So you think you’re unhackable? Think again.

Erika Hamilton
Published in HutSix Blog
6 min read · Jan 8, 2021


Ransomware was once just a buzzword in the tech industry, but it has now become a prominent fixture in the technology space. With ransomware on the rise, losses are expected to exceed USD$20 billion by 2021, with criminals making off with more money than ever before. We usually associate these attacks with big corporations, but 62% of them actually target small and medium-sized businesses, which may not have the resources to respond appropriately.

Ransomware is a type of malicious software that, once released, gains access to files or systems and locks their owner out of them. The files or systems are held to ransom — often by encrypting them — until the owner pays up. Ransomware has been around for decades, but it has become far more sophisticated in its current generation.

Ransomware can make its way into your organisation in a number of ways, but the most common is an email that dresses the payload up as a super important attachment — like an invoice or a bill from an important client or the ATO. An email like this encourages people to open the attachment, which lets the ransomware spread throughout the organisation quickly. A similar thing can happen on social media, where a fake profile is created and messages are sent to people’s “friends” with an attachment or link to click on. And one of the oldest tricks in the book is the classic browser pop-up.

It’s easy for us to be doom and gloom about the outside world, but there is a solid reason behind it. It goes beyond our innate paranoia: it is drawn from the personal experience of a few of our valued clients.

A ransomware attack is actually relatively easy to execute, because a lot of basic security practices often aren’t followed by individuals. Ransomware is typically run by hacking groups who may be based overseas. They usually don’t own up to the attack and keep their identity secret. This helps them stay agile and under the radar, and keep running a system that works.

There was a hack in 2017 in Lake City, Florida that was executed by a group of Russian cybercriminals who demanded USD$530,000 in Bitcoin from the Council — which the Council paid, before firing its IT manager for letting the attack happen in the first place. The ransomware used was Ryuk, which earned its creators more than USD$3.7 million in its first four months of operation.

You might think that, if you’ve been hacked, you are the victim and will be compensated accordingly by your financial institution or insurance company — however, this isn’t always the case. If you’ve given a third-party platform — such as a budgeting app — permission to access your banking information and that app is hacked, your bank is unlikely to refund the funds, because you authorised the application. Read the ABC article about how this happened to an Adelaide man.

Who is liable?

In Australia, banks are liable to replace any stolen funds, but it does depend on the extent of the fraud and how it was carried out. This isn’t the case overseas: in Canada there aren’t the same protections we have here, and banks aren’t held liable for stolen funds. Customers have to dispute any transactions, which are then investigated, with no guarantee that any of the funds will be returned.

This was also the case in the UK until a few years ago. When the UK government shifted liability onto the banks, security within financial institutions skyrocketed and fraud plummeted as investment in online security increased.

Can insurance protect you?

You might think that insurance could help negate any of these difficulties, but cyber insurance companies may not always pay out your claim. Just as insurers are unlikely to pay out if you left your keys in your car or your house unlocked, cyber insurance providers can reject a claim if you didn’t apply ‘reasonable care’ to your systems. A failure to follow or maintain security best practice in your organisation can result in a claim not being paid at all — causing more heartache and stress in an already tumultuous time.

Update your applications

We’ve all been guilty of seeing the pop-ups telling us to update our computers and applications and snoozing them until later. They often arrive at an annoying time in your day, but installing them promptly is what keeps everything on your computer up to date and protected.

Make backups

If you are a victim of ransomware but have a backup of your information in a separate location, you won’t have to pay the ransom to get your data back. A backup ensures your data stays accessible in the event of a ransomware attack, or if something else happens to your computer: a physical robbery or even a natural disaster. These backups might be on a cloud-based server or a physical server.

Adopt a consolidated IT approach

Just as every business is required to have a work health and safety policy, we believe every organisation should have an enforceable IT policy. Such a policy should have the same checks and balances as all your other policies. We have our own IT policy that outlines a variety of major touch points with our systems and people, including:

  • How we dispose of old computers
  • How we onboard our staff and what they get access to
  • How often our computers are updated
  • What anti-virus software we use
  • How we secure our building and monitor who comes and goes
  • Two-factor authentication (more on that later)

Operate from a zero-trust security mindset

Just like work health and safety practices, there needs to be a cultural shift to ensure that IT policies are followed. Further, all staff members need to follow up when they aren’t. One of the most popular ways of enforcing this is adopting a zero-trust mindset in your cyber security. A zero-trust mindset means you stop implicitly trusting your employees and their devices, and recognise that any of them could become an internal threat to part of your system.

Use two-factor authentication & geolocation tools

Context and identity are the two main pillars of zero-trust security management. Managing people’s identities and their access to different systems is paramount to maintaining security.

Now, in a perfect world, we would all use different, highly varied passwords that meet best-practice standards, and change them regularly. In reality, we get lazy, and have a bit of cognitive dissonance about it. The best way to protect against a weak or compromised password is two-factor authentication. If the client mentioned above had had two-factor authentication enabled for their email, banking and so on, the ransomware hackers would’ve had a much harder time getting in — if they could get in at all. Using an app like Authy is one of the safest ways to do this; otherwise you can use SMS codes, which are more likely to be compromised than an app like Authy.

Even once someone has confirmed their identity, the context in which they are requesting access should still be considered. Factors such as geolocation, device type, operating system and network context are all important inputs to your access policy. For example, an email request comes through from the CEO (who would be permitted to access classified information), but it has come from an unknown device, in an unknown location, and from an IP address based in a country she’s never been to before. These are all red flags signalling that, even though we’re checking identities, there might still be a gap in the system.
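The CEO scenario above can be turned into an explicit access rule. The following is an added example (not HutSix code or any particular product’s policy engine) that scores a request against what is already known about the user: known devices, known countries and known networks. The user profile, the IP ranges (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the decision thresholds are all constructed for illustration; the general idea is that the more context is unfamiliar, and the more sensitive the resource, the less an identity check on its own should be trusted.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class UserBaseline:
    """What we already know about a user. Constructed profile for the demo."""
    known_devices: frozenset
    known_countries: frozenset
    known_networks: tuple  # CIDR strings for networks we expect them on


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    country: str          # ISO country code of the source geolocation
    source_ip: str
    sensitivity: str      # "internal" or "classified"


def context_flags(req: AccessRequest, baseline: UserBaseline) -> list:
    """Return the red flags raised by the request context, in a fixed order."""
    flags = []
    if req.device_id not in baseline.known_devices:
        flags.append("unknown_device")
    if req.country not in baseline.known_countries:
        flags.append("unknown_country")
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in ipaddress.ip_network(n) for n in baseline.known_networks):
        flags.append("unknown_network")
    return flags


def decide(req: AccessRequest, baseline: UserBaseline) -> tuple:
    """Assumed policy: no flags -> allow; any flag on classified data -> deny
    (and a human follows up); two or more flags -> step-up verification;
    a single flag on internal data -> allow but log it for review."""
    flags = context_flags(req, baseline)
    if not flags:
        return "allow", flags
    if req.sensitivity == "classified":
        return "deny", flags
    if len(flags) >= 2:
        return "step_up", flags
    return "allow_and_log", flags


# Constructed baseline for the CEO: one laptop, one country, the office network.
CEO_BASELINE = UserBaseline(
    known_devices=frozenset({"ceo-laptop-01"}),
    known_countries=frozenset({"AU"}),
    known_networks=("203.0.113.0/24",),
)

if __name__ == "__main__":
    # "ZZ" is a reserved placeholder country code; IPs are documentation ranges.
    suspicious = AccessRequest("ceo", "unknown-phone", "ZZ", "198.51.100.23", "classified")
    print(decide(suspicious, CEO_BASELINE))
```

Identity is the same in every case (the user is always "ceo"); only the context changes the outcome, which is exactly the gap the paragraph describes. In practice the baseline would be learned from past successful logins and the deny branch would page someone rather than silently fail.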

Now, that may all seem pretty doom and gloom, but ransomware attacks do happen, and they’re more common than you think. So it’s important to make your best effort to protect yourself. These are just some of the simple steps you can take to protect yourself and your business.

Originally published at https://www.hutsix.com.au on January 8, 2021.
