By Derrick Rice, Principal Consultant, Asylas
In a world where it’s becoming the norm to use digital assets as a medium of exchange and to see systems updating information as soon as it’s received, it’s no secret that our digital footprints are growing exponentially. This growth in our online presence and our reliance on online tools increase the cyber risk that your business can be taken out entirely by a digital extortion attack.
Many attackers use ransomware as their weapon of choice, denying business access to its data and demanding a sum of money for its return. And, as the internet expands, attackers are finding more ways to interrupt critical processes in hopes that it will force a business into paying them off.
So, what new technologies are attackers targeting, and what can you do to keep your business up and running? Here are some things to keep an eye on:
- Phones: Now that you can share money and files away from your desktop, computers aren’t the only devices you need to worry about protecting. Once a hacker taps into your mobile phone, he can listen to your calls, read your text messages and access your address book and apps. He can also guide you to download malware that leads to a ransomware attack.What can you do? Always be wary of what company information your employees can access from their personal devices. If they store sensitive data or files on their phones and later connect them to an unsecured network (i.e. a public WiFi network), bad actors can access that information rather easily, steal the data and demand ransom. Any personally identifiable information should only be made available through your company’s secure network. Make sure employees understand and are trained on these policies.
- Social media: If an attacker gains access to your company’s social media account or creates a fake account under a name similar to yours, he can do instant and irreversible damage to your organization’s reputation. Attackers can share fake information on behalf of your business, gain the trust of your clients and followers and post sensitive information for the world to see, demanding a hefty fee to give you access to the account(s). Once this information has been shared, it’s difficult to remove from the public eye.What can you do? Businesses should treat their social media accounts as if they’re bank accounts. Set up two-factor authentication, create strong passwords and limit account access to only a few employees. Monitor social platforms for any fake accounts that may have been created in your company’s name, as these can be just as damaging to your reputation as having your official account overtaken.
- Real-time services: Any business that offers real-time services (such as banking institutions, healthcare providers, etc.) should be especially alert for extortion attacks. Attackers know that interrupting key components of what makes your business function will put more pressure on you to resolve the issue quickly. And sometimes, resolving the issue quickly might mean paying the attacker what he’s asking for in order to avoid a longer downtime.What can you do? Make sure you have adequate backups of your data and a recovery plan in place. Establish guidelines for how long your business can afford to be down and how long it will take you to restore data afterward. Set up processes for determining where attacks may be coming from (especially if your organization employs hundreds to thousands of people), and make sure your employees know how to report any suspicious activity.
- Cryptocurrency: With any digital asset that can equate to cold hard cash comes the threat of extortion or theft, and cryptocurrency is not immune. If you choose to buy bitcoins, be aware that attacks have already begun, and they will only become stronger and more frequent.What can you do? Stay on top of the latest industry news and laws, and use backup and encryption methods to your advantage. Don’t save the passwords to your digital wallet on any personal devices or online password banks. And, when you’re not using it, make sure you store your digital currency offline.
While new technologies and digital services can pose a significant threat to your brand and critical processes, ensuring you have the proper planning and detection methods set up can save you a lot of headaches – and money – as extortion methods expand.
About the Author
Derrick Rice is a principal consultant at Asylas, security, privacy and risk-consulting firm located in Nashville, TN. With over 15 years in IT, Derrick’s experience ranges from systems administration to technical leadership roles. He is committed to helping people understand and eliminate the inherent threats to their businesses. He focuses primarily on private-sector privacy (CIPP/ US) and HIPAA regulation. Learn more at https://www.asylas.com/.