As a CEO or CTO, you rely on your IT team to keep your systems secure and while they always want to do the best job possible for you, are you sure they’re telling you the whole truth?
Imagine living in a family house and some of the children knew that the father left the back door unlocked every night, the mother always assumed it was locked but it never was, and for years nothing happened. ‘has passed. Then one night, they get robbed and their valuables go missing.
Imagine the questions;
Dad: “Well, that door has always been unlocked”
Mom: “why, and why was I never told?”
Kid 1: “I knew but I assumed you did it mom!”
Kid 2: »
This is the scenario in businesses around the world.
The mother (let’s say COO of a company) doesn’t think she needs help because she has a husband who locks all the doors.
The following is an illustration of the problem organizations are currently facing.
We are seeing a growing trend of attacks towards data backups. These are rarely targeted, but become a concern when ransomware is considered. Ransomware is a scary prospect at the best of times, when a computer virus is planted in internal systems, leaving criminals open to extort money from companies.
During a ransomware attack, the course of action may include preventing IT administrators from accessing systems, stealing customer data, or even wreaking havoc. If you’re ever worried about how your organization protects its backups, it’s for good reason. But there is worse to come.
Jim from accounts – the silent problem
Imagine a scenario where you, as a business leader, have assurances from your technology team that the live environment and internet-facing perimeter topology are secure. It has passed all recent tests and the measurements are all green. From a cybersecurity perspective, the recent red team exercises with the board went great, and the playbooks are all up to date. A position that many C-Suite executives find themselves in, and what a great place.
But, unbeknownst to anyone, good old Jim in the accounts yesterday ordered his girlfriend a cute pre-summer holiday gift from a well-known online retailer. Today Jim received an email from the same retailer saying his payment had been declined. After he unknowingly clicked on a link to find out why, new malware, containing an undetectable virus (called a zero-day attack), was downloaded to his laptop.
It was not a valid email, but a well crafted phishing email. An embarrassed Jim deleted the email, going about his day with no intention of reporting the incident for fear of being reprimanded.
At Cybercriminal Towers, an alert was quickly received that the malware was active, and an elite team of experts began working. It’s well-organized outfits, with desks, free fruit, and a view — plus a single, balaclava-wearing young chancellor punching keys into a keyboard in hopes of landing a big fish.
We need to evolve our understanding of how cybercriminals operate and act. Given the lucrative nature of the job, they sometimes compete for the same technological talent as the right side of the law, strange as that may seem.
This team of criminals, on this occasion, targets even more sinister malware against a specific target. They work quickly, undetected, and traverse the corporate network from Jim’s laptop. They have very quick access to the servers.
And after a short time, there it is, the backup system – in all its glory. Similar to a scene from lethal weapon, where Murtaugh and Riggs await instructions on which cable color to cut, a subtle click here and there and boom – a thorny set of files containing the most complicated ransomware are planted on the backup system. The consequences? None, nothing. Not yet. Now, we’re waiting, while the clock is ticking down.
Cybercriminal Towers – The Revisit
Over time, another risk review occurs and that is another healthy state. Happy days, until…
This time, the Cybercriminal Towers team aligned their next visit to Jim’s company with a goal. In the network they go again. This time the live environment looks too appetizing, and for good reason. This is where the crown jewels are. Another server, same effect, Boom! Ransomware landed again. Easy pickings.
This time, the malware is executed immediately, alerting the technical teams. At the same time, the executives are all receiving ransom emails from the company because their website, app, and entire back office are crippled. The email states: “Pay or lose your data and online presence”. A captivating and moving moment for everyone.
As the out-of-body experience fades, the inevitable playbook emerges and the tech team arrives, chests bulging ready for action. The prognosis is simple: don’t pay and we’ll follow the proven process. Shut down affected servers, delete data, experience some downtime, and ignore all requests, and in no time, backups will restore the business to where it was. Sanitation is then carried out and all the holes are plugged.
With smiles everywhere, the action plan is clear and the teams are springing into action. However, this time the plan does not go as planned. The now crowded office is hit with shock and numbness, one by one, and like a game of dominoes, everyone quickly realizes the problem. Backups are not available. They are locked by the same ransomware message seen minutes earlier on the live server.
Like an enlarged chessboard in many pub gardens, it feels like a very public call for checkmate has just been announced. As the inevitable scramble for a speedy bitcoin payment process is written, it’s the start of a very long day and night for everyone within the company. They have no choice but to pay but wish to do so discreetly, so as not to worry investors, customers and shareholders.
If you think your organization is too big, too shielded, and excluded from such scenarios, then great, I admire that stance. Just be sure to monitor the changing risk landscape on a daily basis. Because that’s what we’re all fighting against. The culture at Cybercriminal Towers is not to write articles, or to have committees or meetings, but to be determined to deliver their projects.
The ability to analyze data, perform security and penetration testing, and have good governance in place from management information, policies, and procedures is often seen as a boring or bureaucratic part of technology. As demonstrated here – it really isn’t.
In the end, your IT team may think they’ve got all your security needs covered, but in reality, that’s probably not the case. As a CEO or CTO, it’s wise to get an outside or third-party review to assess security vulnerabilities. Should you ask your IT team more questions about the coverage in place and challenge it?
About the Author: David Davies, Managing Director of Navos Technologies, is an expert in helping financial services companies deal with online threats. As a former Chief Information Officer at Hargreaves Lansdown, where he oversaw a team of 400 people, he is well placed to understand the importance of a watertight cyber defense strategy.