Cybercrime: Costs Run Deep

By Paramesh Vaidyanathan, Skytop Contributor / August 22nd, 2022 

 

Paramesh Vaidyanathan is a software technologist with over three decades of experience. Based out of the Seattle area, Paramesh spent 23 years building software and leading teams at Microsoft Corporation. His experience spans platform and infrastructure software (Microsoft Windows family of products), and developer tools (Microsoft Visual Studio). With an initial focus on local area networking performance and quality, Paramesh went on to lead large engineering teams there. His tenure included a five-year stint as one of the key leaders of Microsoft’s India Development Center in Hyderabad, India. Since “retiring” from Microsoft in 2012, Paramesh has spent his time, efforts and money working with, advising, and investing in software startups in the fields of Healthcare, Education, and Cybersecurity. He consults through his company, Yenodu LLC, which he co-founded with his wife in 2012. His current focus is on helping companies large and small, particularly in Healthcare, become more Cybersecurity aware and ready.

Paramesh has a Master’s Degree in Electrical (Computer) Engineering from Virginia Tech, and a Bachelor’s Degree in Electrical and Electronics Engineering from Anna University, Chennai, India. In his spare time, Paramesh dabbles in gardening, reading and playing bridge. 


Worldwide Impact of Cybercrime 

It is estimated that the worldwide impact of cybercrime will be $10.5 trillion by the year 2025, placing innovation and investment at severe risk. Innovation in cybersecurity is essential not only to be competitive but also to thwart cyber attackers and to protect enterprise data. Cybercrime costs result both from the loss to the enterprise from the crime itself and from the steps necessary to restore the enterprise to the state it was in before the crime was committed. The losses from the crime could include the damage and destruction of data, downtime, notification costs, loss of intellectual property, theft of personal and financial data or money, and embezzlement or fraud. When data is damaged or destroyed, the company must spend time, effort and money investigating the losses, and restoring and fixing them. In addition, the company’s public reputation would very likely be tainted.

Small to Medium Sized Businesses at Risk 

Accenture points out that cybercrime against businesses, particularly small to medium sized businesses (43% of cyber-attacks are aimed at small businesses), is increasing in frequency and complexity. With the evolution to a remote/hybrid model of operation, companies have made themselves the target of more sophisticated and mature attacks from criminals. With employees logging into corporate networks from poorly secured home networks and sometimes personal devices, the exposure of enterprises to attacks, especially those with legacy IT infrastructure and large on-premises footprints, has become significant. Legacy tools built for the old world order of networks and devices don’t stand a chance against the enhanced intelligence used by criminals to break into enterprises.

Ransomware a Significant Threat 

Ransomware has emerged to become perhaps the most significant threat to organizations. Ransomware prevents or limits users from accessing resources in their networks or devices, encrypting files until a ransom is paid. Ransomware can find its way into systems in several ways. It can arrive as a payload via email attachments, be downloaded by unwitting users who visit malicious websites, or be delivered via other malware. Once in the system, ransomware looks for and encrypts certain file types. It then issues a message to the user to force them to pay a ransom to get a decryption key that can be used to unlock the files.

Ransomware attacks almost doubled in frequency between 2020 and 2021. At the same time, the dollar amount sought for ransom has also increased. Ransomware has affected government agencies, all types of companies, and more recently, supply chains for gasoline, food and medical supplies.

Stages of Ransomware: 

A typical ransomware flow includes the following stages:

  • Initial entry – using one of several means, including Remote Desktop Protocol brute-forcing, email, malicious websites, employees who unknowingly expose their corporate credentials via targeted email or dangerous websites, or software bugs.

  • Server-side entry – exploiting vulnerabilities in Internet-facing servers and systems that are exposed by tools like Shodan or Masscan.

  • Command and Control establishment – once they are in, attackers make contact with breached devices, establishing a firm presence and enabling themselves to carry out the rest of the attack remotely.  

  • Lateral movement – using various tools that can now be pushed in from outside the enterprise, attackers move around the network looking for more weaknesses, scanning for appropriate data to control/take out. 

  • Exfiltration of Data – going beyond just encrypting and holding businesses to ransom, attackers have moved towards doubling their damage – they exfiltrate key data and destroy backups before the encryption takes place. Exfiltrated data is used to blackmail organizations, with attackers threatening to publish sensitive information online or sell it on to the organization’s competitors if they are not paid. 

  • Data encryption (lockdown) – using advanced encryption techniques, threat actors encrypt all the data inside the organization rendering the businesses helpless. 

  • Ransom note – attackers request payment in return for a decryption key and threaten the release of sensitive exfiltrated data. 

  • Clean up – after paying the ransom and securing its data, enterprises work towards protecting themselves from the vulnerabilities that exposed them in the first place. However, data shows that 80% of ransomware victims will be targeted again! 

  • Recovery – the organization begins attempts to return its digital environment to order. Even if it has paid for a decryption key, many files may remain encrypted or corrupted. Beyond the costs of the ransom payment, network shutdowns, business disruption, remediation efforts, and PR setbacks all incur hefty financial losses. The business may also suffer additional reputation costs, with 66% of victims reporting a significant loss of revenue following a ransomware attack, and 32% reporting losing C-level talent as a direct result of ransomware.
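The stage ordering above gives defenders a window: exfiltration and backup destruction happen before encryption. The following sketch is an added example, not part of the original article; it maps host events to four of the stages and reports how much lead time an alert on two pre-encryption stages would have given. The event kinds, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events, not real logs: (minute, host, kind, detail).
EVENTS = [
    *[(m, "srv1", "rdp_fail", "203.0.113.9") for m in range(5)],
    (5, "srv1", "rdp_ok", "203.0.113.9"), (30, "srv1", "smb_scan", "40 hosts"),
    (90, "srv1", "outbound_bytes", 8_000_000_000),
    (95, "srv1", "backup_deleted", "snapshots"), (120, "srv1", "mass_file_rename", 12000),
    (10, "wks7", "rdp_fail", "198.51.100.4"), (11, "wks7", "rdp_ok", "10.0.0.5"),
    (50, "wks7", "outbound_bytes", 20_000_000),
]
FAIL_THRESHOLD = 5             # assumed: failed logons from one source before a success
EXFIL_BYTES = 1_000_000_000    # assumed: outbound volume per event worth flagging

def stage_timeline(events):
    """Map events to the article's stage names: {host: [(minute, stage), ...]}."""
    fails = defaultdict(int)   # (host, source address) -> failed RDP logons so far
    timeline = defaultdict(list)
    for minute, host, kind, detail in sorted(events, key=lambda e: e[0]):
        stage = None
        if kind == "rdp_fail":
            fails[(host, detail)] += 1
        elif kind == "rdp_ok" and fails[(host, detail)] >= FAIL_THRESHOLD:
            stage = "initial entry"          # success right after a brute-force burst
        elif kind == "smb_scan":
            stage = "lateral movement"
        elif kind == "backup_deleted" or (kind == "outbound_bytes" and detail >= EXFIL_BYTES):
            stage = "exfiltration"           # backups are destroyed before encryption
        elif kind == "mass_file_rename":
            stage = "data encryption"
        if stage:
            timeline[host].append((minute, stage))
    return dict(timeline)

def early_warnings(events, min_stages=2):
    """Return {host: (alert_minute, minutes_left_before_encryption or None)}."""
    out = {}
    for host, steps in stage_timeline(events).items():
        enc = [m for m, s in steps if s == "data encryption"]
        cutoff = enc[0] if enc else float("inf")
        first_seen = {}                      # stage -> first minute seen before encryption
        for m, s in steps:
            if s != "data encryption" and m < cutoff:
                first_seen.setdefault(s, m)
        if len(first_seen) >= min_stages:
            alert_at = sorted(first_seen.values())[min_stages - 1]
            out[host] = (alert_at, cutoff - alert_at if enc else None)
    return out
```

On the constructed data, `srv1` would have been flagged at minute 30, 90 minutes before files were encrypted, while `wks7` (one failed logon, modest outbound traffic) produces no alert.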

It is worth noting that 69% of security leaders in the enterprise are concerned about ransomware attacks in the hybrid work environment of today.

The Impact of Cyberattacks on Companies: 

The threat and impact of cyberattacks on enterprises have burgeoned over the pandemic years. Roughly a third of all businesses were hit by ransomware in 2021, with the frequency of ransomware attacks doubling in 2021 over 2020. The average cost of a cybersecurity breach increased 10% to $4.24 million in 2021. Ransomware has proven to be particularly damaging, with damages exceeding $20 billion for 2021 and expected to rise to $265 billion by 2031. Attackers comfortably hide behind the fact that after breaching an enterprise, they can move around undetected for almost 200 days. It is estimated that after discovering an attack, businesses take an additional time of over 2 months to contain it. The average business loses about 50 days following a malware attack. However, the future looks darker. Forbes writes that supply chain software developers will be the target of nation-state threat groups in 2022, with the aim of compromising commercial software code creation, distribution or code authentication processes. An example of such an attack is the one against Mimecast Digital Certificates. For any organization, perhaps the most valuable assets in the cloud are machine identities (e.g. TLS keys and certificates) that are used to authenticate devices, services and software. By entrenching themselves in the supply chain, the hackers are able to exfiltrate and control the flow of sensitive data of businesses.

I Am a CxO and I Should Care 

Executives in businesses acknowledge their worry about how rapidly the cybersecurity landscape continues to evolve – over 90% of IT and business decision makers expressed concern about ransomware attacks. Yet, just more than half the teams engage and update their C-suite about the state of their organization at least weekly. The trend towards increasing investments to mitigate the risks of ransomware attacks and security breaches is slowly on the rise. But this trend, along with the low engagement with C-suite leaders, suggests a tendency to address issues with money as they arise rather than to gain deep insights into the cybersecurity challenges and then invest appropriately. “Cyber risk management” is a concept that is discussed in less than half the C-suites. In other words, the role of the C-suite continues to be distant. Business and IT leaders need to step up in their mutual engagement on cybersecurity awareness and strategies for their organizations. Leaders at the top can ill afford not to gain deep knowledge and be engaged directly; otherwise, they run the extreme risk of creating a vulnerable organization. It is imperative that leaders stop looking at cybersecurity as just a technology and start looking at it as a business pillar that has to do with process and people.

CEOs need to engage directly with their CSOs/CISOs and explicitly support them to protect the company. CSOs/CISOs must use security metrics the same way other executives use business metrics, to engage with the CEO in a way that lets them understand the situation, and in a language they are familiar with.
