Over the July 4th weekend, the US was hit by what one expert described as a “colossal and devastating supply chain attack”. The attack, believed to be the work of REvil, a ransomware syndicate, affected the networks of at least 200 organisations. This type of supply chain attack is most effective when organisations operate on a trust model and rely upon the security of their suppliers to protect their systems. This latest attack goes to prove that hope is not a strategy.
A time to change
What will it take to break company executives and IT professionals out of their apparent cybersecurity stupor? Looking at the endless stream of hacking headlines you’d be forgiven for thinking network and data protection (malware and ransomware in particular) must be top of everyone’s priority list. Apparently not. But wait, perhaps the rising tide of civil litigation is the push needed to break the inertia.
In the US, lawyers recently announced a class action suit launched on behalf of a single motorist, Ramon Dickerson. The action targets Colonial Pipeline owners IFM Investors, KKR, Koch Capital and Shell. It comes in the wake of the catastrophic ransomware attack that led to fuel supply disruption and rising motorist fuel costs.
Despite dire warnings from cybersecurity professionals, high-profile data breaches and increasingly sophisticated malware attacks, apathy still appears to prevail. Evidence to support this is more than just anecdotal. The former Gemalto Breach Level Index reported that of the 14.6 billion records lost or stolen between 2013 and 2018, just 4% were encrypted.
The role of cybersecurity regulation
Since 2018 and the introduction of the GDPR, with its tougher financial penalties, things don’t seem to have changed much. Whilst a third of enterprise scale organisations claim to make widespread use of encryption technology, just 9% (according to a recent TechTarget Study on behalf of Thales) believe they have an effective cybersecurity strategy in place that will provide long-term data protection.
The GDPR still sets the standard as far as global cybersecurity regulations are concerned, but other developed nations are making progress with regard to their own, stricter national data protection policies. In the US, the Biden administration has issued an executive order and is moving towards a rare national standard for cybersecurity regulation.
The voice of the customer
The litany of data breach notifications and news headlines suggests that most organisations haven’t got it right yet. With the average cost of a data breach in 2020 sitting at $3.86 million (according to the Ponemon Institute’s annual report), it may be that enterprise-scale organisations feel this is an acceptable price to pay. Unless and until the dial is moved, this may not be incentive enough to effect a long-term change in behaviour. This is why the Ramon Dickerson class action is worth watching. If people power can result in significant financial penalties or litigation, it might make more boardroom executives sit up and take notice.
An evolving landscape
In the past five years, there have been some prevailing trends in the breach landscape. Whilst many hacks are financially motivated, the emergence of state-sponsored cyber-gangs has seen the number of politically motivated attacks rise. Many of the most successful malware attacks leverage undisclosed, signatureless or zero-day exploits as the point of ingress. Finally, the scale of damages inflicted is on the rise, not just in terms of the financial cost of a breach, but long-term brand value, customer trust and even existential threats.
The recent SolarWinds, Colonial Pipeline and JBS Meatworks ransomware attacks highlight the potential damage to operational systems and business continuity. By contrast, the AXA ransomware attack highlights the implications of data theft: in this case more than 3 terabytes of data was reported to have been exposed.
One of the recent revelations is that legacy anti-malware solutions are no longer fit for purpose. In hindsight, relying on the disclosure of threats before they can be defended against was always doomed to fail. Even if a threat is discovered within 48 hours of its creation, sophisticated hackers can cause extensive damage in a small window of opportunity. For anti-malware to be effective it needs to be proactive rather than signature-dependent, and adopt a zero-tolerance approach to file sanitization.
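The contrast between signature-dependent detection and proactive file sanitization can be shown with a small script. The example below is added here and is not Senetas code or a description of its product; it uses a constructed, JSON-based toy document format (fields such as `title`, `body` and a hypothetical `macro` field standing in for active content) and a one-entry hash signature database, so that the two approaches can be compared side by side.

```python
"""
Added example (not from the original post): a hash-based signature scanner
versus an allow-list file sanitizer, run against a constructed toy document
format. Real formats (Office, PDF) are far more complex; the point is only
that the sanitizer does not need to have seen a sample before neutralising it.
"""
import hashlib
import json

# Allow-list: the only fields a sanitized document may carry (constructed policy).
ALLOWED_FIELDS = {"title", "body", "author"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A "disclosed" malicious sample: a document carrying a hypothetical macro field.
KNOWN_BAD_SAMPLE = json.dumps(
    {"title": "Invoice", "body": "See attached", "macro": "AutoOpen: drop payload"}
).encode()

# Signature database built only from samples that have already been disclosed.
SIGNATURES = {sha256_bytes(KNOWN_BAD_SAMPLE)}

# An undisclosed variant: identical macro, one character changed in the body text.
VARIANT = json.dumps(
    {"title": "Invoice", "body": "See attached!", "macro": "AutoOpen: drop payload"}
).encode()

# A benign document with no active content.
CLEAN_DOC = json.dumps({"title": "Memo", "body": "Meeting at 10", "author": "ops"}).encode()


def signature_scan(data: bytes) -> bool:
    """Return True if the file's hash matches a known-bad signature (blocked)."""
    return sha256_bytes(data) in SIGNATURES


def has_active_content(data: bytes) -> bool:
    """True if the document carries any field outside the allow-list."""
    doc = json.loads(data.decode())
    return any(key not in ALLOWED_FIELDS for key in doc)


def sanitize(data: bytes) -> bytes:
    """
    Rebuild the document from allow-listed, plain-string fields only.
    Anything else is dropped whether or not it has ever been seen before.
    Malformed input raises ValueError; a zero-tolerance policy rejects such files
    rather than passing them through unsanitized.
    """
    doc = json.loads(data.decode())  # raises ValueError on malformed input
    if not isinstance(doc, dict):
        raise ValueError("document root must be an object")
    clean = {k: v for k, v in doc.items() if k in ALLOWED_FIELDS and isinstance(v, str)}
    return json.dumps(clean, sort_keys=True).encode()


def compare(data: bytes) -> dict:
    """Report what each approach does with the same file."""
    return {
        "signature_blocked": signature_scan(data),
        "active_content_before": has_active_content(data),
        "active_content_after_sanitize": has_active_content(sanitize(data)),
    }


if __name__ == "__main__":
    for name, sample in [("known", KNOWN_BAD_SAMPLE), ("variant", VARIANT), ("clean", CLEAN_DOC)]:
        print(name, compare(sample))
```

Running the script shows the signature scanner blocking only the disclosed sample and waving the one-character variant through, while the sanitizer strips the active-content field from both and leaves the benign document's allow-listed fields untouched.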
It may be that impending litigation is the motivation that will compel organisations to become more proactive in mitigating the risks associated with malware attacks, network data in motion and file-sharing activities. If negligence is proven, it could break the cycle of apathy and reset the rules of engagement.
Senetas is a global leader in cybersecurity. Our proactive anti-malware technology provides protection against the most advanced cyberattacks, including signatureless, undisclosed or zero-day exploits.