Cyber threats, real-world consequences
Cyberattacks’ mounting costs include inflation, supply chain shortages and threats to public safety – as average cost of a breach hits $4.35 million.

By WP Creative Group
In the spring of 2021, a ransomware attack brought operations at a major U.S. fuel supplier to a standstill. Gas prices spiked, consumers panicked as lines formed at the pumps and stations in the American Southeast started running dry — stranding some drivers. The chaos was resolved inside of five days, after the company paid millions of dollars (and bitcoin) in ransom.
A new generation of cybercriminals is behind this mayhem — attacks on physical assets that have driven up food prices, temporarily shuttered schools and disrupted work at government facilities and factories alike. Unlike hacker villains of the past, they aren’t just looking to steal personal data and sell it on, say, the dark web. Instead, they’re targeting the world’s most indispensable infrastructure — machinery, vehicles, power plants, bridges and dams, hospitals — disrupting operations and even threatening lives. The larger the disruption, the more of a profit they stand to make.
Ransomware now represents the most common type of cyberattack, according to IBM’s 2022 X-Force Threat Intelligence Index, accounting for 21 percent of incidents. And in an increasingly interconnected world, where so many of the physical objects we rely upon are online, cybercriminals have all the more reach.

With the onset of the pandemic, they became even more bold. “You saw the supply chain start to falter,” said Charles Henderson, the global head of IBM Security X-Force – IBM’s elite team of hackers, researchers and cybersecurity incident responders. In some cases, that led to shortages of toilet paper and other everyday essentials. “Criminals were looking at these real-world implications of supply chain strain and they said, ‘You know, I can do that with an attack,’” said Henderson.
A new age of vulnerability
Henderson and his team refer to these effects as “cyber-kinetic” outcomes — virtual activities with tangible consequences. And they now represent the greatest cyber threat to private- and public-sector organizations.
In 2021, Henderson’s security research team at IBM found that manufacturing had become the world’s most attacked industry, unseating financial services for the first time in over five years. And a 2022 IBM report on the cost of a data breach found that between 2020 and 2022, the average financial impact of responding to a data breach had climbed to $4.35 million – an all-time high in the 17-year history of the report. In the event of a large-scale attack, that cost can be even higher: This July, a major telecom carrier paid out a $350 million settlement to nearly 80 million U.S. customers affected by a data breach.

These financial burdens have ripple effects: 60 percent of businesses that have faced a breach have had to raise the prices of products or services, contributing to inflation, the IBM report notes, while introducing an invisible “cybertax” on consumers.
Frank Dixon, Security and Trust Practice Group vice president at IDC, likens today’s cybersecurity environment to a perfect storm that favors the attackers if enterprises fail to take the right countermeasures. The increasing complexity of digital environments, a scarcity of information security professionals and the growing sophistication of cyberattackers all contribute to society’s vulnerability.
Complicating things is the fact that networks are more distributed than they’ve ever been. A few short years ago, digital environments were rooted in a physical location. Today, those environments exist in the cloud. “A house with three windows is a lot easier to protect than a house with 22 windows and 15 doors — that’s the scale we’re talking about,” Dixon said.
Back to basics
Fernando Madureira, a cybersecurity leader in Brazil, knows this growing scale and complexity well. He oversees security for Cosan, a holding group of 18 companies central to Brazil’s infrastructure and economy – with diverse businesses in the energy sector, complemented by logistics and agribusiness. The Cosan family includes Brazil’s largest train network and its biggest natural gas pipeline – supplying gas to consumers and businesses, including every airport in Brazil.
Cosan was one of several companies in Latin America impacted by ransomware in 2020 as attacks on the region grew. Madureira’s tenure at Cosan started a few months after the cyberattack; he was tasked with leading a new cybersecurity strategy across all the diverse businesses in Cosan’s portfolio. “Like every security leader, I don’t sleep well from time to time, but that’s my job,” said Madureira.
The company recovered from that attack in a few days, executing a crisis management process to detect and exclude intruders from its vast digital environment.
According to Madureira, the shift to cloud-based hybrid work environments as well as the wake of the covid-19 pandemic have opened several doors to a new world of cybersecurity risks. “It sounds very weird to say now, but in 2020 many companies were not really prepared for remote workers, for example,” he said.
“The challenge today is that a lot of companies are focusing more on projects and challenges related to cloud, digitalization, automation, analytics solutions, artificial intelligence. These are all very important of course, but they are forgetting to focus on the basic security controls and governance – for example access controls.”

He pointed to the incident at the U.S. fuel supplier and other companies that suffered huge cyberattacks in the past years. “In several attacks, the hacker got VPN access on a user login that was not using multi-factor authentication, for example — just a simple password. Nowadays it is not just about a strong and complex password but authentication controls on top.”
According to IBM’s 2022 study, the use of stolen or compromised credentials is still the most common cause of a data breach, the initial attack vector in 19 percent of the breaches studied. Each incident costs a company $4.5 million on average. This type of breach also takes the most time to resolve — about eight months to identify the invasion and another 12 weeks to contain it.
But there’s more to stopping these attackers than just preventing access. Companies need to consider their entire ecosystem, which could span many companies, vendors and complexities. In this landscape, guarding the digital perimeter of a company and walling off the interior is unrealistic and impractical, Madureira said. It’s no longer just a question of fortifying access points. To protect enterprises like Cosan — and the nations and people that rely upon their services — teams need new approaches.
Building a zero-trust environment
Businesses that are ahead of the game are shifting to a holistic security focus and operating as if attackers have already gained a foothold into their network. The approach is called “zero trust,” and it’s designed to make it hard for the offenders to move around a compromised environment while giving defenders more time to run interference. Essentially, zero trust shifts the focus to detection and response through better controls and safeguards within the environment, as opposed to prior approaches which concentrated on prevention and perimeter defenses.
“There’s going to be any number of ways an attacker is going to get past your perimeter,” IBM’s Henderson said. “Somebody’s going to click on a link, somebody’s going to run malware, somebody’s going to accidentally let them in. You’re going to have a vulnerability. So, the question becomes, how can you detect and respond quickly as they’re moving through your environment trying to accomplish their goals?”
Zero trust is a “north star” security strategy — one to always aim for, Henderson said. “Think of [zero trust] as a healthy lifestyle in terms of security, making it more difficult, once an attacker gets in, for them to move around your environment to get to their objectives.”

Implementing it involves finding ways to minimize the impact of a potential breach, developing zero-trust team security policies, using tools like firewalls and multi-factor authentication to create a zero-trust network and continuously verifying all access, all the time, for all users.
It also means knowing your enemy. To prevent and combat ransomware and other types of attacks on its customers, IBM gleans insights from its deep roster of security expertise and worldwide reach, including over 150 billion potential security events that it monitors for clients each day, and data generated from its X-Force defensive and offensive security services.
“If a company has a target to be 100-percent protected and never have any attack, that’s impossible,” Madureira said. “By focusing on everyday mitigation, security controls and governance, we can detect threats earlier and contain the attack. A robust cyber crisis response program goes beyond just the IT department – everyone in the company must be trained to respond to a cyberattack more effectively.”