A news story in the IT security press on July 20th reported on a very large US law firm that acted for Fortune 500 companies that had been breached with ransomware earlier this year. As you would expect, this law firm held a great deal of highly sensitive and business-critical data about their clients. Their customers included Apple, Boeing, IBM, ExxonMobil, Fisher-Price, Ford, Honda, and many more.
Now data breaches are rife these days, but ransomware gangs are increasingly pulling double-extortion attacks. They first encrypt your data and hold you to ransom to get it back, but they will also copy that data. Once you’ve paid to have it unencrypted, they will say, “Ah, by the way, we took a copy of everything, and we’re going to release the lot on the public web unless you pay us again.”
Big company = big target … no one is interested in the data my small business holds
You might think that because this is a large law firm with large clients and it is over in the States, this doesn’t relate locally. Unfortunately, this couldn’t be further from the truth. If you are a service provider and hold anything like critical data about your customers, you are a high-profile target. No matter what your size.
You may be a small accountant, law firm, or another professional service organisation, but you are a target now. Not for the value of your business data but for the value of your customers’ business data. Because they only have to breach you once to get everything on all your customers!
What do you need to do to protect yourself?
Just because you have anti-virus or anti-malware software doesn’t mean you are protected. It is a starting point. Various pieces of security software do different jobs.
An anti-virus package would prevent some programmes from running automatically. It will listen out for the kind of activities that shouldn’t happen on your computer, and it will stop them from happening.
However, the main reason ransomware is so effective is that it comes in through phishing attacks.
Your staff are your biggest weak spot.
Phishing attacks, by and large, come as a plausible-looking email with a link, sent to your staff members. The problem with the link is that when they click it, that click is human permission to overrule your basic anti-virus software. When the link is clicked, the PC is being told, ‘Yes, run this.’
Obviously, they didn’t know they were giving this permission, but they have given the software authority to run, and it will then go and encrypt everything in sight! Game over.
Cybercriminals are constantly coming up with new extortions
Ransomware gangs are coming up with ever-nastier tricks. Increasingly we are seeing tactics such as setting a ransom figure to unencrypt your data that could be £20,000 or £2 million; they pick a number they know you can’t afford.
When you can’t pay that amount, they make a counteroffer. Your data will be unencrypted for free if you agree to pass on their phishing attack to some of your customers. They are asking you to infect your customers to get your data back.
This is because successful phishing attacks come from recognised and trusted sources, such as a supplier. And, if you email your customers saying, ‘I just need to adjust this invoice,’ of course they are going to trust it and trust you and will click on that link. They want to use your credibility as a Trojan horse to attack your customers.
What should you do?
The advice from GCHQ, the police, and the security industry is, DO NOT PAY THE RANSOM.
In reality, if you are the victim of a cyberattack, it is probably too late for you. If you do pay and they unencrypt your data, how do you know that they won’t encrypt it again in the future? How do you know they haven’t copied it?
There is a significant reference case on this one, a video game software company in Poland, CD Projekt Red. They published a title recently called Cyberpunk 2077. They had a ransomware attack. Their software was encrypted, and the ransomware people had taken a copy and threatened to release their source code on the web if they didn’t pay the ransom. And they did: the source code for Cyberpunk 2077 and other titles was released on the web, along with some employee personal data.
How can you improve your cybersecurity?
There are several things you can do to protect your business from cyber-attacks.
First and foremost, get some cybersecurity certification. You can start with Cyber Essentials. That is a good start, but it is only a start. There are higher, more robust standards of certification you can achieve.
Secondly, get some software over and above your standard anti-virus, designed explicitly for managing ransomware attacks. Several titles are out there that look for different kinds of activity and recognise it, even if someone has clicked a link and given it the authority to run. For example, one software vendor has a product that can roll back the encrypted data to before the attack happened, even if a ransomware attack gets through. Another vendor has a product that ring-fences every piece of software and application on your computer and limits what you are allowed to do. So even if your web browser has full permissions to run as a web browser, it will stop running browser extensions it hasn’t seen before. It can also prevent data theft, disabling people from being able to plug in USB storage keys. It can even prevent people from being able to email files to themselves at home.
There are several technical solutions, but none of them are any good on their own.
Build your security castle walls
An analogy I like to use is one of a castle. Each one of these solutions builds the walls of your security castle a bit higher. But, only in their bit of the wall. So if you had no anti-virus and install anti-virus, you have built that part of your castle wall a bit higher. But attackers never go for the high points of the wall; they always go for the low points of the wall.
So the best advice I can give is that cyber certification will make you look at all the walls around your business. Surprisingly, only a few of them are technical. Many of them are procedural or policy-based. They are business rules, not technology rules.
Things like cyber awareness training and simulated phishing attacks all play a part. You can get services that simulate a phishing attack and then report back on which of your staff opened the email. The critical thing to remember is that this isn’t a stick to beat your team. Instead, it is a litmus test for how successful your training has been. In effect, you are auditing the success of your cybersecurity training and awareness across the business rather than auditing what individual people do.
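As an added illustration of that last point (this is example code written for this post, not a report from any phishing-simulation service), the script below takes simulated-phishing results and reports them per campaign and per department rather than per person. The data is constructed, the tuple layout is an assumption about what such a service might export, and the minimum group size is an assumed policy setting; the idea it shows is that you compare click and report rates between campaigns to see whether training is working, and you suppress any breakdown small enough to single out an individual.

```python
"""Aggregate simulated-phishing results so that the output measures the business's
training, not named individuals.  Added example with constructed data."""

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: one tuple per simulated email sent.
# Layout is an assumption: (campaign, department, opened, clicked, reported).
# "reported" means the recipient forwarded the email to IT as suspicious.
SAMPLE_EVENTS = [
    ("2023-Q4", "finance",   True,  True,  False),
    ("2023-Q4", "finance",   True,  True,  False),
    ("2023-Q4", "finance",   True,  False, True),
    ("2023-Q4", "finance",   False, False, False),
    ("2023-Q4", "finance",   True,  True,  False),
    ("2023-Q4", "legal",     True,  True,  False),
    ("2023-Q4", "legal",     True,  False, False),
    ("2023-Q4", "legal",     True,  True,  False),
    ("2023-Q4", "legal",     False, False, False),
    ("2023-Q4", "legal",     True,  False, True),
    ("2023-Q4", "directors", True,  True,  False),
    ("2023-Q4", "directors", True,  False, False),
    ("2024-Q1", "finance",   True,  False, True),
    ("2024-Q1", "finance",   True,  True,  False),
    ("2024-Q1", "finance",   False, False, False),
    ("2024-Q1", "finance",   True,  False, True),
    ("2024-Q1", "finance",   True,  False, True),
    ("2024-Q1", "legal",     True,  False, True),
    ("2024-Q1", "legal",     True,  False, False),
    ("2024-Q1", "legal",     True,  True,  False),
    ("2024-Q1", "legal",     False, False, False),
    ("2024-Q1", "legal",     True,  False, True),
    ("2024-Q1", "directors", True,  False, True),
    ("2024-Q1", "directors", True,  False, False),
]

# Assumed policy: a department with fewer recipients than this is not broken out,
# because a rate over two or three people effectively names who clicked.
MIN_GROUP_SIZE = 5


@dataclass
class Stats:
    sent: int = 0
    opened: int = 0
    clicked: int = 0
    reported: int = 0

    def add(self, opened: bool, clicked: bool, reported: bool) -> None:
        self.sent += 1
        self.opened += opened
        self.clicked += clicked
        self.reported += reported

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent if self.sent else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent if self.sent else 0.0


def summarise(events):
    """Return {campaign: (overall Stats, {department: Stats})}.

    Departments below MIN_GROUP_SIZE are dropped from the breakdown but still
    counted in the campaign total, so nobody is singled out and nothing is lost.
    """
    overall = defaultdict(Stats)
    by_dept = defaultdict(lambda: defaultdict(Stats))
    for campaign, dept, opened, clicked, reported in events:
        overall[campaign].add(opened, clicked, reported)
        by_dept[campaign][dept].add(opened, clicked, reported)
    return {
        campaign: (stats, {d: s for d, s in by_dept[campaign].items() if s.sent >= MIN_GROUP_SIZE})
        for campaign, stats in overall.items()
    }


def training_effect(summary, before: str, after: str) -> dict:
    """Change in click and report rates between two campaigns.

    A falling click rate and a rising report rate are the signs training is working.
    """
    b, a = summary[before][0], summary[after][0]
    return {
        "click_rate_delta": a.click_rate - b.click_rate,
        "report_rate_delta": a.report_rate - b.report_rate,
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_EVENTS)
    for campaign, (stats, depts) in sorted(summary.items()):
        print(f"{campaign}: sent={stats.sent} click={stats.click_rate:.0%} report={stats.report_rate:.0%}")
        for dept, s in sorted(depts.items()):
            print(f"  {dept}: click={s.click_rate:.0%} report={s.report_rate:.0%}")
    print(training_effect(summary, "2023-Q4", "2024-Q1"))
```

Run as-is it prints the two campaigns, the departments large enough to show, and the change between them; the two-person "directors" group is folded into the totals rather than listed, which is the whole point of reporting on the business rather than on people.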
So if you have not completed Cyber Essentials, which walks you through a basic security policy, we would strongly recommend that you do that. Please talk to us if you need any more advice.
If you do not have a technology partner to advise you on the IT side of IT security, again, talk to us; we can help.
The overall message is that just because you are a small organisation does not mean that you are not a high-value target to cybercriminals. You are, and you need to protect yourself and your clients.