Compromise can happen to anyone. It’s no longer a case of ‘If a cyberattack hits my business’ but ‘A cyberattack will hit my business’. We have come a long way from the thinking that only certain types of businesses (or business functions) could be the recipient of a cyberattack. Most security professionals now assume that a breach is inevitable and prepare accordingly.
The stats show the same. According to Accenture’s 2020 Innovate for Cyber Resilience report, “On average, organizations now face 22 security breaches per year.”
Everyone is a Target.
Some businesses may consider themselves to be unique and believe that they might fly under the radar of attackers. However, having that mentality can lead to security holes that attackers are happy to exploit.
Take, for instance, the Blackbaud data breach. Blackbaud is a fundraising software used by charity and education bodies the world over. That’s a software product that any ‘moral’ person wouldn’t attack. And, as a payments platform operator, their clients would expect the business to be highly secure.
However, in 2020, Blackbaud was the victim of a ransomware attack that resulted in an "astronomical amount of data" being siphoned to attackers. The months-long intrusion resulted in personal data leaks affecting millions of people, and from organisations including the University of Birmingham and The National Trust.
Is it morally reprehensible to attack these sorts of organisations? Sure, for you or I, but these are criminals we’re talking about. This is also why, if you experience a ransomware attack, you have no guarantee your systems will be handed back over or your data won’t be stolen. When you’re talking about criminals, their morality can be flexible or different from our perspectives. In Blackbaud’s case, they paid a ransom to their attackers so they would delete the stolen data, however, it can be tricky to say whether this actually happened.
Supply chain compromise and trickle-down effects.
This example also brings up another vector of compromise: supply chain compromise. Supply chain compromise happens externally to a company, through a secondary provider. For the University of Birmingham, their own client’s data was breached through the third-party Blackbaud software.
This same type of attack has crippled businesses across the world this July. Kaseya’s IT Management and MSP software was hit by one of the world’s biggest ransomware hacks on record, courtesy of REvil - the Ransomware as a Service provider wreaking havoc across the world on behalf of other criminals. The attack affected thousands of clients when their data was suddenly encrypted. In just two examples of the impact, 800 of Coop’s Swedish grocery stores were closed as their register software was down, and a number of schools in New Zealand were bumped offline. In this instance, it wasn’t just direct customers of Kaseya that suffered, but also customers of companies using the Kaseya management software. Ransoms were sent out to the victims individually, however in the end Kaseya has managed to obtain a ransomware decryptor for their clients.
As a business, your customers may still be on the hook for data breaches that occur through third-party apps or services. Organisations have a lot of apps, and the number is growing. As Blissfully’s SaaS Trends 2020 outlines, “The unique number of apps in use per company is up about 30%, year over year, with companies averaging 137 in 2019 vs. 2018.” With this in mind, you need to do comprehensive reviews on what software you are trusting and your legal obligations if something goes wrong.
How do we prepare for the inevitable?
Adopt a Zero Trust approach, i.e. not trusting anyone internally or externally until they are verified. This means cutting off access to all resources until users are verified, and forcing users to re-validate their credentials as they move between applications within your network.
Take, for example, the infamous Colonial Pipeline attack. The attack occurred due to a stolen password on an inactive account that allowed access to a company VPN. The password was subsequently discovered on the dark web, suggesting the account owner had reused a password that was involved in a prior data leak.
This particular attack brings up several security issues: 1) password reuse, 2) removing inactive accounts, and 3) multi-factor authentication.
These three security vectors align with the approach needed to practice Zero Trust: with people, tools, and processes. Let’s dive into them.
People: Password reuse needs to be eradicated, but it needs to be about educating your audience, not just putting in failovers to stop reuse within your organisation’s systems. If attackers can link a personal and business email address (or username), and have obtained a stolen password from another breach that lists the personal email, and an employee has reused a password at work and at home, they may now have access to your systems. This can also impact multiple systems if they have naming conventions for their passwords, such as “SoftwareNameYearOfBirth,” it’s not just exact password matches. Your employees may not realise this is possible, so education is key.
Mitigating the risk means engagement from your executive team to the front line, education and vigilance. Your people are your front line in the fight against cybercrime.
Tools: Multi-Factor Authentication will help stop access from unauthorized users. If access is requested, even with a matching password, a secondary check should be made to ensure that the user is actually who they say they are. Having region-specific IP blocking can also help, although this can be circumvented by experienced attackers.
Adhere to the principles of 'Defense in Depth' security - no one solution will protect your business. In fact, most enterprises have over 50 solutions in the security stack. A zero-day threat can arise anywhere, anytime, so it takes a multi-faceted, multi-layered approach employing the expertise of specialist solutions to protect your people, your company and your data.
Processes: Inactive accounts must be deleted to remove access for users who no longer need it. This should occur when people resign, change roles, or their responsibilities shift. This is a case for systems administrators and security professionals.
Security processes must be documented, automated, audited, and updated. With an ever-changing threat landscape, you must keep up to date.
Email as the number one attack vector
While password-stealing can be a more difficult way for attackers to access systems, email is not. Business email addresses are generally publicly available and can be linked to people’s business roles as well as personal social media accounts and their overall online footprint.
Take, for instance, the email we discovered for an ‘Urgent order’. The email, asking if they can pay urgently for 30 days invoice, with deliveries to Belgium, France, and Luxembourg, might easily fool your sales department at first glance, chalking up the stilted text as an ESL speaker from Europe, rather than an obvious cyberattacker. However, the attachment, an Excel spreadsheet titled Order0076654, has the ability to deliver a malicious payload when opened.
To address the number one attack vector for businesses - that’s email! - you need to educate employees, use tools such as MailGuard to help quarantine and delete malicious messages before they hit employees’ inboxes, and have reporting strategies in place for when employees are suspicious about an email.
More tips for preparing for cyberattacks:
- Design mitigation strategies according to the Essential Eight
- Use outside assessments like the Australian Government’s Cyber Security Assessment Tool for small to medium businesses to gauge cyber readiness
- Engage the services of a cybersecurity consultant if you don’t have in-house expertise
- Perform tests to check your current systems, such as sending employees an email mimicking a fraudulent email, testing for DDOS attacks, and running a password cracker to see if anyone is using simple passwords
- Assess and rollout tools that will help with readiness, such as backup providers, firewalls, and specialist email security like MailGuard, etc.
Prevention is always better than cure, and the best defence is to encourage businesses to proactively boost their company’s cyber resilience levels to avoid being hit by ransomware or other compromises in the first place. The fact that a staggering 94% of malware attacks are delivered by email, makes email an extremely important vector for businesses to fortify.
Being hit by a cyber-attack can cause businesses significant financial losses and a hit to their reputation, especially following a tough pandemic-ridden year which resulted in many businesses struggling to keep the lights on. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, using a specialist cloud email security solution like MailGuard to complement Microsoft 365. For more information about how MailGuard can help defend your inboxes, reach out to my team at firstname.lastname@example.org.
How is your business preparing for cybersecurity attacks? Share your thoughts below.