i3 | February 03, 2022

Business Tech Tactics

by Jim Harris

The Year of Ransomware

CEOs rate cyber risk the #1 threat for organizations

With millions of people working remotely in North America due to the pandemic, the attack surface of IT systems has expanded sharply: home networks, personal devices and remote-access services now sit between employees and corporate systems. Cyber crime has grown with it. In a 2021 CEO survey by KPMG, CEOs rated cyber security risk as the top threat to their organizations.

Ransomware is top of mind for North American businesses after high-profile cases like the May 2021 attack on Colonial Pipeline, which created gas shortages in the eastern U.S. Most ransomware attacks, however, never become public knowledge.

The U.S. Treasury has tied $5.2 billion in bitcoin transactions to ransomware payments. Global ransomware costs are estimated at $20 billion a year and are predicted to grow more than 20-fold over the next 10 years. The ransom paid, however, is only the tip of the iceberg: downtime, recovery, legal costs and lost business typically dwarf it. According to McAfee, cyber crime costs the global economy $1 trillion each year.

Cyber security is one of the fastest growing areas of IT, and demand for skilled staff far outstrips supply: there are over three million unfilled cyber security positions globally. “There are only two types of organizations, those that have been hacked, and those that don’t know they have been hacked,” said John Chambers when he was CEO of Cisco.

Phishing

Most cyber attacks begin with phishing. A typical lure is an email that appears to come from your bank, warning that your account has been compromised and urging you to change your password immediately, with a convenient link to the login page. The link does not go to the bank. It goes to the attacker’s site, which is made to look like the bank’s, and everything you type into it, account number, user name and password, goes straight to the attacker. The tell is usually in the link itself: the address it actually points to (shown when you hover over it) belongs to a domain the bank does not own.

Then there is spear phishing, where the attackers research you first and the email you receive is far more customized and convincing. John Podesta, chair of Hillary Clinton’s 2016 presidential campaign, was the victim of a spear phishing email posing as a Google security alert. His entire mailbox was leaked as a result. Podesta even asked an IT staffer whether he should reset his password, and the staffer replied that the email was legitimate.

Finally, there is whaling: spear phishing aimed at the biggest fish, senior executives, whose credentials and authority are worth the most to an attacker. Its close relative is executive impersonation, often called CEO fraud, where an email that appears to come from an executive in your organization instructs you to urgently change your password, open an attached file, or approve a payment.
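The two lures described above, a link whose visible text names one site while it really points to another, and a sender who claims to be an executive but writes from outside the company, can both be caught with simple checks on the message before a user ever clicks. The following is an added example written for this article, not code from the author or from any vendor; the internal domain, the executive name and both sample emails are constructed for the demonstration, and the domain-matching is deliberately crude (it takes the last two labels of a hostname rather than consulting a public-suffix list).

```python
"""Heuristic checks for the phishing lures described in the article:
a look-alike link whose href goes somewhere other than its visible text,
and an 'executive' sender writing from an external or look-alike domain."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed organisation data for the example (constructed, not from the article).
INTERNAL_DOMAINS = {"example-corp.com"}   # the company's own mail domains
EXECUTIVES = {"pat quinn"}                # display names an attacker would impersonate


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; a public-suffix list would be needed for .co.uk etc."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (c0rp vs corp)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


_URL_IN_TEXT = re.compile(r"https?://\S+|(?:[\w-]+\.)+[a-z]{2,}", re.I)


def link_findings(html):
    """Flag anchors whose visible text names a different domain than the href points to."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        match = _URL_IN_TEXT.search(text)
        if not match or not href_host:
            continue  # plain 'click here' text gives us nothing to compare against
        shown = match.group(0)
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(f"link text shows {shown_host} but points to {href_host}")
    return findings


def sender_findings(from_header):
    """Flag executive impersonation from outside, and sender domains that imitate ours."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if not domain or domain in INTERNAL_DOMAINS:
        return findings
    if name.strip().lower() in EXECUTIVES:
        findings.append(f"display name '{name}' is an executive but address is external ({domain})")
    for internal in INTERNAL_DOMAINS:
        if 1 <= edit_distance(domain, internal) <= 2:
            findings.append(f"sender domain {domain} looks like {internal}")
    return findings


def analyze_message(raw):
    """Run both checks over an RFC 5322 message and return all findings (empty list = clean)."""
    msg = message_from_string(raw)
    body = ""
    for part in msg.walk():  # walk() yields the message itself for non-multipart mail
        if part.get_content_type() in ("text/html", "text/plain"):
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            break
    return sender_findings(msg.get("From", "")) + link_findings(body)


# Constructed sample messages (not real mail): one lure, one legitimate notice.
SAMPLE_PHISH = """\
From: Pat Quinn <pat.quinn@example-c0rp.com>
Subject: Urgent: reset your password now
Content-Type: text/html

<p>Your account was accessed from an unknown device. Reset immediately:</p>
<a href="http://example-corp.com.login-verify.net/reset">https://example-corp.com/reset</a>
"""

SAMPLE_LEGIT = """\
From: IT Helpdesk <helpdesk@example-corp.com>
Subject: Scheduled maintenance
Content-Type: text/html

<p>The portal is offline Saturday. Details: <a href="https://example-corp.com/status">https://example-corp.com/status</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze_message(raw))
```

Run as a script it reports three findings for the lure (executive name on an external address, a sender domain one character away from the real one, and a link whose text claims example-corp.com while the href lands on login-verify.net) and none for the maintenance notice. The subdomain trick in the sample href is exactly why the check compares registrable domains rather than the start of the hostname.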

Ransomware, phishing, cyber crime — how can organizations reduce risk? Here are some effective strategies.

Top Ten Risk Reduction Strategies

1. Training, training, training

2. Multi-factor authentication

3. Password management

4. Automatic updating of software

5. Antivirus and antimalware software

6. Backups: both cloud-based and on premises

7. Steps to protect against identity theft

8. Use of AI to detect irregular network behavior

9. Insurance

10. Ongoing training

The Human Factor: Training

While IT professionals often have a bias toward technological approaches to mitigating cyber risk, there must be more focus on employees. Every person in your organization must be trained in cyber security awareness, and the training needs to be ongoing.

A CEO told me how every single employee in his company had been trained to identify phishing threats. Two weeks after the education sessions, the training company ran a phishing exercise and 20% of employees keyed in their login and password. This underscores the importance of ongoing training. Also, any third party, such as a supplier, who can log in and access your systems must have continuing training.

During the pandemic, hospitals have been shut down by ransomware, and cyber crime has become a dangerous business. Organizations must take this issue very seriously indeed.

Jim Harris is the author of Blindsided. Follow him on Twitter @JimHarris or email him at jim@jimharris.com. 

i3, the flagship magazine from the Consumer Technology Association (CTA)®, focuses on innovation in technology, policy and business as well as the entrepreneurs, industry leaders and startups that grow the consumer technology industry. Subscriptions to i3 are available free to qualified participants in the consumer electronics industry.