Cyber attacks shifting to extortion, SMEs a target
Any company that collects and uses data is a potential target for hackers looking to turn a profit
Attackers used to target organizations rich in data that could be sold to others, but they now focus on companies that are willing to buy their own information back, according to Richard Wilson, a partner in the cybersecurity practice and privacy consulting leader at PricewaterhouseCoopers.
“The shift is now that they may not care at all about the data that they are encrypting but they know you do,” Wilson said during a panel regarding the investment gap in the area of cybersecurity at the 2017 International Cyber Risk Management Conference, held recently in Toronto.
“The only question is, do you care about your data and do you care about your operational assets because if that’s the case and [the cyber attackers] know that, then [they have an] ability to monetize that data with you.”
A business of any size that relies on the internet must understand that it is vulnerable to the increasingly sophisticated skills of cyber attackers, conference delegates heard.
SMEs that do not possess large amounts of client data tend to feel that they will not be targets of cyber attacks.
Goldcorp Inc., a Vancouver-based mining company, learned this in 2016 when its systems were hacked. The firm’s management and board of directors believed that they were not at risk of a cyber attack because they are in mining, but the fact is that the company is very dependent on technology to run those mines, said Luis Canepari, vice president of information technology at Goldcorp.
The company ultimately chose not to pay the hackers. “It was a wake-up call for us and I do believe that every company out there is a target today. Anybody can hack,” he said.
Defend your organization
“We need to secure what we have and defend [our businesses] against those who would seek to disrupt or take what we have,” said Tom Ridge, chairman of Ridge Global and the first U.S. secretary of homeland security, who was a keynote speaker for the event. “You have to build a culture of [cyber] resilience.”
“You’re all digital companies. You don’t think about yourselves as that way but you are,” he added.
Digital companies include small and medium-sized businesses, which must understand that they are not necessarily experts in cybersecurity and should look to retain companies that are skilled in this area, according to Ben Cotton, president and CEO of CyFIR.
“There are a number of capable organizations that can come in and become extensions of your security staff for a very reasonable [amount of money],” he said.
Retaining experts in this area is important, as commonly used anti-virus programs will only pick up about 40% of threats, he added.
Several panelists stressed the importance of training employees to recognize how their own simple actions could lead to a successful cyber attack.
Educating employees on the topic of cyber risk should be an ongoing program so that they can build an “unconscious ability” to recognize potential risks, said Jonathan Raymond, national lead for Canada at Cisco Global Security, who spoke about the challenge of detecting cyber threats.
Cyber attacks can be realized through the most mundane of actions. For example, training employees to second-guess their immediate instinct to click on a strange link could prevent a cyber threat from being realized, suggested Susan Wolburgh Jenah, a corporate director, who spoke about the importance of cybersecurity awareness from a governance level.
“It’s amazing how much can be accomplished through those types of things,” she said.