Ransomware and Data Theft are Rampant
Astonishingly, despite the danger, only a small percentage of organizations make serious investments toward protecting their network to safeguard their data, intellectual property, employees, partners and customers. Why? What does it take to inspire action on appropriate security efforts? Compliance requirements can get organizations motivated to avoid penalties and monetary fines. However, when compliance is not a requirement, most organizations don’t seem to take the cyber threat seriously, until they are hit by phishing, ransomware, or have their sensitive data and systems hacked.
Why don’t organizations invest in sufficient protection? The reflex answer is cost. But that answer is overly simplistic and not truly accurate. Once a company is hacked or ransomed, they will pay inordinate sums to resolve the attack. They will pay criminals who just want their money. They will pay IT professionals to mitigate & investigate the attack. The cyberattack that was once a vague possibility is suddenly painful and very real. In most cases it is effectively too late, critical information has been stolen or the network is completely down, with systems and data encrypted, and the company is being ransomed (or all of the above). After a company has endured a cyberattack, if they survive, they have no problem investing in an effective Cybersecurity program. Because they endured an attack, and know what is being protected against, they don’t want it to happen again.
Another reason organizations don’t invest is they think their current IT resources have it covered, or blindly assume their employees will keep them secure by not falling for phishing and other tactics. If asked, leadership will say, “we’re good”, or “we’re happy with our service”, without truly knowing, testing, and verifying their measures are protecting them and the full extent of threats they face. In these situations, occasional network penetration testing (an Attack Audit) is prudent, at the very least, to assure the network is indeed secure.
In many cases (though certainly not all cases), we find supposedly secure networks with significant if not critical security holes; some have malware already running on their systems setting them up for attack. The reality is that unless an IT team or an IT provider is have appropriate experience and focus on Cybersecurity, they won’t design secure environments. Their security solutions reflect their level of attention and knowledge.
Our desire is for such threats to never become a reality for organizations. Unfortunately, over our 20+ years of providing IT services and security solutions, we have only seen the problem grow increasingly worse. The sheer number of attacks, their sophistication, damage caused, and information and monetary losses continue to grow exponentially. Without sincere, purposeful action organizations will continue to face this mounting risk.
Federal Bureau of Investigation (FBI)
The FBI is the lead federal agency for investigating cyberattacks by criminals, overseas adversaries, and terrorists. The threat is serious— and growing. Cyber intrusions are becoming more commonplace, more dangerous, and more sophisticated. Our nation’s critical infrastructure, including both private and public sector networks, are targeted by adversaries. American companies are targeted for trade secrets and other sensitive corporate data and universities for their cutting-edge research and development. Citizens are targeted by fraudsters and identity thieves, and children are targeted by online predators.
When it comes to computer and network intrusions the collective impact is staggering. Billions of dollars are lost every year repairing systems hit by such attacks. Some take down vital systems, disrupting and sometimes disabling the work of hospitals, banks, and 9-1-1 centers around the country. Who is behind such attacks? It runs the gamut—from computer geeks looking for bragging rights, to businesses trying to gain an upper hand in the marketplace by hacking competitor websites, to hactivists fighting for a cause to rings of criminals wanting to steal personal information and sell it on black markets, to spies and terrorists looking to rob our nation of vital information or launch cyber strikes.
Hacktivists are motivated by causes beyond just financial gain or random ‘just because they can’ harm. It may be politics, ideology, or some other motivator that gets an organization on their radar. The fact that this type of cyberattack is usually intentional and directed can increase the potential for harm. Defending against this threat is likely not a priority for most, but for those in government, defense, healthcare, law enforcement, and other verticals that may catch their attention, it should not be ignored. Unlike cybercrime for profit groups, Hacktivists also tend to bring a social element that can lead to additional attention and potential ‘bandwagon’ attacks.
Today, these computer intrusion cases—counter-terrorism, counter-intelligence, and criminal—are cyber program priorities because of their potential national security nexus.” In its annual Internet Crime Report, the FBI disclosed that the Internet Crime Complaint Center (IC3) received 467,361 complaints in 2019, which was an average of more than 1,200 every day! These numbers are on a steady march up, and there was more than a 70% increase in complaints between 2014 and 2019. More concerning, the monetary losses during that same period increased over 437% jumping from over $800 million in 2014 to $3.5 billion in 2019! As chief of IC3, Donna Gregory, was quoted as saying, “…report shows how prevalent these crimes are. It also shows that the financial toll is substantial, and a victim can be anyone who uses a connected device.
4,000+ ransomware attacks a day since 2016
-Department of Justice
Cyberattack monetary losses jumped from $800 million in 2104 to $3.5 billion in 2019
Motive for 71% of breaches was financial
Motive for 25% of breaches was espionage
Cybercrime is big business; that 437% increase & $3.5 billion ends up somewhere. It can take the form of outright targeted hacking to steal data, industrial espionage, phishing, phone scams, extortion, ransomware, or social hacking. The threat can be a lone actor, a small-time ring of hackers, or seasoned professionals who have been at it for years. The end goal of these attackers is to make money, and the attacks can be highly sophisticated or basic. One efficient tactic is combining data theft and ransomware encryption a combination that allows the attacker(s) to get revenue twice. They get payment to decrypt the data and make money on selling the data they managed to steal.
Department of Justice (DOJ)
“Ransomware is the fastest growing malware threat, targeting users of all types—from the home user to the corporate network. On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. Ransomware targets home users, businesses, and government networks and can lead to temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation.”
Department of Defense (DoD)
Cybersecurity is important enough to the DoD that on June 13th, 2019 Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Cyber, stated, “…security is an allowable cost. Amen, right?” She also stated, “… if we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base (DIB) doesn’t have robust cyber hygiene. Only 1% of DIB have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”