Cybersecurity has become a major topic of discussion for businesses and organizations of all sizes, as the number of security incidents has spiked, capturing headlines worldwide.
This year, even presidential candidates will likely join the discussion, as 64 percent of registered U.S. voters believe cyberattacks will undoubtedly plague election campaigns, according to a study from Experian.
If, until now, the cybersecurity landscape was somewhat uniformly distributed between activism and public shaming, today’s cyberattacks are either financially motivated or state-sponsored and aim to steal state secrets or cripple critical infrastructure. Politically motivated cyberattacks seem to have been at the heart of the Ukraine cyberattack on its power grid during the Russian-sponsored conflict there in late 2015.
Cyberattacks Can Hit Anyone and Anything
Even if they’re targeting a government of private organization, cyberattacks can hit individuals, especially public figures, celebrities or otherwise politically engaged people. “The Fappening” – also known as “Celebgate” – is a notorious example from 2014 when more than 500 private and nude pictures of celebrities were leaked to the internet in one the most controversial cyberattacks in the past couple of years. With social engineering at the heart of it, the incident prompted a massive investigation fallout and public debate on whether people should even be looking at the pictures and urging authorities to apprehend the cybercriminal.
A more recent attack on an individual’s public image has to do with Anonymous declaring “war” on Donald Trump, the candidate for the Republican nomination for President of the United States in the 2016 election. The hacker group openly started a campaign against Trump, threatening to find and post all personal and sensitive information they can find on him.
“The single biggest existential threat that’s out there, I think, is cyber” - Michael Mullen, retired United States Navy admiral
Hospitals have also been the target of malware – particularly ransomware. In February 2016, the 434-bed Hollywood Presbyterian Medical Center stated they had to pay the equivalent of $17,000 in bitcoins, to hackers who seized their computers and encrypted all data on them. While at first the cybercriminals demanded $3.4 million to restore access to the hospital’s computers, a negotiation took place to release them for a smaller amount.
Even operating systems believed less susceptible to malware have been kneeled by ransomware attacks. If at first Linux was the one to be hit by Linux.Encoder – the Linux version of the ransomware threat – in late 2015, in early March 2016 the Apple OS X was targeted next. The unprecedented Mac ransomware threat is believed to have affected thousands of users, as the infected application was estimated to have been downloaded by more than 6,000 users.
While the Linux variant was relatively easy to crack, as security researchers were able to provide a tool to offer free decryption of the infected files, it stands to reason that cybercriminals will improve the threat to make it more difficult – even impossible – for the researchers to decrypt the files.
How Can Businesses Protect Themselves?
Probably one of the first things organizations need is a policy for enforcing strong authentication methods, particularly strong passwords for all users. According to a 2016 study from SplashData, the two most popular passwords for the past couple of years have remained “12345” and “password,” while the third is “12345678”. While most data breaches that affect companies involve stealing employee credentials via phishing or social engineering scams, attackers have been able to breach particular networks just by guessing or brute-forcing authentication credentials.
Another important security measure that organizations need to implement is endpoint security and some form of centralized security management console that can offer security administrators visibility into network threats and the capability of remotely managing security policies. Combining that with network traffic monitoring capabilities, organizations can actively watch their infrastructure for threats and intrusions.
Companies that accept BYOD should have the proper BYOD policies set in place to avoid data or network breaches caused by infected employee devices connected to the corporate network. To this end, organizations that decide to support BYOD should start setting up DMZs, separate networks for employee personal devices, and even specify which devices are permitted to access – or not – critical data.
CIOs are also encouraged to start looking for a penetration testing and vulnerability scanning team or solution that’s able to constantly stress-test the internal infrastructure and come up with new plausible attack scenarios to help train both employees and the IT department. This has been considered a very effective tactic in proactively fending off cyberattacks and in minimizing the financial impact of a security breach. CIOs and CSOs need to budget these security assets and convince upper managers that the benefits of having such a team far outweigh the financial risks they’re exposing themselves to.
"Companies need to protect their own networks, and harden themselves against cyber attack." George Osborne, Chancellor of the Exchequer
Of course, in the security chain the weakest link is usually the human component, which is susceptible to social engineering, phishing and other forms of cyberattacks. To this end, educating all employees in identifying threats or fraud attempts and reporting them to internal IT departments is mandatory. Some of the most prone to spear phishing attacks or spam campaigns are usually personnel in accounting, human resources, or acquisitions, as most email usually contain titles related to “please check attached invoice,” “here’s your confirmation order,” or other such topics.
Finally, one crucial thing that any organization or company needs to prepare is a worst-case-scenario. These are designed to quickly identify key stakeholders in case of an eventual data breach, personnel responsible to mitigating the found threat or vulnerability, how and when to start communicating with your customers if their data has been compromised, and a forensic team that can study the breach thoroughly to quickly come up with ways to prevent future such cyberattacks. After a security breach, all companies need to ask themselves what they have learned from it. If the answer doesn’t immediately translate into actions or steps taken to proactive counter similar such attacks, a similar attack is bound to happen again.
It’s all about the money!
Whether its companies or cybercriminals, the main motivation behind either setting up corporate security mechanisms or developing malware is always money. When allocating or forecasting security budgets, companies usually rely on the CIO and CSOs to perform SWAT analyses and risk assessment strategies to convince the stakeholders to share a bigger slice of the “cash” budget towards security. At the other end, malware coders usually apply the same strategy when writing malware, as their main focus is to either steal and sell intellectual property or extort their victims.
The main difference between security and cybercriminals is that the return-on-investment for deploying security technologies within an organization is far smaller than the one for cybercriminals. For ransomware alone it has been estimated that the ROI is around 1,425%, according to a security report. To this end, it’s safe to assume that, while companies might find it difficult to justify additional security costs either on a quarterly or yearly basis, cybercriminals are in the win, as they’re getting the most benefit with minimum investment.
“A cyber hacker is nothing more than a bank robber using another weapon. His motivation is robbery and theft.” – L. Collins
Amid the proliferation of IoT devices and their integration with corporate networks, Gartner believes that security costs will increase to 20 percent of annual security budgets. Ironically, the malware-as-a-service industry will start reducing development and deployment costs as new tools are being developed that make it amazingly simple even for non-tech-savvy individuals to purchase, customize and deploy threats on a global scale.
While security experts have been arguing that large, medium and small businesses need to stop thinking about “how” and start thinking of “when” they’re going to be breached, it’s up to CIOs and CSOs to both prepare for the worst and disseminate this message to all company stakeholders.
What is increasingly clear is that cybercriminals will up the game in performing cyberattacks and companies need to be prepared to fight – and sometimes lose a battle or two – against this wide range of potential cyberattacks. The challenge here is to always to learn from past mistakes and collaborate with both government institutions and private security companies in fending off, mitigating and recovering from future attacks.