It turns out the Covid pandemic has been a golden age for the crooks targeting enterprise systems. Having people work from home has made it harder to contain security incidents.
Writing at ZDNet, Charlie Osborne covers the annual IBM Cost of a Data Breach report. It says a typical enterprise data breach costs the victim US$4.2 million per incident. That’s up 10 percent on a year earlier.
A typical data breach involves between 1000 and 100,000 records. Higher up the scale, things are much worse. Companies where between 50 and 65 million records are exposed now face an average of US$400 million to resolve the incident.
Healthcare has been hit harder than any other sector.
There is a severe international shortage of skilled cybersecurity professionals. One report says there are 4 million unfilled security positions around the world. More than half of all large organisations say they don’t have the specialist security workers they need.
Yet that doesn’t mean this would be a good time for someone with tech skills to refocus on security. One of the reasons IBM identified for the security skills shortage is employers’ unwillingness to pay people the asking rate for their expertise. Going by the headline incident cost figures in the IBM report, paying for skills would be the cheaper option.
IBM research estimates that the average data breach now costs upward of $4 million.
The Asia Internet Coalition, a Singapore-based lobby group, says its members may leave Hong Kong if a new doxxing law comes into force.
AIC members include tech giants Facebook, Google and Apple.
The group worries that the legislation could make its members criminally liable.
Doxxing is when people publish private details about online personalities. It can be as simple as identifying the real name of someone using a pseudonym.
It could also refer to revealing addresses, phone numbers or other details used to trace and identify people.
In recent years people have weaponised the practice in Hong Kong to the point where there are thousands of victims.
People have used doxxing to scare activists off pro-democracy protests. On the other side, protestors have revealed the names of police or court officials who acted against protestors. It has also been used against journalists.
When private details are published people may find themselves on the wrong end of threatening calls or other intimidating behaviour. Sometimes this includes attacks on family members. Doxxing can lead to identity theft.
Hong Kong’s courts have found the effects can be severe and long-lasting.
The proposed privacy law amendments aim to outlaw doxxing and force social media companies and websites to take down personal information.
The Hong Kong government proposes to change the existing data privacy legislation to include doxxing acts committed with the “intent to cause psychological harm”.
A conviction would be punishable by up to five years in prison and a fine of HK$1 million.
As things stand, Hong Kong’s officials can make employees of social media or other websites criminally liable.
The AIC objects to the definition of doxxing used in the proposed law. It also worries services like Facebook and Twitter might face liabilities when doxxing happens on their services.
In a letter, the AIC says the only way tech companies could avoid punishment would be by withdrawing their services from Hong Kong and ceasing to invest in the territory. It is not clear whether these companies make significant investments in Hong Kong.
For years we wondered. What use would humanity find for cryptocurrency? Now we know. It is not necessarily a force for good.
There have been other technologies which emerged before there were practical applications.
When the first laser was built in 1960 it was impressive. Scientists thought it may one day find use in spectrometry or even nuclear fusion.
Others thought it could be used as a ‘death ray’ military weapon. It didn’t help that the Pentagon funded early research into laser applications.
In time engineers found thousands of applications. Today lasers power fibre communications networks. They are used to measure distances with incredible accuracy. Applications include medicine, office printers and cutting objects for manufacturers.
The killer app
When the first PC arrived, it looked like it had potential. It could do lots of things, but it did one thing very well: spreadsheets. VisiCalc, an early spreadsheet was the first computer ‘killer app’.
Likewise, the graphically gifted Macintosh computer had its power unleashed by PageMaker. It was a desktop publishing program and another killer app.
In May criminals attacked Waikato DHB demanding a ransom in return for unlocking computers.
It wasn’t the only ransomware attack that month, nor was it the biggest or most disruptive. Ireland’s health computer system was also shut down. The pipeline moving oil to the US East Coast was shut down.
All of these ransomware attacks, and most other online crimes, have a common denominator. The criminals want ransoms paid in cryptocurrency. That’s because Bitcoin and the other cryptos are harder to trace than conventional forms of money.
Ransomware and cryptocurrency
Ransomware is crypto’s killer app.
Cryptocurrency remains a shadowy world. It is not that everyone involved in cryptocurrency is a criminal. It’s more that every online criminal uses crypto.
For many everyday folk, their first interaction with cryptocurrency is when they need to buy it to pay a ransom.
This is not an argument to ban cryptocurrencies. Although it could be. And the stories about the vast amounts of energy needed to ‘mine’ these new currencies are also a concern.
Part of the attraction of crypto is that it remains unregulated. That has to stop. The exchanges that deal with cryptocurrency have to face the same accountabilities as other financial institutions. It has to be made harder to move unaccounted funds from crypto into traditional banks.
There is more to stifling ransomware than regulating Bitcoin and its peers. Yet the ransomware epidemic now threatens online commerce. In cases like attacks on hospitals, it is potentially a literal ‘killer app’. Regulating cryptocurrency will save lives and jobs.
Ransomware is when online criminals take control of data, encrypt it, then demand payment before unlocking. Except they don’t always unlock the data. Or, if they do, they may strike again later.
Lindy Cameron, chief executive of the UK’s National Cyber Security Centre, says ransomware is escalating and becoming increasingly professional. Criminal gangs make most of their money from large profitable businesses that can’t afford to lose data or suffer downtime.
The Guardian says:
Gangs often scout their targets and will tailor their demands to the size of the customer: there are examples of small firms such as hairdressers being targeted and payments of £1,500 being demanded. But most of the targets are large businesses, which are disabled by the attacks.
It reports Cameron calling for insurance companies to stop paying out for ransoms. At the moment paying is legal in the UK if there’s no link to terrorism.
Phishing and credential harvesting
In New Zealand, Cert’s biggest concerns are phishing and credential harvesting. For the first quarter of 2021 Cert recorded 652 phishing or credential harvesting incidents. In comparison, Cert recorded 12 ransomware cases.
It’s possible many New Zealand ransomware incidents go unreported. We know for sure some do.
Cert puts the ratio between the phishing and ransomware categories at over 500 to 1. Your chance of receiving a ransom demand is relatively small.
Given this ratio, why does the headline on this post say ransomware is ‘threat number one’?
That’s because, when it hits, the damage from ransomware can be devastating. Four weeks after the Waikato DHB attack, the health authority’s computer systems are not back to normal. Hospitals have cancelled surgeries. The DHB is not treating some sick people.
The attack caused chaos in the health system. Last month the Irish health system went through a similar incident. In the US ransomware attackers shut down a vital fuel pipeline.
Companies have gone out of business because of ransomware. The attacks are escalating. Criminals target organisations like hospitals knowing that putting people’s lives at risk increases the pressure on victims to pay up.
Many computer users don’t need to spend extra money on security software. Others do. Here’s a short guide to help you decide where you fit.
Modern operating systems have built-in security software. Windows has Microsoft Defender [1] for free. MacOS has built-in security features [2].
For many people these free OS security tools are more than enough protection.
That doesn’t mean you can ignore security risks. Far from it. Online security is more a state of mind than a product.
Online is a dangerous world
You will continue to rub up against risks. The online world is as dangerous as ever.
Yet, for many people paying for additional protection delivers little value. You might be better off using the money elsewhere. If, say, you run a business, it may be smarter to spend the money on training your staff about the risks.
Your computer security won’t be foolproof even if you buy the most comprehensive security products or services on the market. A clever social engineering attack can shimmy past the most sophisticated defences.
The most common example is when a crook persuades a victim to hand over a password or otherwise let them behind the defences. No software will stop that.
Teaching people not to hand over information that helps a criminal to know or guess a password is better protection.
Backups are a powerful weapon in your armoury. If you make regular encrypted backups of everything, you’ll recover fast if attacked.
This is an essential defence against ransomware attacks. If you have backups, your data can’t be held to ransom.
Given a choice between spending on security software or a backup service, I’d pick the latter every time.
You should make more than one type of back-up. Say, a cloud service and a local hard drive or server. Ideally that would be a removable hard drive that you can store away from your computer.
Before you relax, take some time to check your data actually is being backed up as expected. You don’t want to leave it until it’s too late before you learn otherwise.
With one or more good back-ups in place you can recover from common attacks. You can buy commercial security products and services that include back-up as part of their deal.
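One way to act on the advice above, that a backup is only useful if you have checked it restores, is to restore it somewhere harmless and compare every file against a manifest taken from the source. This is an added example, not the post’s own code: it uses only the Python standard library, stands in for your backup tool with a plain tar archive (encryption is left to that tool), and the file names and contents are constructed.

```python
"""Added example: prove a backup is restorable by restoring it to a scratch
directory and comparing every file against a manifest taken from the source."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files stay out of memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def manifest(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(src: Path, archive: Path) -> dict:
    """Archive src and return the manifest recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest(src)

def verify_backup(archive: Path, expected: dict) -> list:
    """Restore into a throwaway directory and list files that are missing or
    differ from expected. An empty list means the backup really is usable."""
    # tarfile's 'data' filter (3.12+, backported to 3.8.17+) rejects hostile
    # members such as path traversal; older interpreters have no filter.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **opts)
        restored = manifest(Path(scratch))
    return [name for name, digest in expected.items()
            if restored.get(name) != digest]

def demo() -> tuple:
    """Constructed scenario: a good backup, then a source tree that gained a
    file after the backup ran, leaving the archive silently stale."""
    with tempfile.TemporaryDirectory() as work:
        src, archive = Path(work, "data"), Path(work, "backup.tgz")
        (src / "sub").mkdir(parents=True)
        (src / "notes.txt").write_text("quarterly plan")
        (src / "sub" / "design.bin").write_bytes(bytes(range(256)))
        expected = make_backup(src, archive)
        fresh = verify_backup(archive, expected)       # [] -> restorable
        (src / "invoice.csv").write_text("id,amount\n1,42\n")
        stale = verify_backup(archive, manifest(src))  # ['invoice.csv']
        return fresh, stale
```

Run the same verify step against a manifest taken from today’s source tree on a schedule, and a backup that has quietly stopped picking up new files shows up as a non-empty list instead of as a surprise after an attack.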
Where you should spend on security
When do you need to spend on extra protection?
If you deal with customer data or anyone’s personal data then you have a legal responsibility to protect that information from attack. Installing suitable security software goes part way towards meeting your legal obligations. Not having security could increase your liability. Security software can reduce the likelihood of attack; criminals find enough low-hanging fruit to leave protected data alone.
If you have valuable data including material you want to stay secret. This includes complex business plans or product designs.
If you are otherwise a potential target for online criminals. This can include having valuable IP that crooks or government sponsored attackers might want. There’s a similar risk if you work for a political party or a campaign where there’s a sizeable community that would be happy to embarrass or otherwise expose your information.
If you indulge in risky behaviour online. This can mean activity like illegally downloading material or visiting dodgy streaming sites. In some cases, sites at the darker end of the web are fronts to find victims.
If you run a small business where employees are on a local network or you have a home system with teenagers. Sure, you trust people, but you can’t be certain they won’t make mistakes, either by indulging in risky behaviour or being susceptible to scams. Spending money on security is easier and less stressful than attempting to monitor and police other people’s activity.
[1] Microsoft Defender isn’t perfect, but it does a good job and doesn’t interfere with your computing.
[2] In six years I’ve never had the slightest security scare on my Macs.