IT issues but did not pay the ransom.) Atlanta also is a big one. (For) the big ones in the state of Florida, governments paid. Riviera Beach paid ($600,000), Lake City paid ($460,000).
You specialized in social media at the Federal Bureau of Investigation. How does that relate to ransomware?
Say I have a company that I want to get into. And I find that there’s six people in human resources that have their information on LinkedIn. I can make my attack relate to something human resource-related. One of those six people is going to open that email; it’s the law of averages. The goal of the bad guy is to find something that the recipient would be interested in opening.
Let’s say a business or agency gets infected by ransomware. Then what?
You’ve got three choices. If you’ve got your act together, you have offline backups. You have a robust incident response plan. You already have relationships with forensics companies and incident response companies so you can call them if you have an issue. That’s in the best possible case scenario. Second, you pay, and you hope they give you the proper keys. (Third), you pay and they unlock you, (but) they come back later and they lock you back up. Or you pay and they don’t respond...or give you the wrong keys.
How should companies protect against ransomware?
There is no silver bullet. If there was a silver bullet, I think it’s riding around in a yacht somewhere. But I think good cyber hygiene lessens the likelihood of governments, companies, businesses being affected. It’s important for employees to understand your training, that maybe they shouldn’t be doing these things. Individuals aren’t trained to know that it’s not such a good idea to put all of your life on the internet. ... Bad guys do a lot of their homework on LinkedIn.
For more information on the Florida Information Sharing and Analysis Organization, visit https://flisao.org/.