By Kathy Gibson – Everyone has something that can be stolen – and we make a big mistake in not realising that all of us can provide access to lucrative cybercrime targets.
This is the word from Professor Elmarie Biermann from the Cyber Security Institute, who told delegates at Pinnacle’s All Things Cyber Security conference that ransomware is still one of the major threats to organisations, closely followed by email fraud.
Often the one works hand in hand with the other, with phishing emails the route into a corporate system.
“Ransomware is not a new thing,” she explains. “Cybercriminals just use the latest technology to make money – and some criminal organisations are making as much as Euro 300 000 per year.”
Currently about 40% of organisations do pay the ransomware, and the amount they are paying is going up.
In South Africa, amounts of R3,5-million are not unusual, Biermann says.
“So it’s not going away, and companies need to approach cybersecurity form a risk management perspective.
“There is no one silver bullet – you need to apply solutions that match your risk profile.”
Many ransomware criminals are now not only encrypting data, but also stealing it. And a new wrinkle is emerging where the data will be published if a ransom isn’t paid.
“We know there were breaches in some organisations because the criminals published it.”
Security is less about technology than about people, Biermann adds. This includes the criminals and the people working within an organisation too.
“The Gautrain breach was a person inside the company. And this is not uncommon, there are a lot of people in companies who are not happy.
“So risk managers needs to have their finger on the spirit of the organisation.”
Supply chain threats are also real and growing, Biermann says. A newly-reported US bank breach, with 1,5-million records was actually breached in December 2021, so those records have been available for six months.
Complicating the security and risk environment is the constant change, Biermann says.
“If you look at new technologies, such as quantum, think about what the impact will be down the line. For instance, the SSL protocol is there to protect data at a packet level. It uses advanced encryption technologies, which would take about 30 years to break using normal technology. But quantum technology will make it easy to decrypt data that could be stolen now or later.”
Blockchain is another technology that is being used in new security developments, she adds.
In future, digital identities will become more important, and will have to be matched to a person’s physical identity.
“There are sites that can recreate your digital identity, from your hardware to your software and access,” Biermann points out.
“Your banking app utilises that online flowchart, for instance it may flag you if something is different. Synthetic identities are now rising to the next level and simulating the full digital identity.”
Every user leaves a digital trail with every transaction they perform, or message they send – even the statistics collected by a smart watch – adding to their digital profile.
The cybercriminal is no longer a guy in a hoodie, Biermann adds. Today, they include state-sponsored entities who have a geopolitical motivation to take the war to the digital space.
Cybercriminals are in it for profit, hacktivists for ideology and terrorist groups for ideological violence as well as money. Thrill-seekers still do it for satisfaction, but there are fewer in number now; and insider threats are often as a result of employee discontent.
Leaders involved in risk management in their organisation need to understand the type of threats that will be levelled against them – and this means training employees to be aware, while the relevant technology solutions have to be implemented.
“Remember, companies are different: what is relevant for your company is not relevant for another.”
An emerging threat is ransomware as a service: Maze Cartel, which started the double extortion model, now provides a ransomware ecosystem that can be bought or leased.
They also develop new versions of the ransomware systems, and sell various iterations depending on their partners’ requirements.
This is why it’s so important to keep PCs and mobiles updated and secured, Biermann adds. “Mobile phones are now the main point of entry into networks.”
Once a company has been targeted by ransomware, they may think their problems are over – but they are probably just beginning, says Biermann. “Once they have been breached, they draw the attention of other hackers and researchers, leading to more vulnerabilities being discovered and exploited.”
To counter risks, security needs to be governed and managed from board level, says Biermann, because resources and money have to be assigned.
“Security is not an IT issue – it is a business issue. There has to be a proper risk management system in place.
“And compliance does not mean you are secure,” Biermann adds. “You need a layered approach of security controls that fit your organisation, coupled with a training programme.”
Companies also need to establish incident and breach response processes; with a plan to deal with breaches when they do occur.
It’s important to understand what assets there are and what the data flow is, recognising where the critical data is so you can protect is.