The operational and reputational toll of ransomware


Ransomware stays front and center

It has barely been a year since the last time we were here talking about how ransomware refuses to cede the throne when it comes to data breaches. With a recent breach shutting down thousands of colleges across the world during finals week, we’re back on the familiar storyline.

As we wait for confirmation on the exact cause of the breach (the group claiming credit, ShinyHunters, has a history of phishing and social engineering tactics), it’s a great time to look at why bad actors are so in love with ransomware as a method of monetizing a breach, and why organizations need to protect themselves from something 78% of organizations have experienced in the past year.

More than just money

“ShinyHunters has breached Instructure (again),” the extortion message read. “Instead of contacting us to resolve it they ignored us and did some ‘security patches.'” —  The message multiple Canvas users received when they tried to log in to the platform

We don’t need to dwell too long on the obvious: Hackers love ransomware because it turns illicit access into cash. But there are other ways to profit after breaching an organization. Why is ransomware so attractive?

To start with, ransomware can be devastating to the operations of any organization impacted, locking down critical files and systems and essentially turning the organization off until it pays up. We’re pretty far into the digital-first era, and if the wrong files get encrypted, the damage is catastrophic — and only compounds the longer a company resists paying the ransom.

Even worse, recovery is rarely as simple as paying a fee, because many attackers have no intention of fully restoring access and may still retain stolen data for future extortion. That combination of operational paralysis, financial pressure, and uncertainty is exactly why ransomware remains such an attractive tool for bad actors.

But these factors only address the internal pressures. Ransomware offers another perk for bad actors extorting organizations: The public understands it (or thinks they do, at least). Ransomware events make frequent appearances on newsfeeds, explained in straightforward terminology with big numbers and obvious damage. This means a ransomware attack presents another, potentially even more impactful, cost to the reputation of the organization and applies additional pressure to the organization to pay up and make it go away.

The threat of crippling disruption for the organization combined with major reputational damage is what leads so many organizations to pay up, crossing their fingers that the hacker group keeps its end of the deal — and what keeps CISOs around the world up at night.

SMBs are a compelling line on a spreadsheet for attackers

“Why would anyone bother hacking us?” An unfortunately common perspective for smaller companies is that it wouldn’t be worth it to hack them. They lack the big revenue numbers, the public image, and the huge amount of sensitive PII, so no elite hacking group would spend the resources to target them. Which is true; they’re not specifically being targeted, but that doesn’t mean safety.

SMBs are what I’ve always referred to as “a line on a spreadsheet” for bad actors, one organization out of many thousands that the bad actor seeks to compromise a percentage of. Contrary to larger, more targeted incidents like I mentioned above, SMBs are more likely to be breached, ransomed, and maybe restored without a human bothering to learn their name. But they often lack the robust cybersecurity defenses of larger organizations to mitigate the damage.

When you add in 27% of small businesses being one disaster away from shutting down, it is critical that every organization of any size has plans and defenses in place against ransomware incidents.

Build your company on a stable platform

A hard lesson from the recent breach is that it’s not enough to simply secure your own organization. You’re reliant on the integrity and security of the platforms you use as well.

Whether you operate a university that has to postpone final exams as a result of a breach, or a company using a file-transfer service that exposes large amounts of sensitive data, the blame from customers will land on your organization. Just like you can’t get away with blaming a carefree employee who fell for a social engineering tactic, your organization bears the responsibility for its own sensitive data.

CIOs and CISOs can no longer afford to overlook the growing use of lightly adopted SaaS and cloud tools that still handle sensitive data outside traditional oversight. They must ensure every such workload remains inside the enterprise security boundary and governance framework to preserve visibility, control, and compliance.

Murtaza Masood, Vice President & Global Managing Director Public Sector, Box

There are a couple of paths to reducing the risk of compromise via a third-party system. For one, security works best in layers, so strong anomaly detection within the organization can detect anomalous events that could indicate malicious activity and alert admins to shut them down. You should also be heavily vetting any platforms that will touch sensitive data, ensuring that proper encryption (at rest and in motion) and authentication controls are in place. Finally, no security in the world is perfect or infallible, so preparing a rapid recovery tool in the case of a breach can help turn a disaster into just a close call.

Taking every step you can to secure your organization goes beyond the scope of this blog (not to mention my own knowledge), but the central point is to exercise diligence and caution when adopting third-party systems. They may run the software, but you still own the data.

If you have sensitive data, someone out there wants it

The reality of the cybersecurity landscape is that, outside of rhetorical debates, asking “Why would someone bother to hack me?” is an empty and sometimes dangerous question. If you have any sensitive information, from student records to product designs to employee financial information on file, there’s an ocean of bad actors out there who would love to scoop it up and resell it on the dark web. We may well be back here with another blog next year highlighting another major, visible ransomware attack, but hopefully at least a few of you are able to take steps now and avoid being the next headline.

If you’d like to learn more about how Box fights back against ransomware, including information about Box Shield Pro’s Ransomware Activity Detection, check us out at www.box.com/shield. Already a Box customer and want to discuss the latest cyberthreats and security challenges? Join us at our Security and Governance user group.