This isn’t a surprise. We’ve known for some time that cybersecurity is no longer just a tech issue – it’s a risk with real-world physical security implications. Ransomware, in particular, has become a pandemic of its own. For consumers, such incidents create chaos and can disrupt everyday life. For companies that fall prey, they cost millions of euros, plus an inestimable amount of damage in reputation and public trust. Today no individual or organization anywhere can be guaranteed 100% security. However, you can strengthen the systems that contribute to cybersecurity by integrating high standards for digital trust into your business model.
To achieve this, Schuberg Philis has always treated security not as a team, a system, or a tool, but as an attitude. This attitude guides our approach to ensuring customers have the most fitting security solutions for their society-critical IT, whether they handle banking, pensions, groceries, or energy distribution. Part strategy and part attitude adjustment, these four cornerstones can help sustain stronger digital trust.
1. See and believe the reality of cybercrime today.
The IT industry has become more professional. But so have the criminals who dwell and deal in it. While it might be comforting to believe that our worst cyber enemy is a bored nerd hacking in their parents’ basement, this is not true. Today’s ransomware attacks are regularly carried out by organized criminals within sophisticated international networks. These organizations operate in a structure with refined specialties: initial access brokers skilled at infiltration; finance pros who can tier victims and investigate people’s net worth and willingness to pay; negotiators; and even a service desk to assist with any decryption problems.
Indeed, we must acknowledge that cybercrime is now a problem that could potentially threaten human safety and wellbeing by causing major social disruption. Log4Shell led to ONUS, one of the largest cryptocurrency exchanges in Vietnam, suffering a data breach and extortion attempt. Targeted attacks have hit widely deployed software such as VMware vSphere and UniFi. Ransomware gangs have discovered this vulnerability too, using it either to gain initial access or for lateral movement and encryption of VMs. These incidents appear to foreshadow worse strikes. Meanwhile, ransomware itself is evolving. Its criminal brokers are always looking for the next incentive to convince victims to pay – be it to prevent a DDoS, to get their own data back, or to keep data from being disclosed. We expect ransomware to evolve into nastier forms, designed to cripple businesses or even harm people. In early 2021, for example, an attack on a water treatment facility in Florida was thwarted but, if successful, could have led to the distribution of contaminated water.
2. Practice digital vigilance through diligence.
In the same way the pandemic-stricken world came to learn that social distancing, masking, and vaccinating curb the spread of COVID-19, certain practices can reduce the likelihood of an organization getting hit by malware. Specifically, we can practice good IT security hygiene. Although there remains a chance of exposure and infection, a well-maintained and updated system combined with the right security solutions makes it a lot harder for attackers to break into systems in the first place. With the awareness that attackers themselves are running a business and are hungry for just about any source of revenue, implementing proper access control, least privilege access, and minimal internet exposure goes a long way. This plays to the notion that you don’t need the absolute best locks on your door; you need locks that are strong enough to compel an attacker to seek another target.
Good hygiene starts with applying patches in a timely manner. Though nobody enjoys patching, it needs to be done regularly, accurately, and swiftly. Ultimately, we could say that IT security takes a bit of vigilance and a lot of diligence. Letting systems go unpatched makes a company vulnerable, but sadly, the internet is still riddled with systems containing vulnerabilities even though their patches were available months, if not years, ago. When we faced Log4Shell, we launched a program to address the vulnerability for everything under our responsibility and for all our customers. This consisted of preventative patching, upgrading versions as needed, applying other mitigation measures, and checking that SaaS services were patched by their providers.
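A patching program like the one described above needs an inventory first: which deployed archives actually contain log4j-core, at what version, and whether the interim mitigation (deleting JndiLookup.class from the jar) has been applied. The following scanner is an added example written for this page; it is not Schuberg Philis’ tooling and is not taken from the original post. It walks a directory, opens every .jar/.war/.ear/.zip (including archives nested inside archives), reads the Maven pom.properties that log4j-core ships with, and classifies each hit as patched, mitigated, vulnerable, or unknown. The fixed baselines it assumes are the ones from Apache’s advisories (2.17.1 for Java 8+, 2.12.4 for the Java 7 branch, 2.3.2 for the Java 6 branch); the sample jar and war it can build are constructed test data, not real artifacts.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, Optional

# Paths inside a log4j-core jar that identify the version and the vulnerable lookup.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Assumed lowest fully fixed release per branch (Apache advisory: 2.17.1 for Java 8+,
# 2.12.4 for Java 7, 2.3.2 for Java 6). Branches not listed are fixed from 2.17.1 on.
FIXED = {(2, 17): (2, 17, 1), (2, 12): (2, 12, 4), (2, 3): (2, 3, 2)}


@dataclass
class Finding:
    location: str          # path on disk, with "!/" separating nested archives
    version: Optional[str]
    jndi_present: bool
    status: str            # "patched" | "mitigated" | "vulnerable" | "unknown"


def parse_version(text: str) -> Optional[tuple]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; pre-release tags are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_patched(v: tuple) -> bool:
    branch = (v[0], v[1])
    if branch in FIXED:
        return v >= FIXED[branch]
    return v >= (2, 17, 1)


def classify(version: Optional[str], jndi_present: bool) -> str:
    v = parse_version(version) if version else None
    if v is None or v[0] != 2:
        return "unknown"           # log4j 1.x or unparseable: not Log4Shell, but still review it
    if is_patched(v):
        return "patched"
    # Unfixed 2.x: removing JndiLookup.class is the documented interim mitigation.
    return "mitigated" if not jndi_present else "vulnerable"


def inspect_archive(data: bytes, location: str) -> Iterator[Finding]:
    """Yield a Finding for every log4j-core found in this archive or any archive nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else None
            jndi = JNDI_CLASS in names
            yield Finding(location, version, jndi, classify(version, jndi))
        elif JNDI_CLASS in names:
            # Shaded/relocated build without pom.properties: version unknown, lookup present.
            yield Finding(location, None, True, "unknown")
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from inspect_archive(zf.read(name), f"{location}!/{name}")


def scan_tree(root: Path) -> list[Finding]:
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(inspect_archive(path.read_bytes(), str(path)))
    return findings


def build_sample_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed test data: a minimal fake log4j-core jar (no real class files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not bytecode
    return buf.getvalue()


def build_sample_war(jar_name: str, jar_bytes: bytes) -> bytes:
    """Constructed test data: a war that carries the given jar under WEB-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"WEB-INF/lib/{jar_name}", jar_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for f in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"{f.status:10} {(f.version or '?'):8} jndi={f.jndi_present!s:5} {f.location}")
```

Run it as `python scan_log4j.py /opt/apps` on each host, and treat "unknown" findings as work items rather than noise: a shaded build that still carries JndiLookup.class is exactly the kind of copy that survives a vendor’s "we are patched" statement.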
3. Differentiate the crown jewels from commodity IT.
There is no one-size-fits-all solution for security. What might be considered over-the-top for certain scenarios could be the bare minimum, or insufficient, for a mission-critical system. In addition, defenders need to make sure all their systems are secure because, to gain entry, an attacker only needs to find and exploit one. It’s for this reason that we encourage differentiating between your crown jewels and your commodity IT and, based on that distinction, partnering with category-appropriate providers. Relying on one IT provider for everything is inherently risky, as is maintaining critical and non-critical systems in the same infrastructure. If combined in this way, a security problem in a non-critical system can spill over into your critical applications.
Certainly, leave mission-critical activities to those with relevant expertise. There’s a better chance to protect what matters most if the IT provider with mission-critical experience takes care of the mission-critical operations. In a lot of ransomware cases, cybercriminals begin by infiltrating an office environment and then make their way into critical operations. While it’s annoying if office operations go down, most organizations can cope with such inconveniences. However, when the ransomware reaches mission-critical operations, that’s when the business stops.
4. Remember that when it comes to ransomware, to err is human but to plan is divine.
Education and good digital hygiene meaningfully contribute to preventing ransomware attacks and other security issues. Yet, prevention alone is not enough. With ransomware attacks as rampant as they are, everybody needs to actively plan for the worst and have ready answers for hard questions. After the foiled attack on the Florida treatment facility, we were left wondering: would a water council board have been willing to pay serious money to prevent such an incident?
In fact, as organizations we should detail our response to various hypothetical scenarios. If attacked, could we realistically recover? If so, would the recovery be fast enough? Which of our business processes should we consider critical? Who should be informed about any breach? How would we handle negotiations with a malicious actor? Would we pay ransom? If so, how much and in which cases?
And finally, as IT specialists, we should remember that we may once have been in the business of defending just computers and information. Now our cybersecurity work is even more urgent. It involves defending social order and, potentially one day soon, world peace and people’s wellbeing.