Here are some questions that I face during cyber discussions.
It feels like a week hasn’t gone by without news of a new high-profile cyberattack. What’s driving this wave?
The bottom line is that cybercriminals have found a way to make money through ransomware attacks. When the world first became digital, cybertechnology was a tool of states, another way to spy on each other. But then these tools started to leak and fall into the hands of criminals, which is why we see ransomware attacks for financial gain. Initially, a criminal would break into a computer system, lock it and demand payment to unlock it. That has become less effective over the years as more businesses have backed up their data. Instead, most criminals today steal information from a company and then demand payment to give that information back. And as our digital footprint increases, so does our threat surface, which gives bad actors more opportunities to exploit. During the pandemic, so many businesses raced to go digital. Security WAS NOT their top concern in that rush.
Say I’m a large department store. What kind of information can be stolen?
Most often, stolen information is just tombstone data: name, address, birth date, social insurance number. If the business or institution that gets hit is not willing to pay the ransom, the information gets posted on the dark web as something other criminals can leverage. Everything has a price attached to it: 50 cents per credit card number, two dollars per passport number. This kind of personal information is used to fuel scams, usually phishing schemes, which have become an everyday occurrence.
And institutions get hit hard too. The average cost of reported ransom payments is escalating, but there is also the cost associated with having to take your entire system offline to prevent any spreading. Getting it back up and running IS costly, both in terms of hiring technical experts and having your business offline for days or weeks on end. And if you are a business with clients, there is going to be a cost in terms of relationships and rebuilding trust.
So the hacker stereotype of the basement-dwelling internet nerd is no longer accurate?
There are still hackers who live that life. They are the ones who develop the breaching tools, only now they are selling them to more sophisticated criminal enterprises like LockBit and BlackCat, which operate on an actual business model called RaaS, or Ransomware as a Service. These groups rent out their ransomware tools to other criminals and take a cut from ransoms paid by victims. You don’t need to know how to code to launch a cyberattack; you just need to know how to navigate the dark web, and other people will do it for you.
What about the scenes in Mission: Impossible where Tom Cruise is trying not to set off any of the laser trip wires? Now it’s all just clicks?
A single click can allow a malicious actor to bypass all your organization’s defenses, and once they’re in, they can communicate with people on the outside.
Is paying ransom an ethical dilemma, or a business decision?
The US has laws against paying ransom. The government doesn’t recommend it, but yes, it’s a calculation. Any business considering it must factor in two things: first, you’re dealing with a criminal and there is no guarantee that they will hold up their end of the bargain. In some quarters there is honor among thieves, but at the end of the day you just don’t know.
Are there professionals who specialize in handling these sorts of situations?
There are professionals who will hold your hand through a ransom negotiation, but ideally, we want organizations to invest in cybersecurity to avoid these situations in the first place. When an incident does happen, our organization has published a ransomware playbook that contains lots of guidance about protecting yourself. We encourage anyone who has been the victim of an attack to report it so that we can assist. Our services are totally confidential. We know that cybercrime is often under-reported, perhaps because of shame or because the victims are too busy managing the immediate situation. https://www.linkedin.com/pulse/top-5-myths-ransomware-richard-freiberg-cpa-pc-vwgke%3FtrackingId=m44C2L%252FlRqmtSzRA2KI1hQ%253D%253D/?trackingId=m44C2L%2FlRqmtSzRA2KI1hQ%3D%3D
What is the biggest cybersecurity mistake you see businesses making?
We hear people say, I’m a small or medium business, why would anyone come after us, but that’s not the point. It doesn’t matter what niche your business is in or how large it is. If cybercriminals find a weak spot, they will exploit it. Almost always these weak spots come down to a failure to update. Whether it’s an iPhone or a corporate server, the update notifications you receive aren’t just about adding functionality; they’re about closing vulnerabilities.
So, running an old OS is like leaving your keys in your glove compartment?
Exactly. That’s why I always say: patch, patch, patch.
We are also seeing cyberattacks against critical infrastructure and government.
Ransomware attacks hit critical infrastructure and governments too, but in cases of nation-state driven attacks the motivation is generally strategic: either to steal some kind of valuable information or to destabilize the target. Russia shut down electricity in Ukraine two Christmases in a row in 2014 and 2015. You can imagine if that were to happen in the northeast during winter; the impact would be devastating, as the Colonial Pipeline attack showed. https://www.linkedin.com/pulse/what-weve-learned-16-months-after-colonial-pipeline-/?trackingId=obosB5L9S0qrJBia8dEgIA%3D%3D
Phishing emails are a growing problem. What is your best advice on how to avoid them?
Everyone must be very critical of the emails they receive. Phishing is more sophisticated now. Before, you’d just look out for weird sentences and grammar mistakes to know something was fake, but now cybercriminals are using ChatGPT to craft emails that are indistinguishable from the real thing. And it’s moving from the written word to voice and video. They can go on YouTube, hear my voice in an interview I’ve done, and now they can have my voice saying anything they want.
You’re talking about deepfakes. Was Taylor Swift a hot topic around the office back in January?
Deepfakes ARE a topic of conversation, especially from the point of view of electoral security. More and more we’re seeing cyberthreat actors use AI to generate misinformation, whether it’s fake phone calls or videos. Over half the world will vote in the next year, so this could be hugely consequential.
To best protect yourself from becoming a victim of cybercrime, it is highly advisable to reach out to us.
Richard Freiberg
Profitability Consultant
Richard Freiberg CPA PC
Phone (980)339-3352
Cell (914)393-0033
www.rmfreibergcpa.com
Providing valuable counsel to help boost your company’s bottom line, while navigating competitive forces, industry, and economic risks in today’s challenging environment