Cyber war is nothing new as phenomenon, yet there is still a real lack of understanding when it comes to the topic, writes Andy Wood, Technology Strategist, Cybersecurity, at the data management and cloud storage product company NetApp.
There are all kinds of geopolitical tensions that may cause nation state-sponsored cyber-attacks to target critical infrastructure, with the aim of gaining access to data, disrupting communications, or generally slowing down operations. Cyber-attacks may be aimed at a particular organisation or malicious actors may send the bait to numerous organisations and see what they catch. Once they strike, however, they can have a devastating impact on those directly implicated, but also inflict massive collateral damage.
In 2017, an attack on Ukraine’s national power grid affected other organisations such as shipping company Maersk, advertising giant WPP and the UK’s National Health Service – this served a vital lesson for businesses. Cyber-attacks spread and destroy everything in their path, and they do it rapidly. They do not hit one organisation and stay within the confines of that organisation. A single attack wields the destructive potential to take down multiple companies.
With today’s geopolitical risks, cyber activity from both criminals and nation states leaves many organisations vulnerable. Recent data from the Department of Culture, Media and Sport found that two in five UK organisations had identified breaches in the past 12 months, which is lower overall for the public sector – according to NetApp research. Hacktivist groups also pose a risk and are willing to turn against organisations whose ethics they find objectionable.
So how can organisations mitigate these risks? The best antidote is adopting a zero-trust policy when it comes to cybersecurity, to fortify against potential threats that might not even have been directed at them specifically.
A growing concern
It would not be an exaggeration to state that both the scale and volume of ransomware attacks has increased sizeably over the past couple of years. In 2021, the flow of oil across the eastern United States was disrupted by the Colonial Pipeline ransomware attack and JBS USA was severely impacted by a ransomware attack that affected its’ ability to package meat, involving an $11 million ransomware payment to the criminals who conducted the attack. Both of these attacks were high profile, damaging the reputations of those organisations and disrupting business continuity.
In the case of the Colonial Pipeline, the biggest pipeline in North America was brought down by a single password being stolen. By exploiting the simplest of cybersecurity vulnerabilities, cybercriminals caused severe business and wider economic harm – the impact of which was felt for years by the businesses affected. As a result of this, cybercriminals have seen how productive these sorts of attacks can be and have been encouraged to go further.
While the nature of the ransomware threat today is well understood, the legal consequences that can potentially arise from an attack, are often not as well acknowledged.
In the UK, organisations must comply with data protection legislation, specifically GDPR. The ICO has issued guidance specifically for dealing with ransomware attacks, that includes what falls within a personal data breach and preventative measures that should be implemented. If organisations fail to follow guidance from the ICO, then they may not have acted reasonably in meeting their obligations as a data controller and can face a penalty fine from the ICO. Tuckers LLP, a UK law firm was the first to be issued a ransomware attack fee of £98,000 after failing to implement adequate security measures.
It’s clear that ransomware attacks can also have real legal consequences and financial consequences that can be a knock-on impact. This further highlights why organisations should set traps for rogue ransomware attacks with zero trust.
Adopting a zero trust policy
Zero trust is a key tool in an IT security professional’s arsenal that can effectively set traps for ransomware attacks – containing them and disabling their ability to spread even after the organisation has been infected. Zero trust views networking security from inside out rather than outside in. It recognises that threats to an organisation’s information security can already exist within the organisation. There are three main steps that can be used to setup a zero-trust trap.
The first is that trust cannot be assumed, and so behavioural analytics and two-factor authentication should be used to ensure that users are who they say they are – to prevent unauthorised access to systems. The second is that data needs to be classified, especially data that could be referred to as ‘toxic’, posing compliance or reputational issues when exposed. The third is that employers should only have access to the data that they need to perform their roles, using role-based access control which can be applied for both data and administrative access.
Continuously authenticating and re-authenticating users minimises the potential of ransomware entering an organisation. Whereas introducing a damage control lever means even if the system is infiltrated via an unknowing user, the attacker only has limited access to files and data. As well as protecting organisations against malicious actors from outside the organisation – preying on cybersecurity vulnerabilities and poor digital hygiene – zero trust also provides protection against insider threats.
Zero trust is vital in a world where the threat from ransomware is indiscriminate. Organisations are fallible to cyber events if they are targeted by cybercriminals, especially when malicious activity is at an all-time high. The reward for cybercriminals still outweighs the risk, while geopolitical tensions mean uninvolved businesses may get caught in the crossfire of cyber-attacks taking place between nation states. This is why organisations must adopt a zero trust approach to protecting their business and its stakeholders.
