Countering ransomware – it’s time to patch the human

Ransomware relies on human fallibility

Crypto-ransomware, malware that extorts money from victims by encrypting their files and systems until they pay a ransom, has been much in the news since WannaCry hobbled IT systems around the world last month. While much was made of the fact that WannaCry spread through networks by exploiting SMBv1 vulnerabilities in unsupported Windows systems (such as Windows XP, Windows 8 and Windows Server 2003), it is unusual for ransomware to self-replicate in the way WannaCry did.

More often, ransomware, in common with most other forms of malware, is spread by drive-by downloads or phishing campaigns, both of which exploit human error. So, even if you use robust anti-virus and anti-malware solutions, conduct regular penetration tests, keep your systems up to date and install the latest patches, your systems could still be compromised by a single careless employee.

According to a 2016 report by SentinelOne:

• 39% of organisations in the UK were hit by ransomware in the previous year
  • 72% of those infections were attributable to phishing
  • 38% were attributable to drive-by downloads from compromised websites

People are frequently acknowledged as the weakest link in any security system. But with better levels of staff knowledge, companies become more secure: you can, in effect, ‘patch’ your employees. This is why a best-practice approach to information security, such as an ISO 27001-compliant ISMS (Information Security Management System), takes a holistic view that addresses people as well as processes and technology.

Amicus ITS takes security seriously. “We say security is part of our DNA here,” advises JP Norman, Director of Technology, Security & Governance, “and I consistently refer to the importance of ‘the squishy bits’ (i.e. the people) in IT management. You can deploy the best systems and infrastructure money can buy – but you have to ensure your people are trained too.”

Law firms provide a lucrative new data target for cyber criminals

The Wall Street Journal in the US has reported a significant rise in cyber threats being dealt with in the legal sector. Law firms are especially attractive to criminals given the highly sensitive nature of the data they hold.

But are we just talking about some underworld cyber guys ransoming data? Apparently not – some of the recent attacks are also suspected of being attempts at insider trading (now allegedly the subject of investigations by the FBI).

Phishing attempts in law firms continue to feature highly in the latest reports. Stephen Tester, partner at London law firm CMS, which brokers cyber insurance, commented to the BBC: “We’ve seen examples of emails [at client law firms] that purport to come from a managing partner to a more junior lawyer directing them to make payments to an account or to send certain information to an address… they can look very much like a regular message.”

However, it’s the accounts of alarmingly insidious new ways in which cyber criminals are trying to access systems that should put everybody on their guard. Would you have considered your video-conferencing systems or telephony to be vulnerable? Well, apparently so. “There are ways in which people can go into video-based conferencing facilities and literally listen in on meetings,” Mr Tester said. “Telephone systems these days are delivered via VoIP, in essence translating analogue to digital then back to analogue. Not many organisations even consider this to be another attack surface.”

The rise and variety of attacks reflect both the cunning and the sheer determination of attackers looking for any infrastructure loophole, sometimes striking gold through wifi settings and unsecured networks. Add unsuspecting staff to that (93% of data protection breaches are reported to be caused by human error, according to a 2015 ICO report) and you have a tsunami of potential threats on the horizon, with today’s cyber vultures circling.

Questions for you
• Can you afford to sit back and assume your organisation is not a target?
• Can your company afford to lose trust?
• Can your company afford to pay the financial penalties if you are found to have mishandled EU residents’ data? This could be a fine of up to 20 million euros or 4% of global turnover (EU GDPR).

You have a duty to your employees, customers and shareholders to know that you can protect the data you are holding.

So what can firms do to avoid having cyber criminals musing over your or your clients’ data for their financial gain? An audit with cyber security experts is certainly a good start. Reviewing data security policies is a natural follow-on, as is defining, and keeping up to date, your plan for responding to a cyber breach. Finally, phishing is an opportunity for companies to raise everyone’s game by prioritising staff education around data security and cyber threats. Better to pick over your own bones than have it done to you!


Cost of SMB cybercrime

Cyber criminals continue to aggressively target SMBs in the hope that their systems will be less robust than those of larger, enterprise organisations.

Data theft and disruption (digital vandalism) are pure salmon on the menu for hackers, who either steal money directly or pass details on to other criminals and criminal organisations. The US in 2013 had 28 million SMBs, 66% of which contributed $7.5 trillion to the US economy. 36% of SMBs in the US suffered a cyber attack in 2012. The UK in 2014 had an estimated 5.2 million businesses employing 25 million people, with a combined turnover of £3.5 billion.

Common types of attack:
• Phishing – a scam email from a familiar-looking person or address that gets the user to reveal passwords or credit card details.
• Digital vandalism – Denial of Service (DoS), virus attacks or other malware used to interrupt a business, with a damaging cost impact.
• Data theft – this can paralyse a smaller organisation; the average cost to a US SMB in 2013 was $9,000. Of those attacked, it is estimated that 60% go out of business within six months.

Impact on business:
• Business lost during a cyber breach
• Loss of company assets (bank account details, passwords, customer records, company strategy, employee information)
• Damage to reputation – this can go on for years (and hacked websites can be quarantined for long periods by search engines, preventing new business coming in)
• Risk of being sued – failure to protect customer information with reasonable measures could leave an SMB open to litigation
• Vulnerability of the business through lack of firewalls, encryption, anti-virus software, and staff to monitor and manage the protection of the company’s digital estate

Failing to act is no safeguard. Understanding the infrastructure and its weaknesses is the first step towards positive preventative action. Pen-testing offers a relatively cheap and often eye-opening analysis of risks and gaps.
