By Russ Banham
Yesterday’s hackers may have yearned for the bragging rights that come from having pulled off a major cyberattack, be it against a government network or a large company. But today’s hackers aim for the lowest-hanging fruit: Money, in this case bitcoin, is a bigger lure than boasting.
Today’s hackers strike in a flurry of activity — in many cases, distributed denial of service (DDoS) attacks that divert the attention of a victim’s information security team from malware designed to capture valuable data assets. Distracted in its efforts to get systems back online, the responding cybersecurity team overlooks the malware as it worms its way toward the real bounty.
“DDoS attacks are often designed to cover up the actual intent of hackers, which can be data theft, planting of targeted malware or propagation of ransomware,” said Max Solonski, chief security officer at BlackLine, a financial and accounting automation software provider. “By focusing on containing the disruptive DDoS attack, the InfoSec team might not be able to identify the primary attack vector focused on a specific target or quickly react to the unauthorized transfer of data from a computer.”
This modern-day Trojan horse is becoming increasingly common. According to a 2017 study by Neustar, of all the companies hit with a DDoS attack, 52 percent reported a virus associated with the attack, 35 percent reported malware, 21 percent reported ransomware and 18 percent reported lost customer data. “This is all about the value of information,” said Solonski, “and the easiest way for hackers to obtain information is to target companies lacking adequate InfoSec controls and countermeasures.”
Hackers “aim for companies with the most unsecured cybersecurity and inferior disaster response programs,” said Dottie Schindlinger, vice president and governance technology evangelist at Diligent, a provider of secure board communication and collaboration tools. “Once they sneak through the fence, they go for the gold.”
Security Begins At Top
To protect their companies, senior management and board directors need to ensure that hackers don’t perceive their organizations as low-hanging fruit, Schindlinger said. “The days of the IT team alone thinking about cybersecurity are long over,” she said. “Cyber risk management is everyone’s responsibility today — from the top of the company down. Cybersecurity must be embedded into the organization’s culture.”
While employees are increasingly educated about and vigilant of cyber risks like phishing, many board directors and senior executives fail to heed such threats. Sixty percent of board directors regularly communicate with executive management and fellow directors using personal email, according to a study by Diligent. Nearly half (48 percent) use personal PCs and laptops to download company documents. And 22 percent store these documents long term on their devices.
“The biggest risk are the people with the least amount of cybersecurity training,” said Schindlinger, pointing to board members and senior executives.
It’s not uncommon for what seem like trifling digital and physical documents to contain sensitive corporate information that hackers would find valuable to steal and sell. “Any piece of data is potentially lucrative to a bad actor — the home addresses and phone numbers of board members can be used to exploit the organization and them,” said Schindlinger.
Both Solonski and Schindlinger offered several recommendations on how a business can reduce its appeal to hackers. “Think like a hacker,” said Solonski. “First and foremost, you want to understand the types of data the organization owns and where the data is located, and then take a critical eye to determine how a skilled attacker can navigate around InfoSec controls to get to it and fulfill his nefarious purpose,” he said.
Board directors and senior executives might ask their security leaders questions like: Would a hacker perceive the company as a relatively easy target? Which types of information does the business have that would be of significant value to an attacker? Where does this data reside? Who has access? And how is it protected? Does the organization maintain layered controls throughout the environment, or does it just have a strong perimeter, leaving its “soft core” to be accessed via a “back door” planted by a malicious insider or through social engineering?
Vulnerabilities revealed by these questions need to be strengthened, Schindlinger said. And it is up to board directors to take action. “They have a fiduciary obligation and duty of care to ensure the organization is not put on a hacker hit list,” she said. “My advice (to the board) is to establish a policy that stipulates the behaviors they must uphold as board members, and have each member sign off on the policy.”
Some stipulations may be simple, like not using unsecured personal email or shredding paper documents that contain sensitive business data. “You wouldn’t believe how many board members write down proprietary information in a notebook that they can’t find afterward,” Schindlinger said.
The company’s chief security officer should be present at board meetings to present a brief overview of the organization’s cyber risk readiness, she said. Another good idea is to simulate once a year how the business continuity plan will be executed in the event of a data breach.
Board members have good reason to take such measures. If the organization’s data is stolen because the company was perceived as an easy target, “they are the ones who will be held responsible,” said Schindlinger.
Russ Banham is a Pulitzer-nominated business journalist and author who writes frequently about cybersecurity.