Have cybercriminals inadvertently done the world a favour by making ransomware so rampant? Ransomware encrypts data on a computer and victims must pay to get their information back or risk it being deleted. The prospect of losing vital data forever, combined with a financial hit, may have made many organisations realise the serious threat posed by cybercrime.
Ransomware marks a shift in cybercriminals’ tactics, away from deliberately avoiding detection. “For the last 13 or 14 years, stealth has dominated the scene and a victim could be hit without ever realising it. Ransomware has bucked that trend; by definition, it’s not picking your pocket, it’s mugging you,” says David Emm, senior security researcher at Kaspersky Lab, a security software company that recently opened an R&D office in Dublin.
According to Europol, law enforcement agencies are investigating ransomware in two-thirds of EU member states.
In a similar vein, cybercriminals use Distributed Denial of Service attacks to take websites offline and extort money from victims. Research from Arbor Networks found a “continuing escalation” in the size and frequency of attacks in the first six months of 2016.
Gone phishing
Phishing scams are an ongoing problem. Criminals can craft emails that appear to come from a genuine address and use them to impersonate a senior executive at the victim company, requesting an urgent money transfer. The FBI has estimated that ‘CEO fraud’ has netted gangs more than $1 billion.
“Traditionally, phishing was a case of trying to get people to click on links or download an attachment as a way to introduce malware, but now we’ve seen ‘cloaked’ emails that look as if they come from customers or suppliers’ accounts departments and in some cases they even replicate people’s email signatures which makes them look very authentic,” says Darren Daly, partner and head of technology law at solicitors ByrneWallace.
Data breaches are another major risk for businesses, from exposing customer records through a stolen laptop or USB key, to deliberate targeting of customer details or personal information that criminals can sell on black markets.
Aside from losing data, breaches can lead to reputational damage and financial loss. The UK broadband company TalkTalk lost 157,000 customer records in a breach last October. In the following quarter, some 101,000 people cancelled their subscriptions and the company’s pre-tax profits for that financial year were halved from £32 million to £14 million.
According to Privacy Rights Clearinghouse, there have been more than 900 million records exposed in more than 5,000 publicly reported data breaches since 2005.
“We’ve seen a massive escalation in the number of breaches and attacks in the last 18 months, from small and medium businesses all the way up to multinationals. We don’t expect the threats to diminish over the next five years; if anything we think they will increase. It’s a lot easier to rob a business over the internet than to use a gun and walk into a bank,” says Carl Wright, general manager with TrapX, a San Francisco-based cybersecurity company.
Cybercrime is a business, and attackers approach the job accordingly, looking for potential victims that will result in the highest possible reward for their time, says Colm McDonnell, head of the risk advisory practice at Deloitte Ireland. “If your company carries out a lot of R&D, has a large client base or high availability to cash, or is about to announce results, or launch a new product, and if intel on any of that is valuable, then you’re a target. Anything that can be monetised is of value to criminal organisations. They’re looking for the easiest route to accessible cash, either in euro terms or in items that can be monetised.”
Back to basics
Faced with persistent attackers prepared to play the long game, what can businesses do to protect themselves? “Instead of looking at sophisticated attack vectors, we recommend that people focus on the basics: to know all the technology they have in their business, whether it is all up to date, and to know all the vulnerabilities associated with it, because most vulnerabilities that are exploited are two to four years old,” says David Shaw, security architect with Accenture Ireland.
“There are lots of standard frameworks you can look at such as ISO 27001, or SANS critical security controls are easy to understand. They force you to look across the whole organisation and measure risk across all of it rather than focusing on a single technology threat,” Shaw says.
He says training and employee awareness are also relatively inexpensive yet very effective in improving security. These exercises encourage staff to be more aware of cyber threats such as suspicious emails.
Dermot Williams, managing director of Threatscape, says good backup can help to restore data in the event of a ransomware infection. “When we carry out postmortems on ransomware, we also find that blocking executable files in a company’s email system, and blocking unfettered access to encrypted web traffic would have helped to prevent the malware getting on to the system,” he says.
Certain industries are moving towards a security model of threat intelligence. “Rather than just putting tools in place to stop all comers, some companies realise they can’t fight on all fronts so they need to know what threats are and where to put resources to protect against those,” says Colm McDonnell.
In the past, security spending accounted for about 10 per cent of total IT budgets, but Carl Wright believes the proportion will increase in light of current risks. “We’re going to see a lot more solutions that are less complex, that are cloud-based and pushed down to small or medium-sized businesses that don’t have large budgets, or to big organisations that don’t have the resources to deliver that,” he says.
If people only ever did business in the physical world, security would just be a matter of alarms, locks, fences and anti-theft systems to protect valuable offices, stores and warehouses. But more reliance on technology inevitably means the cybersecurity risks increase, warns David Emm of Kaspersky Lab.
“It’s not going to get easier. As we enter a period where more aspects of our lives get connected – everything from hospitals to homes – everything is going to escalate. In the future, as a society, we’re going to have a much wider potential attack surface, from hospital equipment to smart meters or connected cars, and the organisations providing this technology need to look at what they’re doing to make it more secure.”