Cyber Risk Realities
From boutiques offering online shopping and sending monthly e-newsletters to their customers to churches holding virtual services and collecting donations electronically, the growth in online business has given organizations faster and easier ways to engage with their communities. However, doing business online also creates a reliance on networks, applications, social media and data to keep up with modern behaviors, and that reliance leaves organizations exposed to cyber threats.
Every day, common cyber-attacks have the potential for substantial negative business impact. Fortunately, these losses are often preventable. Let's take a look at some of today's cyber-risk realities.
There is an old adage in the military, "The weakest part of any fort is the people inside." This is a concept that criminals and other bad actors in the cyber arena have taken to heart. The hacking stereotype, someone wearing a hoodie, sitting at a keyboard in a dark room, furiously typing away and breaking through firewalls and security controls by sheer force, isn't reality. The reality is that a well-intentioned user gives away the keys to the castle.
Social engineering is behind most cyber incidents. Criminals simply ask nicely, and someone lets them in. Confidence schemes have been around since the dawn of human history, and technology has made them much easier to run at scale. Instead of fighting through layers of security, criminals can send emails to thousands of addresses with malicious links included and wait for someone to click. The link typically leads to a look-alike login page, and whatever username and password the victim types in goes straight to the criminal.
Social engineering can occur by email, text, phone call, instant message, in person and in any other way that people connect. In this time of quarantine, there has even been a resurgence of social engineering by snail mail: mailing people malicious USB sticks that compromise a computer when inserted. Criminals are nothing if not inventive; any method of communication can be a method of deception.
What happens once they’re in? There are many possibilities and reasons for someone to intrude on a network, but the two biggest risks right now are ransomware and data theft.
Ransomware has been in the news due to a high volume of attacks on state and local government agencies, but what is it exactly? Ransomware is a type of attack where criminals encrypt data and hold it hostage until a ransom is paid, usually in cryptocurrency, which is difficult to trace. From a cyber-criminal's perspective, a ransomware attack is effective because it's uncomplicated. Moving a large amount of data takes a lot of time and computing power, so putting a lock on it so no one can get to it is much simpler. Ransomware is also a quicker path to monetizing the crime, since the criminal gets paid directly upfront instead of having to find a buyer for stolen data. Ransomware is particularly insidious because one person falling for a social engineering attack is enough to give the attacker a foothold, and from there the malware can spread to every system it can reach on the network.
A well-known example is the June 2017 NotPetya outbreak, which hit Møller-Maersk, the world's largest shipping conglomerate. Computers in the company's 574 offices in 130 countries were infected, each displaying a demand for $300 to be unlocked. In that case paying would not have helped: the attackers' contact email address was shut down almost immediately and the malware had no working way to restore the data, which is why NotPetya is often described as a wiper disguised as ransomware. The total cost of the incident to Møller-Maersk is estimated at $300 million, and the company was just one of many businesses hit by the same malware. In 2019, Cybersecurity Ventures predicted that global ransomware damages would reach $11.5 billion annually.
While ransomware is on the rise, there's still plenty of money for criminals to make by selling data. Data leakage is simply the unauthorized transmission of data, usually data that has value: Personally Identifiable Information (PII), Protected Health Information (PHI), banking information or any data that can be sold or directly used to make money, usually through identity theft. Criminals do not stop because of a pandemic. They are using PII stolen or bought on the dark web to steal Coronavirus Aid, Relief, and Economic Security (CARES) Act payments from the U.S. Treasury.
Why is data leakage the risk instead of data theft? Because theft is not the only way that data gets out without authorization. Sometimes it's merely a mistake, such as someone sending the wrong attachment or disclosing the wrong piece of information. Technical controls can do a lot to stop deliberate theft, but a simple mistake by an authorized user looks like normal activity and is much harder to detect.
One thing making data loss riskier is the move to store data in the cloud. Storing data off premises provides many advantages, but it also presents new risks. A single misconfiguration, such as a storage bucket or file share set to allow public access, can expose everything stored in it to the world rather than keeping it private. For cyber criminals this is even easier than social engineering: they scan the internet for misconfigured cloud storage, and the data is simply there for the taking. No muss, no fuss.
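The kind of misconfiguration described above is usually a single overly broad access policy. The following is an added example, not code or configuration from GuideOne or from this article: two constructed AWS S3 bucket-policy documents, one that makes every object in a hypothetical bucket named `example-donations` world-readable and one corrected so that only a specific application role can read it, plus a small static check that flags any Allow statement an anonymous caller could use. The bucket name, the account ID `123456789012`, the role name `donation-app` and the list of condition keys treated as caller-restricting are all assumptions of the example; the check does not model ACLs, `NotPrincipal`/`NotAction` or the account-level Public Access Block, which a real scanner would also have to consider.

```python
"""Flag cloud-storage bucket policies that grant anonymous access.

Added example (not from the original article). The two policies below are
constructed samples in the AWS S3 bucket-policy format; the bucket name,
account ID and role name are hypothetical. The check is a simplified static
analysis: it inspects the Effect, Principal and Condition of each statement
and reports any Allow statement that an anonymous caller could use.
"""
import json

# Constructed sample: the weak policy. Principal "*" with no condition that
# narrows the caller means anyone on the internet can fetch every object.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-donations/*"
    }]
})

# Constructed sample: the corrected policy. Only one named role may read,
# and a separate Deny statement refuses any request that is not over TLS.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/donation-app"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-donations/*"
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-donations",
                         "arn:aws:s3:::example-donations/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}
        }
    ]
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True if the Principal element matches any caller, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _condition_restricts_caller(condition):
    """True if a Condition pins *who* may call, not merely *how*.

    A key such as aws:SecureTransport only forces TLS and still admits anyone,
    so it is not treated as a restriction. The set of caller-restricting keys
    below is an assumption of this example, not an exhaustive list.
    """
    if not condition:
        return False
    restricting = {"aws:PrincipalAccount", "aws:PrincipalArn", "aws:PrincipalOrgID",
                   "aws:SourceAccount", "aws:SourceVpc", "aws:SourceVpce", "aws:SourceIp"}
    return any(key in restricting
               for operator_block in condition.values()
               for key in operator_block)


def find_public_statements(policy_json):
    """Return the Sids (or positional labels) of Allow statements open to anonymous callers."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if _condition_restricts_caller(stmt.get("Condition")):
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        public = find_public_statements(policy)
        verdict = "PUBLIC via " + ", ".join(public) if public else "no anonymous access"
        print(f"{name}: {verdict}")
```

Running the block reports the weak policy as public through its `PublicRead` statement and the corrected one as granting no anonymous access. The important design point is that a `Deny` with `Principal: "*"` is harmless and a TLS-only condition does not make a public `Allow` safe; only the principal or a caller-restricting condition decides who gets in.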
A Terrible Union
Globally, businesses and governments have determined that paying ransom is a bad idea in the long run, because there is no guarantee a working decryption key will be provided, and paying only gives the criminals more resources to launch more attacks. Many enterprises are choosing to restore from backups and rebuild instead of paying the ransom to get their data back. In response to this trend, criminals now copy the data out before locking it up to give them more leverage: pay, or the data gets published.
What assurance do you have that the data won’t be released anyway once the ransom is paid? None.
Managing These Risks
Ransomware and data loss are just two of many cyber-risks. Programming errors, insider threats, denial of service, vendor compromise, lost or stolen devices, business e-mail compromise, supply chain attacks and a variety of others present a clear danger to your business or organization. What you should keep in mind is that cyber risk, like all risk, is manageable.
When talking about risk, people often think they’re helpless against cyber criminals. The cyber world does present risks, but as long as those risks are planned for and controlled appropriately they’re no different than any well-understood, established risk in the physical world.
If your business or organization doesn’t have cyber insurance solutions in place, talk with your GuideOne distribution partner about our coverages and tools that could meet your needs. To learn more, check out our Cyber Suite Overview.
© 2021 The GuideOne Center for Risk Management, LLC. All rights reserved. This material is for informational purposes only. It is not intended to give specific legal or risk management advice, nor are any suggested checklists or action plans intended to include or address all possible risk management exposures or solutions. You are encouraged to retain your own expert consultants and legal advisors in order to develop a risk management plan specific to your own activities.