Looking for a New Year’s cyber resolution? Try perpetual vigilance
Most people enjoy improvements and innovations when it comes to consumer electronics, but the unfortunate truth is that cybercriminals are innovating and improving their techniques and tactics, as well. These innovations include “getting a second bite from the ransomware apple” and using ransomware to cause “physical vulnerabilities at your business.” Hopefully, the anecdotes below help to convince the decision-makers in your business to follow the Coast Guard’s motto semper paratus — always ready.
The ransomware twofer
Ransomware originated as a means of denying access to your data, but hackers are now taking ransomware attacks to a new level. Lately, cybercriminals have not executed the ransomware attack immediately after they breach the network. Instead, the attackers wait until they have mapped the network and copied the valuable data for future use. At that point, the intruders initiate the encryption attack and demand payment to decrypt the files.
But once the ransom is paid, the cybercriminals add insult to injury by demanding a second payment in exchange for not publishing the same data your business just paid to recover. Sadly, this development reaffirms that any ransomware attack that penetrates your business network is an unauthorized access and must be viewed not just as a denial of access, but as a data breach that requires your business to act.
Katie bar the door — if the malware will let you
Last month, the U.S. Coast Guard published its third Maritime Safety Information Bulletin involving cyberattacks on the shipping industry. Ports and merchant ships have long been considered easy targets for ransomware gangs. In this recent case, the port facility was victimized by the Ryuk ransomware, which did more than simply encrypt data on the IT network. Alarmingly, the intruder was able to move laterally within the network and access the facility’s industrial control systems (ICS).
Through the ICS, the intruders were able to monitor and control cargo transfer processes and disrupt the facility’s camera and physical access control systems. Imagine the effects on your business if it could not lock or unlock its doors. The maritime facility had to shut down its operations for over 30 hours to initiate repairs and recover its network.
The potential for cyberattacks to manifest themselves with physical consequences is not limited to maritime shipping. Since August 2018, the Ryuk ransomware has been used to extract money from a variety of lucrative targets in the public and private sectors. Recent victims include the city of New Orleans, health care providers in Texas, logistics companies in Europe, and other industry sectors.
The National Conference of State Legislatures reports that as of 2019, 25 states had enacted laws applicable to the data security practices of private sector entities. The majority of these state laws require private sector entities possessing state residents’ personal information to develop and maintain “reasonable security procedures and practices.” These reasonable measures must protect that information from unauthorized access, disclosure, modification, or use.
The reasonableness element cuts both ways. It allows for the security measures to be commensurate with the sensitivity of the personal information and the size and sophistication of the business. However, it also means that the standard of care is not fixed in time, but rather will evolve and advance along with technology, if only to keep up with the cybercriminals.
Eric Dullea is a Denver-based partner with the law firm Husch Blackwell LLP who focuses on administrative and regulatory law with an emphasis on workplace safety and security in critical infrastructure sectors such as mining, energy and aviation.
Click here to sign up for the free IB ezine — your twice-weekly resource for local business news, analysis, voices, and the names you need to know. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.