It is sound business sense to be able to fully exploit the revenue potential of any product. Why wouldn’t the developers and controllers of malicious software do the same?
Cyber criminals are now not just encrypting data then demanding money, they are also using the threat of releasing that data into the public domain to pressure victims into paying the ransom.
Ransomware remains one of the most prevalent threats an organisation faces, with the main route of infection through phishing emails.
Reports from the National Cyber Security Centre (NCSC) and results from the annual cyber security survey of businesses and charities by the Department for Digital, Culture, Media and Sport (DCMS) show 86% of malicious software attacks involve phishing. New waves of phishing emails from ‘HMRC’ and ‘TV-Licensing’ are being complemented by those using the Covid-19 pandemic as a masquerade.
If the individual’s social media privacy settings have not been set correctly and they share too much information on their work-related activities, then this can help attackers make their phishing emails much more plausible.
In a recent example, attackers exploited social media information about a project team working in a foreign country. The employees posted details of their location and the project, and the attackers used the information to submit an invoice to the head office in London, which was almost paid.
Many cyber criminals sell on leaked data on the dark web and this often creates many waves of attacks long after the original breach, with a supply chain of criminals willing to purchase the data sets. This makes it essential to regularly monitor the dark web.
Managing these risks requires a comprehensive approach using both technical and procedural controls, as well as education.
Putting in place the technical controls
Technical controls applied to the IT infrastructure need to be easily configurable to meet emerging threats, while being cost-effective and having minimal impact on the user experience. Such controls include using only trusted security software on all devices and keeping software and operating systems up to date through regular patching.
The adoption of cloud services can also help mitigate a ransomware infection, since many cloud services retain previous versions of an organisation’s data.
Encryption is another option, but the business case needs to be clear and in some cases there are regulations that demand that it is adopted as a minimal security requirement.
Creating the right culture through education
Phishing attacks can be mitigated by implementing email gateways that try to trap phishing emails, but these will never stop 100% of the potential attacks, making a user education programme essential. There are some simple things a user can look out for that should alert them to whether an email is authentic, and training people not to click on a link or enable macros without being completely sure the email is genuine is a key part of this approach.
This is increasingly important with growing numbers of staff working at home who need to ensure they keep their work separate from their home-based IT systems.
Hiding data in plain sight
Protecting data is no longer about just preventing access, but ensuring it is only shared based on who is requesting it. Watermarking data by adding unique values to identify compromised information, and using data loss prevention tools, can also be useful.
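The watermarking idea above, as an added example that is not part of the original article: each recipient's copy of a data set gets a decoy record derived with an HMAC, so a leaked copy can be traced back to the copy it came from. The key, recipient names, data set label and sample rows are constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo values: key, recipients, data set label and rows are assumptions.
WATERMARK_KEY = b"constructed-demo-key"
RECIPIENTS = ["finance-team", "marketing-agency", "payroll-provider"]
DATASET = "customers-2020"
SAMPLE_ROWS = [
    {"name": "Priya Shah", "email": "priya.shah@example.org"},
    {"name": "Tom Reid", "email": "tom.reid@example.org"},
    {"name": "Ana Costa", "email": "ana.costa@example.org"},
]

def canary_record(recipient, dataset):
    """Derive the decoy record that is unique to one recipient's copy."""
    msg = f"{dataset}|{recipient}".encode()
    tag = hmac.new(WATERMARK_KEY, msg, hashlib.sha256).hexdigest()[:12]
    # The decoy looks like a normal row; only the key holder can recompute it.
    return {"name": "Alex Morgan", "email": f"alex.morgan.{tag}@example.org"}

def watermark_export(rows, recipient, dataset):
    """Return a copy of rows with the recipient's decoy at a derived position."""
    canary = canary_record(recipient, dataset)
    marked = [dict(r) for r in rows]
    digest = hashlib.sha256(canary["email"].encode()).hexdigest()
    marked.insert(int(digest, 16) % (len(marked) + 1), canary)
    return marked

def attribute_leak(leaked_rows, recipients, dataset):
    """Return the recipients whose decoy value appears in a leaked data set."""
    seen = {str(r.get("email", "")).strip().lower() for r in leaked_rows}
    return [r for r in recipients if canary_record(r, dataset)["email"] in seen]

if __name__ == "__main__":
    issued = watermark_export(SAMPLE_ROWS, "marketing-agency", DATASET)
    # Constructed leak: the issued copy re-ordered and with emails upper-cased.
    leak = [{"email": r["email"].upper()} for r in reversed(issued)]
    print(attribute_leak(leak, RECIPIENTS, DATASET))
```

Because the decoy is recomputed from the key rather than stored, the check needs no lookup table of issued watermarks, only the list of recipients and the data set label.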
One of the main questions that we are asked when responding to an incident is ‘Can you find our personal data?’. The ability to identify personally identifiable information (PII) that is present on large IT estates is essential and a fundamental part of complying with the General Data Protection Regulation (GDPR), with the need to have an inventory of PII held by the organisation.
Moving away from the password
Advances in biometric authentication, now prevalent on mobile telephones, are becoming more sophisticated, allowing less intrusive means of authentication.
Innovations, such as Microsoft Hello, are replacing passwords with biometrics and a simple PIN. Recently, the State University of New York announced that it had successfully created a 3D finger vein biometric authentication method that provides levels of specificity and anti-spoofing that were not possible before. Such advances in technology will remove the chances of weak or reused credentials being exploited.
Using AI to spot the potential breach before it occurs
Artificial intelligence (AI) is becoming a fundamental part of protecting an organisation against data loss. In a complex environment faced with many threats, the traditional approach of just monitoring technical feeds is no longer enough. This is where AI can play its part, understanding or learning what is the normal level of accepted security and then spotting trends across a wide range of technical and human factors that indicate risky behaviour or actions, which, if spotted in real time, can avoid data loss before it occurs.
It is clear that a full range of all these tools will be needed to protect personal data effectively.
Jim Metcalfe is a cyber security expert at PA Consulting.