Chris Weston (Principal, European Client Advisory)
Marc Dowd (Principal, European Client Advisory)

The threat has changed: hype or reality?

It might be that the Google cookie monster is building on my paranoia by showing me articles on ransomware attacks at every turn. I hope so. That said, it does seem that the threat has changed somewhat and become more sophisticated.

Ransomware is extortion, pure and simple, and has been around for some time now. I remember last year speaking to the CIO of a hospital whose systems had been closed down right when they were struggling to keep people alive in the face of a virus that nobody knew much about. It seemed to me at the time to be particularly low and execrable to purposely target people who were risking their lives to try to save strangers from dying in increasingly large numbers. War profiteering used to be punished harshly, but this seems to have been a crime that in this case nobody was properly punished for.

Unfortunately, that is still the case. Despite the huge number of attacks, the penalties are still low and the chances of getting caught are slim. The rewards for these criminals, however, are not slim. There are estimates that one gang has extorted $150M since its formation.

My question is: what can and should we as Digital Leaders be doing about this? Well, I doubt if most readers of this article have a budget of $150M to spend on cybersecurity, so we are fighting an asymmetrical war and, to be frank, an unacceptable number of the battles are being lost.

I, for one, do not want any of my Advisory Clients or members of the IDC Digital Leadership Community to lose one of these battles.

So, what do we know about the enemy? Well, it appears that they have separated into a marketplace of specialists who play to their strengths: “initial access brokers”, deployment specialists and extortionists. Sometimes they are all the same actors; sometimes details of vulnerable companies are traded so they can play to their strengths. To combat these threats, we need to ensure we can match each stage:

  1. stopping them getting in,
  2. recognizing when they get in,
  3. stopping them from spreading,
  4. stopping them exfiltrating information,
  5. and having a plan worked out to deal with the extortion if it happens.

Do you have all these things adequately covered? Maybe asking yourself the following questions will give you some insight into how prepared you are:

  • How often do you run penetration tests? How high a priority is turning results into actions?
  • Do you have an escalation procedure when a Cobalt Strike component that you were not expecting is identified in your environment?
  • Do you use a risk-based approach to vulnerability management?
  • Do you have a tested resiliency plan that is updated quarterly to keep pace with developments?
  • Are you sure your data is secure? What about data in your ecosystem of partners?
  • Do you have board approval to pay a $1.4 million (average) ransom?
    (Should you pay the ransom? Research shows that those who pay up on average end up spending more than double those who refuse to pay.)

Those are just some examples, but I hope they show the diversity of elements that you need to be considering and planning for. If any of them are new to you, maybe it is time to review the whole area.

Your biggest threat?

Everyone knows that the major vulnerability is often people. I don’t think enough is being done in most organisations to make people aware. Not just the awareness of the threat but the more sobering awareness that one-quarter of UK SMEs were likely to go bust if they were forced to deal with the average cost of a cyber attack. I have sat through compulsory cybersecurity training, but it focuses on what to look out for (important) and not on what it could mean to me and my livelihood (frightening). Research, commissioned by Vodafone, also showed that 16 per cent of firms would likely be forced to lay off staff in the event of a hack.

IDC research shows that security is top of the agenda for CEOs at the moment. We also believe that these turbulent times we are living in make it imperative that all leaders focus on resiliency. If this is a focus for the CEO and it is your responsibility, are you comfortable that you have all the bases covered? We publish about threat hunting: IDC PlanScape: IT Security — Creating A Robust Threat Hunting Capability. We suggest approaches to securing yourselves. Have you, for instance, mandated the use of two-factor authentication? Our IDC PlanScape deals with that: IDC PlanScape: IT Security — Using Multifactor Authentication.

What are you going to do?

The “what” and “how” of defence are vital, but maybe you need more. Being a Digital Leader is not only about defence and implementation; it is about helping to understand risk and communicate what the organisation at every level needs to know. From a leadership perspective, what can you do to lead in the defence of your organisation? I don’t have the answers, but I know a group of clever people who can help.

If you would like some ideas of what your peers are doing – or you have implemented something that really works – you should come to our next meeting, where we will have a completely peer-led discussion of this vital digital business issue.

Please come and join us to learn from other Digital Leaders (not techies) how to confront the worsening threat. If you get one idea out of the hour, it might be the thing that makes a difference. Oh, and it's free.

The IDC Digital Leadership Community holds meetings of peers every two weeks. Many participants come regularly because they see it, as one Digital Leader put it, as “a chance to hear how others are solving issues without being put on the spot of having to know all the answers”.
