Most recently, ransomware hackers introduced new types of threats. Across the globe, companies are increasingly subject to data protection laws, like those initiated across the EU with the introduction of GDPR in 2018. Such steps mean that it’s not just the loss but also the exposure of customer data that has become a central area of concern to IT departments and board members. This was demonstrated by the Veritas 2020 UK Databerg report, which showed fear of data loss and compliance breaches as being top concerns relating to cloud computing at the moment (55% and 54% respectively).
When criminals look to extort money from companies, fear of financial and brand damage has become a central lever in cybercrime attacks. In addition to ransomware attacks making critical data unavailable through encryption, it’s now becoming increasingly popular for criminals to exfiltrate data and threaten exposure online as a means of blackmailing companies. According to some reports, more than 11% of ransomware attacks in Q2 2020 involved the theft of data by criminals rather than just data encryption.
Ransomware attackers are changing not only how they attack but also the type of data they target. For example, the EKANS virus attacked Honda in early June. Rather than targeting application data, which is more likely to be protected, EKANS specifically targets ICS data, which, historically, might not have been a part of a ransomware-protection strategy. As such, the question has to be asked: how many other types of data might become ransomware targets and how can these be successfully protected?
Other new trends include auctions on the dark web of data that’s been exfiltrated, possibly for use by competitors or simply to mine it for personal credentials. After-hours attacks have also become increasingly popular, timed so that minimal security personnel are present to help combat the situation effectively. Quite possibly the worst end of this evolution is an increase in the trend towards state-sponsored attacks being created to undermine the very business infrastructure of a country.
Prevention is not enough
Protection against ransomware comes in various forms, but at its simplest it is split between stopping malware from making a home on the network in the first place (anti-virus software, data monitoring and employee education through cybersecurity courses) and being able to respond cleanly and swiftly when an attack is successful.
For the longest time, companies and individuals have focused most of their time and energy on the former of these, with some level of success. Unfortunately, the evolution of ransomware, including increasingly sophisticated social engineering methodologies, means businesses can’t rely on prevention alone.
IT security is always going to be vital but, mostly, it’s the human aspect of the equation that opens up the risks. This could be miscalculating either what data needs to be backed up or what data ought to be encrypted, or simply human error in being taken in by a phishing attack and allowing the malware into the network in the first place.
Companies must assume attacks will be successful and be prepared for that. Data protection in the form of trustworthy and tested backup is the obvious answer, but even this doesn’t protect against data being exfiltrated and abused. For that, the only answer is encryption.
The use of encryption at rest as a defense against malware is something that should never have gone out of fashion, given that encryption of data in transit is still best practice. However, there is a strong case that data is not being encrypted at rest, with one report suggesting that less than 10% of cloud service providers encrypt data once it’s on their servers. It may seem obvious, but this means that it’s open season on over 90% of the data stored in the cloud should it be hacked.
The data challenge
There’s still a challenge, of course. An overwhelming number of businesses don’t know what data they have. The 2020 Veritas UK Databerg study shows that 80% of data is either dark or ROT (redundant, obsolete or trivial).
This makes it almost impossible to know what to back up, where and how, let alone what data ought to be considered sensitive or risk-worthy enough to encrypt as part of the storage and back-up process. This is clearly reflected in a 2019 study by the Ponemon Institute in which 69% of companies said that just figuring out where sensitive data resides in the organization was the biggest challenge to implementing encryption.
A combination of data insights (incorporating identifying, tagging and classification), data encryption and reliable back-up seems to be the only sensible way forward to protect against ransomware attacks. Companies need to know what data they have, and they need to actively protect it in the right way without omitting any risk-associated workloads. Then, when all that hard work is done, they need to test their systems to find any unexpected gaps or weak points.