Ransomware & Data Theft are Rampant
Why don’t organizations invest in sufficient protection?
Astonishingly, despite the danger, only a small percentage of organizations invest seriously in protecting their networks and, with them, their data, intellectual property, employees, partners and customers. Why? What does it take to inspire action on appropriate security efforts? Compliance requirements can motivate organizations that want to avoid penalties and monetary fines. Where compliance is not a requirement, however, most organizations do not take the cyber threat seriously until they are hit by phishing or ransomware, or have their sensitive data and systems compromised.
Why don’t organizations invest in sufficient protection? The reflex answer is cost, but that answer is overly simplistic and not truly accurate. Once a company is hacked or ransomed, it will pay inordinate sums to resolve the attack: it will pay criminals who just want its money, and it will pay IT professionals to investigate and contain the attack. The cyberattack that was once a vague possibility is suddenly painful and very real. In most cases it is effectively too late: critical information has been stolen, or the network is completely down with systems and data encrypted and the company being ransomed (or all of the above). After a company has endured a cyberattack, if it survives, it has no problem investing in an effective cybersecurity program. Having lived through an attack, it knows exactly what it is protecting against and does not want it to happen again.
Instead of becoming a cyberattack victim, why not prevent it?
Another reason organizations don’t invest is that they think their current IT resources have it covered, or they blindly assume their employees will keep them secure by not falling for phishing and other tactics. If asked, leadership will say “we’re good” or “we’re happy with our service” without truly knowing, testing, and verifying that their measures protect them, and without understanding the full extent of the threats they face. In these situations, periodic network penetration testing (an Attack Audit) is prudent at the very least. Be clear about what such a test can and cannot show: it demonstrates which weaknesses an attacker could actually exploit at that point in time, but it cannot prove that a network is secure.
In many cases (though certainly not all), we find supposedly secure networks with significant if not critical security holes; some already have malware running on their systems, setting them up for attack. The reality is that unless an IT team or IT provider has the appropriate experience and focus on cybersecurity, they will not design secure environments. Their security solutions reflect their level of attention and knowledge.
Our desire is for such threats never to become a reality for organizations. Unfortunately, over our 20+ years of providing IT services and security solutions, we have only seen the problem grow worse. The sheer number of attacks, their sophistication, the damage caused, and the information and monetary losses continue to grow year over year. Without sincere, purposeful action, organizations will continue to face this mounting risk.
Cybercrime is big business! It can take the form of targeted hacking to steal data, industrial espionage, phishing, phone scams, extortion, ransomware, or social engineering. The threat can be a lone actor, a small-time ring of hackers, or seasoned professionals who have been at it for years. The end goal of these attackers is to make money. The attacks can be highly complex or basic, depending on the cyber-criminals’ skills and sophistication. One efficient tactic combines data theft with ransomware encryption, a combination that lets the attacker(s) get paid twice: once for the key to decrypt the data, and again by selling the data they managed to steal. It also means that paying for decryption does nothing to undo the breach; the stolen data is already in the attackers’ hands.
Federal Bureau of Investigation (FBI)
The FBI is the lead federal agency for investigating cyberattacks by criminals, overseas adversaries, and terrorists. The threat is serious— and growing. Cyber intrusions are becoming more commonplace, more dangerous, and more sophisticated. Our nation’s critical infrastructure, including both private and public sector networks, are targeted by adversaries. American companies are targeted for trade secrets and other sensitive corporate data and universities for their cutting-edge research and development. Citizens are targeted by fraudsters and identity thieves, and children are targeted by online predators.
When it comes to computer and network intrusions, the collective impact is staggering. Billions of dollars are lost every year repairing systems hit by such attacks. Some take down vital systems, disrupting and sometimes disabling the work of hospitals, banks, and 9-1-1 centers around the country. Who is behind such attacks? It runs the gamut: from computer geeks looking for bragging rights, to businesses trying to gain an upper hand in the marketplace by hacking competitor websites, to hacktivists fighting for a cause, to rings of criminals wanting to steal personal information and sell it on black markets, to spies and terrorists looking to rob our nation of vital information or launch cyber strikes.
Today, these computer intrusion cases (counter-terrorism, counter-intelligence, and criminal) are cyber program priorities because of their potential national security nexus. In its annual Internet Crime Report, the FBI disclosed that the Internet Crime Complaint Center (IC3) received 467,361 complaints in 2019, an average of more than 1,200 every day! These numbers are on a steady march up, with more than a 70% increase in complaints between 2014 and 2019. More concerning, reported monetary losses more than quadrupled over the same period, jumping from over $800 million in 2014 to $3.5 billion in 2019! IC3 chief Donna Gregory was quoted as saying, “…report shows how prevalent these crimes are. It also shows that the financial toll is substantial, and a victim can be anyone who uses a connected device.”
Threats to cybersecurity come from a variety of sources, including the lone ‘hacker’, who could be a digital vandal, a disgruntled former employee, a romantic interest, or a bored neighborhood kid. The lone hacker may be motivated by financial gain or by a desire to cause intentional, or random, ‘just because they can’ harm. Their skill level can range from nonexistent to advanced. In the case of a former employee or romantic interest, insider knowledge (accounts, passwords, where the sensitive data lives) can make this threat capable of incredible harm even with no real ‘hacking’ ability. Because lone hackers are more random and variable, this category of threat is best addressed by an overall strong security culture and hardened infrastructure.
Department of Justice (DOJ)
“Ransomware is the fastest growing malware threat, targeting users of all types—from the home user to the corporate network. On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. Ransomware targets home users, businesses, and government networks and can lead to temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation.”
Hacktivists are motivated by causes beyond financial gain or random ‘just because they can’ harm. It may be politics, ideology, or some other motivator that gets an organization on their radar. Because this type of cyberattack is usually intentional and directed, the potential for harm is greater. Defending against this threat is likely not a priority for most, but for those in government, defense, healthcare, law enforcement, and other verticals that may catch their attention, it should not be ignored. Unlike for-profit cybercrime groups, hacktivists also tend to bring a social element that can draw additional attention and potential ‘bandwagon’ attacks from others.
Department of Homeland Security (DHS)
“Because of its geopolitical position in the world and its considerable and vulnerable attack surface, the West faces particular challenges in addressing the cyberthreat and several issues exacerbate an already problematic environment including an inconsistent ability to hold actors responsible. Among the key issues that may need to be addressed are the lack of clear redlines that set expectations and implications for the use of cyberweapons by state and non-state actors. Another consideration is the evolving understanding of how escalation and unintended consequences can and should be managed in a cyberattack. Overall, as would be expected from a relatively new area of warfare, the rules of engagement are still emerging and unclear.”
… “Cyber Threat Landscape: More Actors, Capabilities, and Connectivity. The modern cyber threat landscape is distinguished by an expanding array of state and non-state actors with access to various cyber tools or weapons, which may be combined to conduct advanced operations aimed at collection, criminal financial gain, or digital surveillance. Nation-states view cyberespionage as a tool for countering internal dissent or acquiring diplomatic or competitive advantage. Some governments use cyber asymmetry to challenge established powers with significant diplomatic sway or military power or to target private sector entities—a tactic which can be difficult to address with diplomatic or military means. Others have latched onto financially motivated cybercrime as a means of evading sanctions.”
… “In some cases, state actors may sponsor or co-opt indigenous cyber criminals, hacktivists, or semi-professional criminal hackers to either launch cyber operations with a veneer of deniability or quickly draw upon foreign technical expertise. The cyber environment is also characterized by a low entry barrier for new actors, as cybertools are hard to contain and control. Code is nearly impossible to regulate and cyber actors are selling or sharing their capabilities and techniques without restraint. Absent regulation, automation and proliferation of sophisticated and “usable” cybertools abound. As a result, malicious actors can now embark on opportunistic attacks that are also sophisticated.
A recent dynamic is the diffusion of expertise as former government, intelligence, or military cyber experts offer their expertise for hire to nation-states seeking to jump-start cyber programs. The government of the United Arab Emirates (UAE) hired former US government intelligence personnel working for Dark Matter to build an advanced capability to compromise challenging technical targets and boost the government’s cyberabilities. The contractors, Dark Matter, may have operated at a level close to top-tier national security agencies, thus boosting the UAE’s cyber abilities significantly and quickly to achieve previously hard-to-obtain goals in cyberspace.”
From: Commodification of Cyber Capabilities: A Grand Cyber Arms Bazaar (2019 Public-Private Analytic Exchange Program)
The most potent cybersecurity threats are nation state actors. Backed by governments, they bring incredibly advanced skills and nearly limitless resources to bear against their targets. They are a figurative and literal army, sometimes operating with the full and open public support of their leadership. In some cases they take the form of highly educated and trained members of massive cubicle farms. In other incarnations they are loosely organized and largely autonomous, left to apply whatever means are available to achieve the goals they have been assigned. Any organization of strategic value should prioritize cybersecurity and defending against this considerable threat.
July 2020: Garmin suffered a cyberattack that took down online services including website functions, customer support, customer-facing applications, and company communications. Some reports indicated the attack involved ransomware, with a substantial financial demand for the key required to decrypt the impacted systems.
July 2019: A previously unidentified Chinese espionage group was found to have been active since at least 2012, gathering data from foreign firms in industries identified as strategic priorities of the Chinese government. Targeted sectors included telecommunications, healthcare, semiconductor manufacturing, and machine learning. The group was also involved in stealing cryptocurrencies and in monitoring Hong Kong dissidents.
September 2017: Equifax announced a data breach that exposed the personal information of 147 million people. The exposed information included Social Security numbers, names, gender, phone numbers, driver’s license numbers and issuing state, email addresses, credit card information, tax IDs, dates of birth, and addresses. In addition, some images uploaded by consumers were compromised, including driver’s licenses, passports, Social Security and taxpayer ID cards, and more.