Tag Archives: ransomware

FCC Alert on Cybersecurity Risks

The FCC recently took the unusual step of warning telecom companies about an increased risk of ransomware attacks. The FCC is warning telecom companies to regularly patch their systems, enable multifactor authentication, and segment their networks to avoid falling victim to ransomware attacks. The alert cited data that shows a fourfold increase in attacks on telecom companies from 2022 to 2025.

In the alert, the FCC said it has become aware over the past year of increased ransomware incidents involving small-to-medium-sized communications companies. These attacks have disrupted service, exposed company and customer information, and have locked ISPs and carriers out of critical files.

The FCC alert talks about how ransomware works and offers advice on how to protect against the problem. The FCC also offers advice on how to respond to a ransomware scammer, including advice for contacting the FCC and the FBI.

The most interesting recommendation was to monitor the cybersecurity practices of your critical vendors, which I take to mean vendors who supply network electronics or software systems. The FCC warns that a significant number of telecom intrusions have come from weaknesses in systems supplied by vendors. I’m not really sure how a small ISP is supposed to monitor this, because every major vendor you work with is going to swear that they have safe practices.

The FCC alert includes all of the standard cybersecurity practices related to regularly backing up data and training employees to avoid phishing and other bad practices. They also say that every ISP ought to have an incident response plan of how to deal with cybersecurity problems and to test it regularly.

An appendix to the FCC alert lists some best practices that are being recommended by the FCC’s Communications Security, Reliability, and Interoperability Council. This is a group formed that includes the FCC,  large ISPs, and carriers. This list recommends taking additional steps like requiring validation of software patches before using them.

This Council also strongly recommends using the least-privilege principle (PoLP) for network access. This is a process that limits access to critical software systems only to those who need access. It also involves granting minimum access rights so that users can only access the parts of a system they need while blocking access elsewhere. It can mean granting people temporary access only for the duration of a needed task. Finally, this means granting access by job function, and not by user identity.

I’s obviously impossible to fully protect a company from external attacks, as was witnessed when the Salt Typhoon hackers gained access to a number of giant corporations and government agencies that supposedly have world-class cybersecurity. But it’s worth reviewing your practices and systems, because of the downside of being unlucky enough to be a victim of one of these attacks.

Productizing Safety

padlockThe Internet is becoming a scarier place by the day to the average user. It seems like a week doesn’t go by when there isn’t news of some new and huge data breach or other nefarious use of the web. But as much as those big events might create a general industry sense of unease, these announcements also make people worried about their own individual Internet security.

The big ISPs like AT&T crow about recording and monetizing everything that their customers do on the web. And with a likely weakening or elimination of Title II regulation by the FCC this is likely to intensify. Every web site parks cookies on the computers of their visitors, and the bigger sites like Facebook and Google gather every fact fed to them and peddle it to the advertising machine. There are hackers that lock down PCs and hold them hostage until the owner pays a ransom. There are smart TVs that listen to us and IoT devices that track our movements inside our homes. There was news this week that smartphones with a certain Chinese chip have been sending every keystroke back to somebody in China.

All of this has to be making the average Internet user uneasy. And that makes me wonder if there is not a product of some sort that smaller ISPs can offer to customers that can make them feel safer on the web.

Savvy Internet users already take steps to protect themselves. They use ad blockers to reduce cookies. They use browsers like DuckDuckGo that don’t track them. They use encryption and visit sites using HTTPS. They scrub their machine regularly of cookies and extra and unidentified files. In the extreme some use a VPN to keep their ISP from spying on them.

Small ISPs are generally the good guys in the industry and don’t engage in the practices used by AT&T, Comcast and Verizon. I know some small ISPs that try to communicate to their customers about safety. But I think safety is now one of the biggest worries for people and I think small ISPs can do more.

Customers can really use the help. It’s easy to assume that customers ought to understand basic safety procedures, but the vast majority of them load some sort of virus protection on their PC the day they buy it and never think of safety again. They repeatedly do all of the bad things that lead to trouble. They open attachments on emails. They don’t update their software to have the latest security patches. They use social media and other sites without setting basic privacy filters.

I think there is an opportunity for small ISPs to be proactive in helping to make their customers feel safer, and in the process can create more loyal customers. I think there are two possible ways to undertake this. One is an intensive education campaign to inform customers about better web practices. I’m not talking about the occasional safety reminder, but instead a steady and concentrated effort to tell your customers ways to be safer on the web. Brand yourself as being a provider that is looking out for their safety. But don’t pay it lip service – do it in a proactive and concentrated way.

I also think there is a space for a ‘safety’ product line. For example, I have clients who run a local version of the Geek Squad and who repair and maintain people’s computers. It would not be hard to expand on that idea and to put together a ‘safety’ package to sell to customers.

Customers could have a service tech come to their home for a day each year and you could ‘fix’ all of their safety weaknesses. That might mean installing ad blockers and a spyware scrubber. It would mean updating their browsers and other software to the latest version. It could mean helping them to safely remove software they don’t use including the junkware that comes with new computers. It might include making sure they are using HTTPS everywhere. It also might mean selling a VPN for those who want the highest level of security.

I have clients who have been selling this kind of service to businesses for years, but I can’t think of anybody who does this in any meaningful way for residential customers. But since the web is getting less safe by the day there has to be an opportunity for small ISPs to distinguish themselves from larger competitors and to also provide a needed service – for pay of course.