In this second blog article in our series of three, we focus on ransomware and other areas of high-level cyber risk.
Strengthening Cybersecurity Models to Counter Threat
One year after the start of the Russian-Ukrainian conflict, the Department of Homeland Security’s (DHS) Cybersecurity Infrastructure and Security Agency (CISA) continues to emphasize the cybersecurity recommendations it issued the previous year in February 2022. The Shields Up campaign specifically raises awareness about the possibility of sponsored cyber-attacks targeting companies and other entities associated with the American aerospace and defense sectors.
In addition to the preventative measures that are put into place within entities themselves, the CISA launched the Ransomware Vulnerability Warning Pilot (RVWP) in March 2023. This is a program by which data sources, tools and other resources at the disposal of CISA can be shared and leveraged in order to fight back against ransomware attacks.
Ransomware attacks, as well as other means of catastrophically destabilizing and destroying a company’s information systems, are on the rise and becoming more and more dangerous. In this article, we will delve into some of the specifics of the risks relating to these attacks and what organizations can do to best protect themselves, their data and the longevity of their business activity.
Ransomware Attack: Definition and Mode of Operation
A ransomware attack is one type of cyber-attack that an organization could potentially face. In this scenario, an attacker takes control of the information systems and encrypts part or all of the data they contain. Where the encryption is reversible, a ransom demand from the attacker follows, usually accompanied by a threat to disclose, damage or delete the data held hostage by this individual or group.
Although the attacker can use several methods, such as sending an email containing a dangerous attachment or luring users to a fraudulent website, the objective always remains the same: to break into the information systems and reach the company’s key assets and resources. Once inside the systems, the ransomware attack begins in earnest, using the organization’s access accounts and potentially compromised identities. A ransomware attack is, therefore, always the consequence of a malicious intrusion followed by an exploitation phase that uses one or more user or technical accounts with sufficient privileges.
Dealing with the threat of ransomware attacks cannot be reduced to simply equipping yourself with a good extended detection and response (XDR) or anti-virus system, no matter how effective it may be.
Faced with the growing creativity of attackers and with insider threats, which together represent the largest share of cyber risk, there is one key word that sums up a company’s responsibility for preventing cyber threats: readiness.
A Growing Threat with Sophisticated Approaches and Costly Impacts
Among the cyber threats identified, the risk of ransomware attacks remains high. In 2022, this type of attack was responsible for 11% of data breaches compared to 7.8% in 2021, an increase of 41% in one year.¹ Beyond this, the evolution of the tactics used by the perpetrators of these attacks calls for great caution. Through increasingly sophisticated strategies and the targeting of less conspicuous access paths, ransomware attacks often go undetected, leaving attackers significant leeway to compromise all of an organization’s resources in a very short time. The impact of this type of attack is considerable. Beyond the disruption of its activity, a company’s potential loss of credibility and reputation comes at a price: $4.54 million on average,¹ not counting the cost of a possible ransom.
Ransomware attacks are therefore a critical risk for organizations and require the deployment of optimal protection and security measures. Legacy anti-virus software, as useful as it may be in countering attacks, will not be sufficient to protect an organization’s assets. With the increasing sophistication of attacks, new questions are emerging. How can the impact of a successful attack be minimized, and its risk anticipated? What are the vulnerabilities that could be exploited, and how can they be identified?
Application Sprawl and Cloud Computing: Access Rights Security First
Other issues beyond the prevalence of ransomware require organizations to be more vigilant in their cybersecurity policies and posture, including the ever-increasing presence of data, assets and resources in the cloud. Over the last few years, more and more companies have embraced the cloud, sometimes precipitously, whether to capture new opportunities, optimize productivity, develop innovative capabilities, or meet the needs of remotely working employees. As a result, most of them now run hybrid and complex architectures because of their use of cloud computing.
While the move to the cloud is widely perceived as a step forward, it is not without risk. In 2022, 45% of all reported data breaches occurred in the cloud.¹ As data is stored, processed and managed via remote services, new issues around securing access rights are emerging, bringing with them associated strategies and controls.
Similarly, with the increase of the cloud’s presence in day-to-day operations, companies are seeing the number of applications used by departments and employees grow, both locally and in the cloud. Today, most departments have 40 to 60 tools each, with over 200 applications at the enterprise level. Large organizations have an average of 364 tools, while small businesses have an average portfolio of 242 applications.²
The explosion in the volume of data stored and the number of applications used, as well as the emergence of new uses with the advent of the cloud, represent a real challenge. How can access to all of a company’s resources be controlled when those resources are scattered across both sides of the information system, on-premises and in the cloud? At a time when potential attack surfaces are multiplying, how can an organization know exactly who is accessing which resources at scale, and how can this be verified?
Human Error and Negligence: A Major Vector of Risk
In its 2022 report on the cost of global insider threats, the Ponemon Institute reported that 56% of attacks that occurred in the companies it surveyed were the direct result of employee or contractor negligence. The same report found that incidents originating within the organization have jumped 44 percent in the past two years. The average cost per incident has increased by more than a third to $15.38 million. More than 1,500 of the total incidents reported by the organizations surveyed, or nearly 26%, were caused by malicious internal users, with an average cost of $648,062 per incident.³
While it is never pleasant for an organization to imagine that the threat could come from within, this is, unfortunately, a common occurrence, and measures must be deployed to protect against it. Session locking, for example, is widely practiced yet often regarded as rudimentary, and it is far from being adopted unanimously throughout an organization. It is nevertheless the first line of defense against the theft of logins and passwords and, by extension, identity theft. In the same way, while some people avoid using any public Wi-Fi network, others are happy to take full advantage of working remotely and use the often unsecured network of the local café or business to send emails to both internal and external recipients. Awareness of the risks associated with this type of practice varies from one individual to another.
Mitigate Risk with Principles of Least Privilege and Identity Analytics
The lack of endpoint security, the failure to respect the security policies in force within a company, and the failure to apply available updates and patches are also particularly concerning. While awareness and training on cyber risk are desirable and a strict internal security policy is necessary, these alone will never be enough to mitigate this type of situation.
One way to balance this out is to enforce the principle of least privilege as a way of reducing the attack surface. In general, access rights and permissions should be granted as precisely as possible, and only when needed. In addition to the principle of least privilege, the need-to-know principle and segregation of duties policies can help an organization to better monitor who has access to what, and whether that access is legitimate, as a means of countering the risk that comes with employee and third-party negligence or malice.
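The three principles above can be turned into concrete access-review checks. The following is an added example, not Radiant Logic's code or any product's logic; the entitlement data, the department scoping, the toxic role pair and the 90-day idle threshold are constructed assumptions for illustration.

```python
from datetime import date

# Constructed sample data (assumptions, not from the article): the roles each
# user holds, with the date each role was last exercised.
ENTITLEMENTS = {
    "alice": {"ap_invoice_entry": date(2023, 5, 2), "ap_payment_approval": date(2023, 5, 3)},
    "bob": {"hr_payroll_view": date(2022, 9, 1), "sales_crm_user": date(2023, 5, 4)},
    "carol": {"sales_crm_user": date(2023, 5, 1)},
}
USER_DEPARTMENT = {"alice": "finance", "bob": "hr", "carol": "sales"}
ROLE_DEPARTMENT = {
    "ap_invoice_entry": "finance", "ap_payment_approval": "finance",
    "hr_payroll_view": "hr", "sales_crm_user": "sales",
}
# Segregation of duties: role pairs that one person must never hold together
# (here, entering an invoice and approving its payment).
TOXIC_PAIRS = {frozenset({"ap_invoice_entry", "ap_payment_approval"})}
MAX_IDLE_DAYS = 90  # least privilege: access unused this long is a revocation candidate


def sod_conflicts(entitlements=ENTITLEMENTS, toxic_pairs=TOXIC_PAIRS):
    """Users who hold both halves of a toxic role combination."""
    return [(user, tuple(sorted(pair)))
            for user, roles in entitlements.items()
            for pair in toxic_pairs if pair.issubset(roles)]


def need_to_know_violations(entitlements=ENTITLEMENTS,
                            user_dept=USER_DEPARTMENT, role_dept=ROLE_DEPARTMENT):
    """Roles scoped to a department other than the holder's own."""
    return [(user, role) for user, roles in entitlements.items()
            for role in roles if role_dept[role] != user_dept[user]]


def stale_entitlements(today, entitlements=ENTITLEMENTS, max_idle_days=MAX_IDLE_DAYS):
    """Roles not exercised within max_idle_days."""
    return [(user, role) for user, roles in entitlements.items()
            for role, last_used in roles.items()
            if (today - last_used).days > max_idle_days]


def review_access(today):
    """One access-review pass returning every finding grouped by principle."""
    return {"segregation_of_duties": sod_conflicts(),
            "need_to_know": need_to_know_violations(),
            "least_privilege_idle": stale_entitlements(today)}


if __name__ == "__main__":
    for principle, findings in review_access(date(2023, 5, 30)).items():
        print(principle, findings)
```

Each finding is a (user, role) pair an access reviewer should confirm or revoke; in practice the entitlement data would be pulled from directories and application role stores rather than embedded.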
In the third and final blog in this series, we will explore how to counter cyber threats by using an identity analytics tool that, at its root, provides a way to be sure that the right person has the right access to the right data at the right time. Until then, schedule a meeting with our team at the upcoming Identiverse conference from May 30 through June 2 in Las Vegas, Nevada; we’d love to connect in person.
- Cost of a Data Breach Report 2022, IBM and Ponemon Institute, https://www.ibm.com/reports/data-breach
- Ponemon Institute, A Crisis in Third-Party Remote Access Security Report, 2021, https://security.imprivata.com/wp-state-of-cybersecurity-third-party-remote-access-register.html