Ransomware Attacks On Service Providers Becoming Industry Liability
The time to start treating cybersecurity as one of the most serious threats to the promotional products industry has arrived.
- Recent ransomware attacks on service providers that promo companies rely on to make business easier have resulted in huge inconveniences, and even lost business, for many companies.
- In 2022, PPAI detailed numerous incidents of various hacking and fraud-related cybercrimes, with increasing levels of sophistication, that affected suppliers and distributors.
- Hundreds of thousands of dollars have been stolen from promo companies, with example upon example of unsuspecting victims.
- Last year, the White House officially warned companies that cyberattacks were likely to increase and urged the private sector to take steps to protect itself.
Successful ransomware attacks hold a victim’s information or resources hostage. They can take different forms and be the product of an employee error or a security weakness, but they are not uncommon, and most would be surprised by how easily ransomware can infiltrate a system.
“Typically what happens is it pops up some kind of message that says that your computer is infected and you have to call a number or pay an amount, or it wants you to act on something. So, at that point in time, unplug that machine and contact your IT folks,” PPAI Director of Information Technology Paul Elfstrom says. “It’s all about speed and reaction.”
Essent Hack
The most recent major incident affecting a services provider tailored to the promo industry occurred in early November. Essent, a business management system, was the victim of what it referred to as an “encryption attack,” which took down many of its key functions, including communications systems.
Such encryption attacks typically demand a monetary ransom. Essent was essentially unusable for many promo clients.
- In a statement provided by Vice President of Sales Bryan Sheaffer, Essent tells PPAI Media that on the same day the attack happened, “the attackers were neutralized, the systems were secured and forensics started.”
- Nonetheless, ERP functions were down for some companies.
- Website services were down for some.
- Financial specifics, such as purchase orders and client lists, were inaccessible.
- Many were forced to track business manually if they were able to continue business at all.
Essent says that recovery systems were brought online and configured with production installations. Once the recovery systems were verified, customers were provided “controlled access.”
One mid-sized supplier spoke to PPAI about the incident, confirming that the company lost access to Essent from November 4 until the Thanksgiving holiday. The supplier processed orders manually during that period, hoping to enter the information back into Essent eventually. The access gained around Thanksgiving was “very limited” and did not allow for all the tasks that were possible prior to November 4.
As of the week leading into Christmas, there are still employees of the supplier who do not have full access to Essent. “Almost every task or process takes longer than it did” prior to November 4, according to the source.
Communication and transparency were inconsistent, according to the supplier source, as Essent could only offer requests for patience in lieu of updates or information.
- The supplier is still doing handwritten notes on orders due to bugs and issues currently plaguing its Essent experience.
- This supplier is reevaluating its future with Essent.
“[We’re] not faulting them for the attack, as that can happen to anyone,” a senior representative from the supplier said. “But the response after the attack and lack of communication has not done them any favors.”
One distributor who declined to comment for this article acknowledged that the incident caused dramatic operations changes for their team during the busiest part of the year.
Another source from a large supplier said the company managed to work around a “bit of a struggle” and credited its own cybersecurity policy and plan of action with minimizing the impact. They added that Essent was “in general a good partner, but [we are] surprised they did not have better internal controls.”
Essent described to PPAI what went into the company’s restoration process in the aftermath of the cyberattack. It included “a review of our entire platform: the architecture, topology, systems and security controls along with the implementation of 24/7 externally managed detection and response team for all endpoints with an industry-leading heuristic-based detection and response system,” says Sheaffer.
- By way of this process, Sheaffer says the Essent platform “has been deemed by experts to be safe and secure.”
Prior to the cyberattack, the Essent Commerce Cloud had been in production for 16 years without such an event, the company says.
Rackspace Hack
Also late in 2022, Rackspace Technology, a third-party email service provider, went through an outage on its Hosted Exchange services, essentially shutting clients out of their own emails. The San Antonio-based company (which is not a PPAI member) blamed the incident on an “unidentified security incident.”
- Rackspace advised customers to switch to a competitor’s services to communicate through email.
- Companies with small staff struggled to migrate their email accounts to other services.
A Creative Touch, a North Carolina-based distributor and PPAI member, is a Rackspace client. Founder and CEO Renée Jones, MAS+, a PPAI board member, detailed to PPAI Media her experience with the aftermath of the hack.
- Near the first of December, A Creative Touch employees lost access to their Exchange email hosted by Rackspace.
- By Monday, December 5, access had not been restored. Hold times to speak to Rackspace were unreasonable. Taking matters into her own hands, Jones enlisted the tech company Enfuse Technologies to create a new Microsoft 365 account, eventually migrating all of the company’s accounts.
- The transition took a week before A Creative Touch had full access to email. The company struggled to get orders to suppliers, fearful that it would be sent from an account that would not stay active.
- Jones has no way of knowing if the company lost sales due to emails not coming through, and says the company spent thousands of dollars in tech support.
“I would consider this entire issue a disaster,” Jones says.
Rackspace has never reached out to A Creative Touch since the incident occurred.
It Once Happened To PPAI
Back in 2015, PPAI was the victim of a ransomware attack. At that time, ransoms were often cheaper than they are today, and PPAI elected to pay it.
- On a Friday afternoon, a PPAI employee clicked on a phishing link.
- A message appeared that the system had been infiltrated. The employee shut down their computer for the weekend and did not notify IT.
- Within hours, IT began getting notifications that systems were going down. Over that weekend, all shared data on the employee’s computer was renamed and then encrypted. Eventually everything the system had access to was encrypted.
- By the following Monday morning, PPAI was completely shut down. Recovery took the majority of the week.
“I don’t like [that we paid the ransom],” Elfstrom says. “It’s the principle of it. But our backups were taking so long because we had so much information to restore that it was faster and cheaper to pay the ransom.”
Ransomware attacks have only become more common, more sophisticated and more relentless since PPAI was victimized seven years ago. PPAI has improved and changed its security practices countless times.
“It’s a hard, hard lesson to learn,” Elfstrom says. “But you come out of there, and you’re better for it. Because you’re putting things in place that will protect you from things like that.”
Being Proactive
Jo-an Lantz, president and CEO of Geiger, uses the analogy of healthcare and the safety of her family. Geiger represents her work family, and constant investment in cyberattack prevention is less costly than dealing with the aftermath of an attack.
“The people responsible for cyberattacks are relentless and keep innovating,” Lantz says. “Client security requirements are increasingly demanding and sophisticated. Cyber security investments in people, processes, penetration testing, and insurance rates continue to skyrocket. This is part of our daily discussion.
“If we think we have it covered or have the solution, then we are woefully naïve. If we think we are investing either too much or enough, then we are missing the mark.”
One large service provider that has managed to have a stellar record in cybersecurity is SAGE. Eric Natinsky, SAGE’s CEO, confirms that the quantity and sophistication of cyberattacks are on the rise in many industries. It’s a C-suite problem now.
“Cybersecurity was traditionally an IT function,” Natinsky explains. “In recent years, it’s become imperative that the entire organization focus on it. Companies are now consistently talking about cyber threats among the board, in executive meetings and, frankly, in all departments within the organization.”
Mike Pfeiffer, vice president of technology at distributor American Solutions for Business, helped create a Cyber Safe Pledge that urges promo companies to commit to 10 key practices to mitigate risk and to make the promotional products industry a safer environment.
“As we continue to see print and promo industry companies fall to cyberattacks, we urge all companies to improve their cybersecurity posture,” Pfeiffer says. “There is no more important action item than to have and execute a ‘Disaster Recovery and Business Continuity’ written plan and tested at least annually in a live production environment.”
Pfeiffer, who chaired PPAI’s technology committee in 2022, has worked with the Association to provide educational webinars on addressing cyber incidents in progress and cybersecurity for the C-suite.
- Elfstrom advises companies to consider how much access to systems, data and files each employee needs in order to be able to do their job. The less any compromised device has access to, the less reach that threat has.
- When archiving data for reference, consider making it ‘Read Only’ so users can look at it but not alter it.
- You can ask for security reports for any service provider you do business with, but Elfstrom warns that a threat can come from anywhere – externally, internally or even from something as ubiquitous as Microsoft.
- PPAI urges companies to constantly update their cybersecurity prevention and security plans to keep up with evolving threats. “[Our] security road map looks nothing like it did even last year,” Elfstrom says.
The reality is harsh but undeniable: Cyberattacks are more complex and more covert. The threats are increasing and becoming harder to detect. Anyone can be victimized directly or indirectly.
“It’s not a fun place to be,” Elfstrom says. “And a lot of people have been there. Protecting against it is a difficult chore.”