Why companies should not waste time to build up protection against it
In today’s digital age, cybercrime has evolved into the most lucrative and fastest growing “business sector.” All over the world, the number of cyberattacks on organizations and countries is rapidly increasing. Hackers hardly encounter any defense mechanisms when they enter the home office networks and this is the first step into creeping into corporate systems of companies around the world. Thomas Stubbings, CEO of CTS Cyber Trust Services, and Richard Knowlton, former Group Corporate Security Director of Vodafone and the current Director of Security Studies at the Oxford Cyber Academy, have analyzed why companies have no time to lose when it comes to a steep upgrade of their protective mechanisms and what types of cyber threats we will face in the future.
According to the Austrian Federal Chancellery’s Cyber Security Report, Austrian companies significantly upped their cybersecurity game in 2019 compared to the previous year: half of the surveyed companies increased their respective budget and boosted monitoring and client-based awareness measures. 96 percent of companies furthermore invested in IT security, which is also due to respective legal stipulations (also see part 1 of the Cyber Security Spotlight series on the topic of “Cybersecurity: From Best Practice to Regulation”). “One would think that’s good news,” Thomas Stubbings, CEO of CTS Cyber Trust Services and a graduate of the Global Executive MBA, says. “But unfortunately, reality paints a different picture.” Between 2018 and 2019, cybercrime attacks increased by 45 percent – across all spheres: espionage through advanced persistent threats (APTs), ransomware and phishing mails directed at small and medium-sized enterprises as well as CEO frauds (schemes in which CEOs and board members are tricked into transferring money).
It seems that also 2020 was a strong year for hackers thanks to the pandemic. “The awareness of the importance of cybersecurity has been increasing, but that does not correlate with case numbers, which keep rising exponentially.
“Some time in the future, the coronavirus will no longer be the most pressing item on the agenda. On the other hand, we will never get rid of cybercrime, particularly since it is an extremely lucrative ‘business model’ generating billions of dollars in revenues. What’s more, there are few risks involved for the perpetrators; investigating and solving cybercrime is very difficult since hackers often work from countries that virtually make it impossible to seize them.” There are several cybercrime networks connected with each other. “They form a kind of shadow economy based on division of labor in which some of them provide services to other cybercriminals, making up the so-called ‘cybercrime as a service’ sector.” Stubbings points out that the darknet is full of shops akin to Amazon in which illegal Trojan construction kits, malware, manipulated hardware cords, and stolen credit card data, some of which is even verified, can be purchased for bitcoin.
Like many things, cybercrime is undergoing change. “A CERT-EU survey found that 90 percent of successful attacks today involve social engineering,” Stubbings reports. This means that people are tricked by criminals to, for instance, click a link in an e-mail or transfer money upon a fraudulent phone call.
Also Richard Knowlton, international cybersecurity expert, former Group Corporate Security Director of Vodafone, and founder of Richard Knowlton Associates, has observed numerous advances in cybercrime in the last ten years: “The intensity and frequency of cyberattacks have grown significantly. Like other experts, also cybercriminals are increasingly relying on artificial intelligence. They are furthermore exploiting opportunities provided by the pandemic to target employees working from home using ransomware.” Knowlton sees a general trend in the rise of extortion based on ransomware and the decrease in internet fraud cases. Ransomware freezes all systems: data is only released upon a payment. This happens on both a small and a large scale. “If a company is affected, the damage it suffers can amount to millions. And ransomware is constantly getting more malicious,” Richard Knowlton finds, pointing to a cyberattack in the fall of 2020 in which all IT systems and life-saving devices at Düsseldorf University Hospital were frozen, resulting in the death of a woman.
Stubbings has observed a new trend of attacking companies’ supply chains via software updates. “In such cases, malware is distributed via software providers to tens of thousands of customers and again to their customers in a matter of only a few seconds,” Thomas Stubbings warns. An example is NotPetya, malware that exponentially propagated around the world via Ukrainian accounting software.
The two experts agree that smaller companies are targeted in sweeping attacks using ransomware and phishing mails while large corporations, most of which have refined protective measures in place by now, are assaulted in targeted attacks. “We are talking about highly sophisticated campaigns mapped out down to the tiniest details and e-mails you can hardly distinguish as phishing mails any more. They take, for instance, the shape of a response by a colleague including a personal message,” Stubbings explains. For such attacks, cybercriminals invest months in the so-called reconnaissance stage to research a company’s structure and identify the most important people in it. “Cybercriminals might attempt CEO fraud or employ technical measures to sneak their way into the system until they come across a powerful account – where they then, for instance, manipulate money transfers,” Stubbings says. Just one example: “After months of preparation in which cybercriminals diligently studied a Russian bank’s IT infrastructure, it only took them 15 minutes to hack its trading system so effectively that they could manipulate share prices and reap massive capital gains.” For Thomas Stubbings, it is thus highly advisable not only for large groups of companies but also individual enterprises to draw up a list of sensitive, privileged accounts and secure them with two-factor authentication: “In reality, most companies have several system accounts that everybody has forgotten about, and hackers use them to enter the system.” Stubbing’s advice is to implement a sandbox to check internal mails before they are forwarded.
Richard Knowlton sees a need for CEOs of large companies and politics to more actively deal with the issue of cyberthreats looming in the near future: “Quantum technology will have an enormous impact on the quality of cyberattacks,” he forecasts. Quantum computers with 1,000 times the computational power of current models might take no time to hack what is today still considered sophisticated encryption technology.
This will have a major impact on cryptographic encryption employed, e.g., by the secret services or to handle corporate money transfers. Quantum computers will be available in ten years’ time, and we already need to prepare for them today.
There is a chance companies still don’t see what’s in store for them: “For many managers, all of that is mere geeky stuff.” But new virtual hazards are popping up every day: “As digitalization advances, also industrial and even military robots as well as self-driving cars could be hacked, which is an extremely unsettling prospect,” Stubbings concludes.
“Cybersecurity is often depicted as an onion model: you should never rely on just one layer but implement many layers (i.e., a defense-in-depth concept), particularly when you are a large company with a complex structure,” Thomas Stubbings explains.
Read on for a brief description of the most important steps:
With our range of programs around digitization and transformation, you can ideally equip yourself for the digital present and future. For more information, please click here.