When computers and the internet were undergoing development in the 1970s and 1980s, computer security threats were not much of a problem. In fact, the internet – originally called ARPANET (Advanced Research Projects Agency Network) – was designed as a trusted loop, meaning there was no need for security since everyone using it was a known quantity and was working towards a common objective. Fast forward 50 years to today; there is a prolific underground of malicious actors that leverage dozens of different techniques to invade networks and exfiltrate critical value data, writes Chris Pogue, pictured, Head of Strategic Alliances at software firm Nuix.
During the COVID-19 pandemic, there has been an unprecedented rise in the number of companies falling victim to ransomware. This specific species of the malware family has evolved into a prescription service known as Ransomware-as-a Service (RaaS). RaaS enables cybercriminals that are unfamiliar with malware development to outsource this skill to those that can.
Since the pandemic began, companies have had to shift operations to cater for a remote workforce that was accessing corporate data on unsecured home networks. Without the presence of security protocols that would support the move to remote workforces around the world, it was inevitable that companies would be ill-equipped to deal with the rising army of cyber gangs.
Indeed, during 2020 ransomware attacks were up 150%pc compared to 2019, with the amount paid out in ransoms growing by 300pc. It’s a trend that is set to continue into 2021, with a wide range of high-profile ransomware attacks being made against crucial infrastructure and government institutions. The ransoms for attacks, such as that against Colonial Pipeline, are running into the millions, with that particular attack rumoured to have required a $5 million ransom.
Such is the scale of the problem that recent data from Atlas VPN suggests that 34 per cent of businesses in the UK are forced to close down after falling victim to a ransomware attack. These extreme consequences emerge due to a combination of the loss of customer confidence, loss of market share and revenue loss due to brand damage. Even those companies that aren’t forced to shut down still often have to find a way to recover from the unanticipated financial burden introduced by the attack, potentially being forced to shed a large number of employees as a means of weathering the storm.
A prime example of the chaos to come was the recent attack on Kaseya’s VSA servers that was named “the biggest ransomware attack on record”. The targeted Florida IT management software company is used by smaller companies without their own tech departments and the disruption was felt internationally. This included the closing of 500 Swedish supermarkets.
Cybersecurity: The online watchman
The word “ransom” perhaps naturally conjures up imagery of a dramatic hostage situation in a contemporary Hollywood movie starring Liam Neeson. We think of a maniac charging into a bank and capturing innocent people or precious belongings, whilst the FBI, SWAT team and resident negotiator stands outside trying to resolve the situation. Ransomware is a similar concept, but the hostage situation has been digitalised.
Despite the panic and fear surrounding this kind of ransom, cyber security has surprisingly become an overlooked element of business risk; neglected in favour of the protection of physical assets. Businesses have historically invested in the physical security of their operations buildings, buying locks and chains for the doors of their brick-and-mortar offices and installing cameras to deter the bad guys. Recent reports have shown that companies around the UK and globally are admittedly unprepared for cyber threats, but especially those attacks leveraging RaaS. The cyber age has transformed this threat into one that is orders of magnitude dangerous, leaving companies scrambling to adapt to new security strategies and prepare for oncoming attacks.
Meanwhile, governments have begun to look at how they can protect and advise their nation’s organisations on how to respond to ransom demands by attackers. For instance, the Institute for Security and Technology recently launched a task force, complete with members from the likes of Microsoft, Cisco, and Amazon, as well as the UK’s National Crime Agency, the FBI, and the US federal Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), to try and better address the ransomware problem. A recent report from the group argues for a much more aggressive response to ransomware than the largely ineffectual approaches being taken thus far.
How to strength posture
With the lack of cohesive government and industry advice, not least on whether or not to pay the ransom in the event of a ransomware attack, it is crucial that companies focus on doing what they can to prevent unnecessary vulnerabilities. It is impossible to stop all cyber threats or halt their evolution in the future, but most companies have seen avoidable breaches due to human mistakes. It is the human part of an organisation’s defensive posture that needs to address to identify mistakes from triggering the spread of preventable threat vectors. Attackers are ready to exploit even the smallest misconfigurations, so they must be denied the opportunity wherever possible.
There are preventable human errors that organisations can easily eliminate to bolster their cybersecurity armoury against cyber attackers, including human laziness, poor patch management, slow (or no) detection, a lack of understanding of the baseline of normal activity and comprehensive logging.
By eliminating laziness, it can help all of these problems. Laziness is what has stopped businesses from ensuring that they are deploying missing patches before data breaches occur or quickly afterwards. It is also what has prevented companies from accurately detecting intruders through analysis of their daily operations. Additionally, without incentives to develop a comprehensive defensive posture, a culture of inadequacy continues in many industries, with businesses failing to keep logs on intruder activities to identify, analyse and subsequently prevent further attacks. If businesses want to succeed in battling the cyber revolution, they need to start with the human vulnerability.
