Cybercrime has become a big business—professionalized, specialized and increasingly personalized. Sophisticated criminal networks are taking their cues from intelligence services and militaries, and certain governments are looking the other way while criminals attack companies from afar.
For companies of all sizes, “cybercrime has escalated from a nuisance to a potentially business-ending event,” said Chester Wisniewski, principal research scientist at cybersecurity leader Sophos. “The criminals’ level of skill is approaching that of nation-states.”
According to the Sophos 2022 Threat Report, three of the biggest threats businesses can expect to see this year are ransomware, malware on mobile devices and attacks on internet infrastructure. To fight these challenges, both your employees and your systems must stay vigilant to a growing and ever-changing threat landscape.
Ransomware goes pro
Ransomware is now an industry. The makers lease out their wares to attackers who specialize in system break-ins. The growth of “ransomware-as-a-service” has helped criminals “innovate new ways to break into progressively more well-defended networks,” according to the Sophos 2022 Threat Report.
Back when ransom attackers just encrypted data, businesses could defend against the worst impacts through regular backups. Then the criminals started threatening to release personal data and trade secrets. Now ransomware attackers are asking for bigger payouts, and many victims are paying up.
But most organizations that pay the ransom still don’t get all their data back, according to Sophos research. Sometimes their data is still leaked or sold on the dark web. And in most cases, the cost of rebuilding damaged systems—known as remediation—far exceeds the cost of any ransom paid.
Bottom line: By the time the ransom note is issued, the battle has largely been lost. “The best way to guard against any of this is by being more effective on defense—by preventing access to the system in the first place,” said Douglas Schmidt, a computer science professor at Vanderbilt University.
Most attacks, ransomware and otherwise, can be deterred through “basic cyber hygiene” measures, said Josephine Wolff, a professor of cybersecurity policy at Tufts University’s Fletcher School. This includes keeping software security patches up to date and enabling multi-factor authentication (such as requiring a fingerprint in addition to a username and password). Networks should also be segmented so that an attacker who obtains any one set of credentials cannot roam around freely, Wolff said.
More sophisticated criminals are using a hybrid of human-led and automated techniques. They will rely on malware to detect vulnerabilities and then bring in human attackers to winnow out targets, break in and search the network for sensitive data.
Most organizations still aren’t prepared for human attackers, and humans are very unpredictable and tenacious.
The solution likewise requires a human touch. “Threat hunters,” experts who can be engaged through a service such as Sophos Managed Threat Response, are familiar with the patterns and techniques of criminal gangs. They can sift through the countless alerts issued by security systems to identify serious threats and, importantly, neutralize them. With cybersecurity budgets limited, many organizations are outsourcing threat hunting to vendors that have a full view of the evolving threat landscape.
Malware on your mobile
Your company’s logistics manager gets a text message from a “delivery company” about a missed parcel. When she clicks on the link, she unknowingly downloads malware that gives criminals full access to and control over her phone. Soon they are impersonating her in texts or emails, or collecting security credentials that help them breach corporate firewalls.
The past year has seen a steep rise in this and other types of smartphone malware, Sophos reports. For example, the “Flubot” banking trojan, spread primarily through SMS messages, presents users with fake bank and cryptocurrency login screens to steal their passwords for those services. Sophos has also found hundreds of malicious apps in all the major app stores. These apps don’t carry the malicious code themselves; instead, they find other ways to deliver it after they’ve been installed.
Most Common Android Threats:
- Droppers (malware that distributes other malware)
- Bankers (including Flubot)
- Hidden ad clickers
- CerbSpy (Cerberus) malware
Source: Sophos 2022 Threat Report
In the new world of home-based and hybrid work, attackers are targeting remote log-in and access tools on employees’ phones and other devices. Putting remote management services behind a VPN, or better yet inside a zero-trust environment, adds protection.
So far, most of the losses from mobile malware have been borne by individuals, but any time employees use the same device for work and personal use, it creates a risk for the employer. On the technology side, mobile device management systems allow an organization to segregate business data, monitor a device for malware or phishing attempts, and even control or wipe a device remotely.
On the human side, many corporate cybersecurity trainings still don’t pay enough attention to personal mobile devices, said Andrew Brandt, principal researcher at Sophos. Employees may not understand that actions such as downloading pirated software on their own device can put their employer at risk. That’s where training comes in.
Employees should know that anybody can be on the front line of an attack, and that if they make a mistake, there’s no shame in letting the security team know.
The internet of things
Connected devices “can have security vulnerabilities that could give an attacker a foothold on your network,” Brandt said. “They can be the stepping-stone to an attack.”
The best way to protect IoT devices is to have a system in place that ensures they are always updated with the latest security patches from their manufacturers. Then again, the updates themselves can sometimes be a problem. In two major incidents last year, customers of remote IT management companies downloaded malware-infected updates that left them vulnerable to ransom attacks.
The fact is, every organization is served by many vendors, each of which could pass on a vulnerability in what’s known as a supply chain attack. Here are some ways to reduce your supply chain risk:
- Map out your vendors and assess their security posture, for example by determining what certifications and audits they are subject to.
- Find out their default security policies for their devices when they’re installed in your network. Will they customize passwords or restrict access?
- Demand transparency about security issues, said Wisniewski. Vendors should release updates (with notes) with some frequency.
- Tufts University’s Wolff suggests requiring in your contract that vendors inform you about breaches.
69% of IT teams experienced an increase in cybersecurity workload in 2021.
54% of IT teams believe cyber attacks are too advanced to tackle in-house.
Go for defense in depth:
While you can’t completely control the behavior of your vendors or employees, a layered and preventive approach to cybersecurity can mitigate most risks. For workers and IT teams, that means frequent training and drills; for your systems, frequent updates and continuous monitoring, often delivered from the cloud as a service. Going forward, emerging technologies like A.I. will play a greater role, serving up security recommendations the way consumer services suggest products to buy or movies to watch.
With your people and systems constantly looking out for signs of compromise, the chances of thwarting attackers improve greatly.