Ransomware was once a buzzword in the tech industry, but it is now a permanent fixture of the technology landscape. With the growing trend, global losses from ransomware were projected to exceed USD$20 billion by 2021, with criminals taking more money than ever before. We usually associate these attacks with big corporations, but around 62% of them actually target small and medium-sized businesses, which often lack the resources to respond appropriately.
What is ransomware?
Ransomware is a type of malicious software that, once it gets onto a system, gains access to files or systems and removes the owner's access to them. The files or systems are held to ransom, usually by encrypting them, until the owner pays. Ransomware has been around for decades, but it has become far more sophisticated in its current generation.
Ransomware can make its way into your organisation in a number of ways, but the most common is an email that dresses up a malicious attachment as something important, like an invoice or a bill from a major client or the ATO. An email like this encourages people to open the attachment, which runs the ransomware and lets it spread through the organisation quickly. A similar thing happens on social media, when a fake profile is created and messages with an attachment or link are sent to people's "friends". And one of the oldest tricks in the book is the classic browser pop-up.
It's easy for us to be doom and gloom about the outside world, but there is a solid reason for it. It goes beyond our innate paranoia: it is drawn from the personal experience of a few of our valued clients.
One of our clients was a victim of ransomware at the end of 2019. Their computers were broken into by a foreign cyber-espionage group via their Wi-Fi router, which still had its factory-supplied username and password. Once on the Wi-Fi, the attackers could get into a staff member's computer that was running an unpatched desktop application. Right there on the staff member's desktop was a digital sticky note listing all of their important passwords. With that, the attackers could get into every system the business used.
This client was held to ransom and didn't pay, so all of their information was wiped and they had to start from scratch. So how does an attack like this happen?
A ransomware attack is actually relatively easy to execute, because basic security practices often aren't followed by individuals. Ransomware is typically run by hacking groups that may be based overseas. They usually don't claim responsibility and keep their identities secret, which helps them stay agile, blend into the crowd, and keep running a system that works.
In 2019 the city of Lake City, Florida, was hit by a group of Russian-speaking cyber criminals who demanded roughly USD$530,000 in Bitcoin from the council, which paid and then fired its IT manager for falling victim to the attack in the first place. The ransomware used was Ryuk, which earned its operators more than USD$3.7 million in its first four months of operation.
In fact, some of our team members have been known to hack one another for sport. One of our former staff members didn't believe hacking was as easy as we said, so one of our developers put it to the test and got into his Facebook, email, bank account and home Wi-Fi router, all within an hour. What started as a joke ended up being a serious conversation about how easy it is to get into these systems, and that was without any malicious intent.
You might think that, if you've been hacked, you are the victim and will be compensated accordingly by your financial institution or insurance company. This isn't always the case. If you have authorised a third-party platform, such as a budgeting app, to access your banking information and that app is hacked, your bank is unlikely to refund the funds, because you gave that application permission. Read the ABC article about how this happened to an Adelaide man.
In Australia, banks are generally liable to replace stolen funds, but it depends on the extent of the fraud and how it was carried out. This isn't the case everywhere. In Canada there aren't the same protections we have here, and banks are not held liable for stolen funds. Customers have to dispute transactions, which are then investigated, with no guarantee that any of the money will be returned.
This was also the case in the UK until a few years ago. When the UK government switched the liability onto the financial institutions, their investment in online security increased sharply and fraud plummeted.
You might think insurance would negate these difficulties, but cyber insurers don't always pay out. Just as a motor or home insurer is unlikely to pay if you left your keys in the car or your house unlocked, a cyber insurance provider can reject a claim if you didn't apply 'reasonable care' to your systems. Failing to follow or maintain security best practice in your organisation can mean a claim is refused outright, adding heartache and stress in an already tumultuous time.
We've all been guilty of seeing the pop-ups telling us to update our computers and applications and snoozing them until later. They often arrive at an annoying time in your day, but those updates patch the very vulnerabilities that ransomware operators exploit to get in and move around, as the unpatched desktop application did for our client above. Install them promptly, and turn on automatic updates where you can.
If you are a victim of ransomware but have a backup of your information in a separate location, you won't have to pay the ransom to get your data back. Backups also protect you if something happens to your computer, in a physical robbery, or even in a natural disaster. They might be to a cloud-based service or to a physical server. One caveat: modern ransomware deliberately hunts for backups it can reach and encrypts or deletes them too, so at least one copy should be offline or otherwise unreachable from your day-to-day network, and you should test restoring from it periodically. A backup you have never restored is only a hope.
Just as every business is required to have a work health and safety policy, we believe every organisation should have an enforceable IT policy, with the same checks and balances as all your other policies. We have our own IT policy that outlines a variety of major touch points with our systems and people, including:
We complement this policy by having a cyber security officer and quarterly meetings that check over every point of the document. This ensures it's still being executed and helps identify new gaps or changes in technology. Having this accountability makes sure we actually follow through on our word and that everything is up to date every quarter, because even we can get a bit lazy sometimes.
Just as with work health and safety practices, there needs to be a cultural shift to ensure IT policies are followed, and all staff members need to speak up when they aren't. One of the most popular ways of enforcing this is adopting a zero-trust mindset in your cyber security. Zero trust means that no user, device or network location is trusted by default, including your own employees and their devices: every request to access a system is verified, because any of them could be, or could become, an internal threat to part of your system.
Until recently, best practice was to lock down the perimeter of your organisation, protecting it from the scary internet and all its dangers. This model assumes that if you are in the building on the local network, everything is fine. As the sophistication of ransomware has grown, and as the downside of assuming tech literacy in the workplace has become clear, this model no longer works. It also doesn't accommodate people working from home, which has become essential during the COVID-19 pandemic.
Real life isn't perfect either. People leave passwords on a sticky note, or fall for phishing and ransomware attacks that get straight through the perimeter. People often use their own devices for work systems and email, which the IT department really can't control. Zero trust doesn't make these assumptions; it bases each access decision on robust authentication and context-aware access control.
Identity and context are the two pillars of zero-trust security. Managing people's identities and their access to different systems is paramount to maintaining security.
Now, in a perfect world, we would always use different passwords, long and varied and up to best-practice standards, and change them regularly. In reality, we get lazy and live with a bit of cognitive dissonance about it. The best protection against a weak or compromised password is two-factor authentication. If the client mentioned above had two-factor authentication enabled for their email, banking and so on, the attackers would have had a much harder time getting in, if they could get in at all. Using an authenticator app like Authy is one of the safest ways to do this. SMS codes also work, but a text message is more likely to be intercepted or redirected (for example through SIM swapping) than a code generated by an app like Authy.
Even once someone has confirmed their identity, the context of the request should still be considered. Factors such as geolocation, device type, operating system and network context all belong in your access policy. For example, a request comes through from the CEO's account (which is permitted to access sensitive information), but from an unknown device, in an unknown location, and from an IP address in a country she has never been to. Each of these is a red flag: even though the identity checks passed, something may still be wrong, and the request should be challenged or blocked rather than waved through.
That may all seem pretty doom and gloom, but ransomware attacks do happen, and they're more common than you think. So it's important to make your best effort to protect yourself. These are just some of the simple steps you can take to protect yourself and your business.