
Cyber threats are evolving at an alarming pace, and businesses of all sizes are grappling with the challenge of protecting their assets. Among these challenges, ransomware and email-based attacks remain at the forefront, exploiting human error and technological vulnerabilities.

To shed light on this pressing issue, we sat down with Brian M. McCarthy, president of Open Tier Systems. In this insightful conversation, Brian shares with Carlos Gonzalez Shanel his perspectives on the biggest challenges in cybersecurity, his personal experiences managing ransomware incidents, and practical advice for businesses seeking to bolster their defenses.

Brian, thanks for joining us. Let’s start with some general insights. What do you see as the biggest threats in cybersecurity right now?

Thanks for having me, Carlos. Right now, the two biggest threats are email and people. If I had to put a number to it, I’d say about 90% of attacks come through email, often involving some kind of social engineering. It’s crucial to train employees to be vigilant and to use robust tools to protect what I’d call the “nut” of the business, your critical digital assets like email, databases, files, drawings, photos, videos, configurations, passwords, etc. Keeping a strong protective shell around your critical digital assets is challenging, but it’s necessary.

That’s a great analogy. Speaking of challenges, what’s your take on ransomware? I’ve heard some staggering statistics about its impact on businesses.

Absolutely. Ransomware is a massive problem. I’ve heard statistics suggesting that 50% of businesses hit by ransomware go out of business within five years. While I can’t confirm the exact numbers, it’s a testament to how devastating these attacks can be. And, unfortunately, many companies still underestimate the importance of robust backups and proactive security measures.

Can you share any personal experiences dealing with ransomware incidents?

Sure. One memorable case was back in 2017 when ransomware was still new and not well understood yet. A client of ours downloaded something from the internet, it infected the workstation, then spread laterally across the network, encrypting everything on the server. Luckily, we had good backups and could have it restored if needed, but it would’ve taken a lot of time to download everything from the cloud. The decryption key was $700, so we decided to pay to save time.

We verified the decryption key with a proof of concept before paying. To get the Bitcoin, I had to send one of my guys to a Bitcoin machine in a holistic store in Brooklyn because there was no easy way to get Bitcoin at that time. It was an unusual experience, but we got the decryption key, unlocked the files, and restored everything quickly. Looking back, it probably wasn’t the best decision, but at the time, it made sense. $700 cost significantly less than waiting for the restore to download while the whole team was idle.

It’s interesting how these situations force quick decisions. How do you approach these cases today?

Nowadays, paying the ransom is strongly discouraged and usually not an option since the ransom amounts are so much higher, AND we have a good idea where the money is going when the ransoms do get paid. Companies ARE encouraged to refuse payment and rely on backups. Back then, it was a novel situation, and we were learning as we went. Today, we focus on preparedness, like regular backups, endpoint protection, and comprehensive recovery plans.

You mentioned backups. Can you elaborate on their role in ransomware recovery?

Backups are critical. In that 2017 case, we had cloud backups, so we could’ve restored everything if needed. We tested it, the data was good, but restoring from backups can be time-consuming when you have a lot of data and slower internet as was the case in 2017. That’s why companies often weigh the time cost against the ransom. However, relying on backups requires ensuring their integrity and availability. It’s not just about having backups but also being able to access them quickly in a crisis.

Have you encountered any other notable ransomware cases?

Yes, another case involved a company we were about to onboard as a client. Just two days before our start date, they called us about strange activity they observed on their system when they couldn’t get ahold of the outgoing IT provider. We looked into it, and confirmed they were the victim of a ransomware attack. The attackers had encrypted some data at one site, but the process didn’t work correctly, leaving only some partially encrypted files. They got really lucky because they actually had NO backups. How the other IT company left them in that situation I can’t understand.

Luckily, they had cyber insurance, which covered forensics and remediation. Forensics uncovered sources and systems that needed cleanup, and the insurance company outsourced the remediation work to us. We spent about 200 hours re-imaging most of the systems, resetting everything, and ensuring the network was secure. It was an intense month, but we resolved the issue and got them back on track.

That’s a lot of work in a short time. You mentioned insurance. Could you go into more detail on that?

Sure. So, the loss in that case was about $200,000, but it’s important to break down the costs. A significant chunk of that $200,000 was for legal fees and the forensics team the carrier brought in. Our portion was about $50k for remediation. But the rest went to the lawyers and forensics, although probably some of that went to admin. With insurance, they had a $10,000 deductible. If insurance hadn’t been involved, they would have been out $75-$100k, as we still had to do the forensics and remediation, just a lot fewer lawyers.

That’s a huge difference. So, what would be your advice to other companies hearing this and thinking, “We could be vulnerable to the same attack”?

Insurance is a critical safety net, but it’s not a complete shield. It’s crucial to have strong defenses in place from the get-go. This means solid backups, employee training, protections on all critical systems, and a well-prepared recovery plan. The people aspect is the most important part. Ensuring employees understand the risks and how to spot potential threats is key. But let’s not forget, it’s not just about technology—human vigilance is often the first line of defense.

What would you say to smaller companies that may not have the resources for all these defenses?

Look, I get it—many small companies are stretched thin, but not investing in security is a risky move. However, the unpredictable cost of dealing with a cyberattack can far outweigh the predictable expense of implementing strong defensive measures.

So, what can a small business owner, like a beauty salon or an auto dealership, do to protect their company without breaking the bank?

Start with the basics—train your staff, secure credentials and identity, implement good email defenses, and use strong endpoint protection. Don’t rely on just having an IT department to handle security. Employees need to be trained regularly to recognize phishing attempts and suspicious activity. You’d be surprised at how many attacks start because someone clicked the wrong link. That’s why social engineering is so effective.

It’s kind of frustrating when you think about it. So many attacks come from simple human errors.

Yeah, it’s a huge challenge. I had a recent case where someone emailed an employee, and even after they asked the sender whether the email was legitimate, they were tricked into responding. They thought they were talking to a trusted person, but the mailbox had already been compromised. This is where training becomes crucial—being able to recognize these tactics is half the battle. And when in doubt, always pick up the phone and verify directly. A quick call could save you from a lot of trouble. We believe in trust but (voice) verify.

It sounds like it’s all about being proactive and prepared.

Exactly. You can’t eliminate all risks, but you can minimize them with the right approach—defensive strategies, good tools, and continuous training. Ultimately, it’s about building a culture where security is everyone’s responsibility.

Changing gears, what are some other common questions you’re asked about IT and security?

People ask me about everything—passwords, VPNs, blockchain, and now AI. Blockchain, for instance, isn’t just about cryptocurrency. It’s also versatile technology for storing digital assets securely. AI is another hot topic, with many people curious about its implications for security and business.

It sounds like you’re a go-to resource for tech questions. Have you thought about hosting an AMA (Ask Me Anything) session?

I’ve considered it. Everywhere I go, people hit me with tech questions. It would be fun to share these in an AMA format! It’s a great way to engage people and address common concerns about technology and security.

That sounds like a fantastic idea. Any final thoughts for businesses looking to improve their cybersecurity?

Focus on education and preparation. Train your employees, invest in good tools, and always have a recovery plan. Cybersecurity isn’t just about preventing attacks but also being able to respond effectively when they happen. The stakes are high, but with the right strategies, businesses can protect themselves and their assets.

That makes a lot of sense. Thanks for sharing your insights, Brian.

Thank you, Carlos! I’m looking forward to speaking with you again!