
The real cost of cybercrime

Being hacked is about much more than just financial losses – and yet it’s about that, too. This is what it’s really like for individuals and businesses who fall prey to cybercrime.

Former FBI director Robert Mueller once said there are only two types of businesses – those that have been hacked, and those that will be. As our world gets smaller, and our systems for sharing information become increasingly interconnected, being hacked is becoming an inevitability. 

Dr Cassandra Cross is an Associate Professor in the School of Justice at the Queensland University of Technology who specialises in researching cyber scams and their victims. She says that despite the rising prevalence of cybercrime, most people still don’t understand what’s really at stake. 

“The problem is that people don’t perceive the threat of cybercrime to them accurately,” she says. “People think it won’t happen to them; that it’s something that only happens to other people. There’s a definite discrepancy between the actual threat of cybercrime, and how at-risk people think they are.” 

The emotional impact 

Before we even begin to count the dollars-and-cents impact of cybercrime, it’s important to consider the psychological impact, which is too often ignored. Victims of a cyber attack can be left with feelings of anger, anxiety, fear, isolation and embarrassment, which can lead to anything from sleeplessness to self-harm. 

“People should know that cybercrime can have a number of non-financial impacts,” Dr Cross says. “It can impact their emotional and psychological wellbeing. Victims can experience depression. It can impact on relationships, on employment, and it can even lead to homelessness. At the serious end, it can have a severe impact on someone’s physical health, and in the worst case scenario, there have been victims who have committed suicide as a response to cybercrime. 

“I think we have to acknowledge, to a much greater degree, the range of impacts that different types of cybercrime can have, and acknowledge that the way one person experiences an incident can be quite different to somebody else in the same situation. That will depend partly on their ability to disclose what’s happened to family and friends, and to gain support from both formal and informal networks.”

Dr Cross says many victims of cybercrime are left feeling that they’ve been violated, in much the same way that you might expect after a physical attack. 

“That feeling of violation and vulnerability is something I’ve come across a lot in my research on cyber fraud,” she says. “Fraud is all about deception. It’s about deceiving somebody for financial gain. And once a person realises that they’ve been deceived, it comes with an immense sense of violation, betrayal, and loss of trust. Many victims talk about the fact that they find it difficult to trust people in their day-to-day lives moving forward, and they find it hard to start new relationships.” 

One of the most damaging aspects of a hack can be the response from other people. 

“There is a lot of victim-blaming that comes with cybercrime,” Dr Cross says. “Victims feel so ashamed and embarrassed about what’s happened, and there’s such a stigma associated with it, that they often don’t tell anybody about it. And that exacerbates it, because they suffer in silence. They’re not able to gain any support in the aftermath of what’s occurred, and it sends them spiralling downwards.” 

For many victims of cybercrime, dealing with the system in the aftermath of the crime can be as traumatic as the crime itself. 

“Our systems are not very well designed, and they certainly aren’t victim-centred,” Dr Cross says. “If my wallet gets stolen or my house gets broken into, I will generally go to the police to file a report in the first instance. But for the various types of cybercrime, there are a multitude of agencies that might be relevant to a victim’s circumstances. 

“They might need to talk to the police, but they might also need to talk to banks, consumer protection agencies, government agencies, perhaps even a private organisation. It can leave them feeling like they’re not being heard, and it creates a merry-go-round effect as victims are passed around from one organisation to the next. They sustain additional trauma, and frustration, and a huge sense of anger at not being acknowledged, not being listened to, and not being able to find anyone who can assist them with their personal circumstances.” 

In Australia, there is a central reporting mechanism for victims of cybercrime, but Dr Cross says that comes with its own challenges. 

“ReportCyber is the online reporting mechanism for cybercrime in Australia, but from a victim perspective, you can see how that might not be ideal,” she says. “Victims who have been deceived or defrauded and lost money or data online are then directed to go online and provide all of their personal details and the details of what happened, and send that information into a black hole that doesn’t give them a personalised response and might not lead to any further interaction or communication.”

In a recent study on the police response to cybercrime for the Australian Institute of Criminology, Dr Cross and co-authors Dr Thomas Holt, Dr Anastasia Powell and Dr Michael Wilson found that community members are more likely to express confidence in the police response to cybercrime than the police themselves. 

They surveyed hundreds of officers in Queensland and New South Wales, as well as thousands of community participants, and found that police consistently reported lower confidence in their capabilities to investigate cybercrime – most likely because they’re more aware of the difficulties cybercrime presents for law enforcement in reality, with its technical complexity and cross-jurisdictional nature.

Adding to the frustration and stigmatisation that those who have fallen prey to cybercriminals can feel, police tend to prioritise their work according to a sense of ‘ideal victimisation’. Observations of police control rooms in the UK, for instance, have found that the perceived ‘blamelessness’ of cyber-harassment victims will influence whether or not police decide further investigation is warranted.

All told, it can add up to a deeply unpleasant experience for victims of cybercrime who might be expecting their complaint to be taken more seriously than it is. 

“It’s frustrating for victims to go to the police, be told the police can’t take the complaint, and then be referred online to ReportCyber, when they’re expecting a different outcome,” Dr Cross says.   

The business impact 

The impact of cybercrime on businesses might be better understood than the psychological impact of cybercrime on individuals, but there’s still a lack of awareness about the reality of the situation. 

For one thing, it’s naive to think that the business impact of a hack is limited to money. This year in Australia alone, Victorian health operator Eastern Health was forced to postpone elective surgeries at four hospitals in Melbourne’s east because of a cyber attack, while Queensland health and community care provider UnitingCare Queensland, which runs numerous hospitals and aged care and disability services throughout the state, was suspended from the national My Health Record system after falling victim to a cyber hack, leaving patient records unable to be accessed online. 

Most jurisdictions require data breaches to be disclosed. In Australia, when a business covered by the Privacy Act 1988 has reason to believe a data breach has occurred, they have to notify the Office of the Australian Information Commissioner. They also have to notify any individual at risk of being affected, and let them know what the company is doing to mitigate that risk. 

It can take time for the true impacts of such a breach to reveal themselves. It was only this year, for instance, that National Australia Bank revealed it had paid $686,878 in compensation to customers exposed in a 2019 data breach, when personal account details of about 13,000 customers were uploaded online. 

The costs included the reissuance of government identification documents, as well as subscriptions to independent, enhanced fraud detection services for the affected customers. But that’s unlikely to be the full price of the breach for NAB – the bank also hired three cyber-intelligence experts to investigate the breach at the time, the names and cost of which remain unknown. 

The average cost of a cyber attack on a business is a matter of some debate. The Hiscox Cyber Readiness Report of 2021, which surveyed 1,709 firms around the world that tracked the cost of cyber attacks, noted a wide range of outcomes “that should send a chill down any CEO’s spine”. One in six of all firms that were attacked over the past year said the impact was serious enough to ‘materially threaten the solvency or viability of the company’. 

According to the Hiscox report, the median cost for all attacks on firms with under 10 employees over the last year was just over US$8,000. At the 95th percentile, however, there were firms suffering losses of US$308,000, with one German firm having to pay the equivalent of US$474,000 per employee.

For enterprise-scale firms, the median cost was US$24,000, but at the 95th percentile, firms were suffering losses of US$462,000. 

But those numbers pale by comparison with the Cost of a Data Breach Report 2021 from IBM and Ponemon, which studied the impacts of 537 real breaches across 17 countries and regions. Their report found the average cost of a breach currently sits at a staggering US$4.24 million, a 10 per cent increase from last year. Ransomware breaches were particularly costly, at an average of US$4.62 million. 

The IBM and Ponemon report took into account hundreds of cost factors, from legal implications and regulatory requirements to loss of brand equity, customer turnover, and the drain that managing a breach has on employee productivity.

Breaches were costliest in the heavily regulated healthcare industry (US$9.23 million), a logical result given the additional sensitivity of medical records, with less regulated industries such as hospitality (US$3.03 million) sitting at the opposite end of the spectrum.

Lost business represented the largest share (38 per cent) of breach costs. Lost business costs include business disruption and revenue losses from system downtime, customer turnover, reputation losses and diminished goodwill. 

The average cost per record of personally identifiable information was US$180. Mega breaches involving at least 50 million records were excluded from the average, with a separate section of the report noting that they cost 100 times more than the average breach. 

The report found the average breach takes 287 days to identify and contain, with the cost increasing the longer it remains unidentified. When it comes to cybercrime, at least, time really is money.  

The report confirmed that costs accrue over several years. While the bulk of a data breach cost (53 per cent) is incurred in the first year, another 31 per cent is incurred in the second year, and the final 16 per cent is incurred more than two years after the event.

In 2019, a Deloitte report determined that up to 90 per cent of the total costs in a cyberattack occur beneath the surface. 

Traditional approaches to calculating the cost of cybercrime have focused on the theft of personal information, because the data is readily available and the costs are relatively quantifiable.

But the Deloitte report argued that ‘hidden costs’ – including the theft of intellectual property, the disruption of core operations and the destruction of critical infrastructure, as well as insurance premium increases, credit rating impact, the loss of customer relationships and brand devaluation – are the real killers when a cyber attack occurs. 

Dr Cross says communication in the aftermath of a breach is crucial for mitigating an attack’s impact. 

“The tone of communications is so important, in terms of how the attack impacts their reputation and how they can move forward from it,” she says. 

“Data breaches are not new. Sadly, they’re very common at this point, and we see them quite often in the media now. But there are companies who deal with them better than others, in terms of the way they communicate with victims and the way they communicate publicly about what’s happened. 

“I think it’s something that every company should anticipate and have a strategy for dealing with. Not if this happens, but when this happens, this is what we’re going to do. There have been some great examples of this – there was some very positive commentary around the Red Cross’ response to their breach, in terms of the way they immediately notified the affected individuals, took responsibility for it, and put forward their plan for what they were going to do in the future. 

“On the other hand, we’ve seen companies suffer data breaches and put out comms saying, ‘There’s nothing to see here, there’s no risk, nothing happened’. That’s not very helpful for the individuals who might have been affected, and it’s probably not true, either.” 

The IBM and Ponemon report found that organisations who had formed incident response teams and tested their incident response plans had an average breach cost that was US$2.46 million lower than organisations with no incident response team or plan in place. 

Dr Cross also recommends backing up data regularly, “so if you’re subject to a ransomware attack and your files are encrypted by an attacker, you don’t lose everything”. 

The use of strong encryption has also been found to be a top mitigating cost factor. By encrypting files, businesses can ensure that if and when they suffer a breach, any files an attacker gains access to will be worthless to them without an encryption key. 

The IBM and Ponemon report found that organisations using high-standard encryption – at least AES-256, at rest and in transit – had an average total breach cost of US$3.62 million, compared to US$4.87 million for organisations using low-standard or no encryption. That’s a difference of 29.4 per cent.

When you consider the real costs of cybercrime, it’s clear that every organisation has a strong imperative to protect their data – not just financially, but morally and ethically, knowing that every breached record has the potential to have a devastating impact on the individual who’s at risk of being affected. 

Ultimately, Dr Cross says victims of cybercrime are part of a hidden, but growing, epidemic.

“I think there needs to be greater acknowledgement of victimisation,” she says. “I spoke to a victim recently who lost a lot of money. She spoke to a staff member at the bank, and that staff member actually just took the few extra minutes to explain to her what had happened, how she’d been defrauded, and how she could protect herself in the future. 

“He didn’t make promises about how she could get her money back, he didn’t resolve the situation for her, but she felt a lot better having had that phone call with him. She felt like she had a better understanding of the situation, as opposed to many other victims who are explicitly blamed for what’s happened, told it’s their fault and told there’s nothing that can be done. 

“I think organisations can do a lot for victims of cybercrime just by listening to them, acknowledging what’s happened, and being truthful and upfront with them – not leading them on about the potential for some sort of international sting to take down the offender networks that might have been involved. 

“That’s what happens on television, but unfortunately, we know that’s not what happens in reality.” 

Decoded: Cybercrime jargon explained

Can’t tell your malware from malarkey? Do you think phishing is something you do with your mates on the weekend? If you’re sick of just smiling and nodding politely when the subject turns to cybercrime, you’re in luck – we’ve broken down the meanings of the most common cybercrime terms here.

Account harvesting: Collecting email accounts that are in the public domain or using software to collect email addresses that are stored on a computer. These accounts are often used later for spamming. 

Attack surface: The sum of the different points in a system that an attacker could potentially breach. Your attack surface is essentially your digital footprint, and the larger it is, the more chances there are that an attacker could find exploitable vulnerabilities in it. 

Back door: A means to access a system that bypasses the normal security measures. Back doors are sometimes created deliberately by developers as a troubleshooting tool, and sometimes installed as part of a cyber attack by criminals who return to exploit it later.

Black hat: A person who hacks into a computer system with malicious intent. Bad guys. 

Browser hijacking: Software that can modify a user’s browser settings without their knowledge or consent, often to inject unwanted content or advertising. 

Brute force: A process of attempting to crack a cryptographic key or password by systematically trying every possible combination until you find the right one. 

Business email compromise: When criminals use email fraud to target business, government and non-profit organisations. This can include impersonating businesses by using similar names and domains, or even impersonating specific co-workers by compromising their email accounts. From here, the criminal can raise false invoices or change banking details so that money is sent to their account, among other scams.

BYOD (Bring Your Own Device): An IT policy that allows employees to access a business’ systems and data using their own personal tablets, computers and phones, broadening that business’ attack surface. 

Countermeasure: Techniques, actions and procedures to minimise the threat of a cyberattack by using cyber security and other measures. 

Cryptographic key: A string of seemingly random characters that, when processed through a cryptographic algorithm, can encrypt data to make it unreadable ciphertext, or decrypt it to make it plaintext. Just like a physical key, it’s used to ensure that only the people in possession of it can lock and unlock data. 

Dark web: The dark web contains websites that aren’t indexed by search engines, and are only accessible through specialised browsers and software. The dark web can be used for highly illegal activity, including extorting ransomware payments, by users who wish to remain anonymous. 

Data at rest: Data that’s stored in any digital form on a computer. 

Data in transit: Data that’s moving between locations, either through the internet or a private network. 

Denial-of-service (DoS) attack: An attack that makes a system or network unavailable to its legitimate users, rendering it effectively unusable. This is usually done by overloading the system with more requests than it can handle. 

Double extortion: A similar process to ransomware (see below), but the hacker will also threaten to publish the data publicly if the ransom is not paid. 

Encryption: The conversion of readable plaintext data into unreadable ciphertext. A strong security measure against cyber attacks, it makes data virtually useless to anyone who accesses it without the cryptographic key required to unlock it.  

Firewall: A computer security system that filters incoming and outgoing network traffic based on certain security rules. Firewalls are intended to prevent unauthorised users from accessing the network, although there are ways for attackers to bypass them.  

Grey hat: A hacker who uncovers security flaws using illegal or unethical means, usually without the owner of the system’s knowledge or consent. However, they don’t have the malicious intent of a ‘black hat’ hacker. Morally ambiguous guys. 

Incident Response Plan: A set of instructions on how to deal with a cyber security issue including preparation, detection, response and recovery. 

Keystroke logger: Software that covertly records and captures the keystrokes on a computer without the knowledge of the user. This can be used to collect confidential information, including banking logins and other sensitive passwords. 

Malvertising: Short for ‘malicious advertising’, it’s the injection of malicious software into legitimate advertising networks and pages, using the ads themselves as a way to gain unauthorised access to the systems that display them. 

Malware: Short for ‘malicious software’, it’s any harmful computer program that can be used by hackers to gain unauthorised access to sensitive data in a server, computer or network. Worms, viruses, trojans and spyware are all classic examples of malware. 

Multi-factor authentication: An electronic authentication method that requires two or more pieces of proof to access a website or application. 

Phishing: Sending untargeted mass emails, social media and text messages to a large volume of people in an attempt to gain sensitive information, such as banking details and log-in credentials. 

Piggyback: Using a wireless internet connection that belongs to someone else without their knowledge or permission. 

Ransomware: Malicious software designed to encrypt files or restrict access to systems, rendering them unusable until a ransom payment is made. 

Social engineering: Psychological manipulation tactics used to get people to divulge confidential information or perform certain actions. Much of what people think of as ‘hacking’ is really just old-fashioned social engineering.  

Spoofing: Not as funny as it sounds, this is the act of disguising communication from a malicious source to impersonate a legitimate, trusted source. This can apply to emails, websites, text messages and phone calls. 

Spyware: Malware designed to gather data about you via surveilling your device, without your consent. This data is often forwarded to a third party who can use it for nefarious means. 

Trojan: Malware that’s disguised as legitimate software in order to gain access into a computer or network. You’ve heard of a Trojan horse, right? It’s that, but with software. 

White hat: A non-malicious user who ‘hacks’ into a computer or network to expose security flaws or evaluate security systems with the owner’s consent, so they can find their vulnerabilities. Good guys.  

Worm: Every bit as slimy as it sounds, this is malware that can self-replicate and copy itself across a network, without the need for host software or human intervention. 

Want to learn more? Visit cryptoloc.com/blog for more cybersecurity explainers. 

Blurred lines: How your employees’ home WiFi connection could be putting your data at risk

With society on a rollercoaster ride of lockdowns and social restrictions, working from home has become commonplace. But while most people have adapted to this new normal, corporate cybersecurity seems to be stuck in the pre-pandemic past – and cybercriminals are taking advantage.

With just over 40% of employees working remotely at least one day per week at the start of 2021, home networks are increasingly being used for professional purposes. It’s a societal shift that has significantly widened the attack surface for cybercriminals, and increased the risk of sensitive data falling into the wrong hands, as home WiFi networks tend to be a much easier target for hackers than the typical business network. 

That’s because home networks are less likely to be secured behind firewalls than office networks, and are often reliant on consumer-grade modems and routers that come with obvious security vulnerabilities. Worse yet, these routers are likely to be shared with private devices and consoles. 

Cryptoloc founder Jamie Wilson says that in the unavoidable rush to embrace working from home, businesses have been forced to live with these weaknesses, contributing to a recent spate of ransomware attacks.

“The boom in remote working caused by COVID-19 has dramatically increased IT vulnerability, especially for businesses that haven’t tracked which of their devices are being used by their employees on home networks,” Jamie says. 

“In reality, they have lost control of the security of their WiFi connections. With employees operating across different networks in multiple locations, using the same devices for work and personal purposes without the benefit of their organisation’s security perimeter, the attack opportunities for cybercriminals grow exponentially.”

Fortunately, there are a number of things your employees can do to make their home internet connection more secure.

How to harden a home WiFi connection 

Change router passwords 

A router creates a network for devices, and has its own password. If a cybercriminal is able to gain access to a WFH employee’s router, it’s only a matter of time until they can gain access to your business’ data. 

Many routers ship with a default username and password, and because these passwords are often publicly available online, a cybercriminal can gain access to a router by simply working their way through a list of makes and models. It’s imperative, then, that employees change the password to something that will be difficult to guess. 

Router settings can usually be accessed by typing ‘192.168.0.1’ or ‘192.168.1.1’ into a browser. As well as changing the password, the SSID – the name of the wireless network – can also be changed, to make it more difficult for cybercriminals to identify. This probably goes without saying, but names, home addresses, and anything that could be used to identify your employee or your business should be avoided when resetting the SSID. 

Update firmware 

While most people know to regularly update devices like laptops and phones to get the latest security patches, routers are often overlooked. But exactly the same principle applies: router firmware needs to be updated regularly to address and close off security vulnerabilities before cybercriminals can exploit them. 

To make sure they’ve got the latest firmware installed, employees can log in to their router settings and check for updates. Some routers even have a button that can be pressed to automatically check if a more recent update is available. 

Disable remote management 

The remote management feature on a modem or router is intended to make it easier to access its settings from a remote location. Since most employees will never need to use this feature, and leaving it on makes it easier for cybercriminals to gain access to your network, it’s a good idea to disable this function and prevent outsiders from being able to tamper with it. 

Enable ‘guest’ networks 

If visitors need access to your employees’ home network, they should enable the ‘guest’ WiFi feature. This way, they won’t need to share their real WiFi password, and the guest user won’t be able to access the rest of their network or change their WiFi settings. 

Similarly, if your employees’ WiFi access point enables them to create multiple networks, then they should be encouraged to put their private devices on a separate network to the one they use for work – so that even if one of those personal devices is hacked, the work device will remain secure. 

Employees can also limit their network access to specific MAC (Media Access Control) addresses. To identify a MAC address on a Windows device, just open a Command Prompt and enter ‘ipconfig /all’. The addresses of the desired devices can then be added to the router settings, and only those listed devices will be able to connect to the WiFi. 

Utilise firewalls and VPNs 

Most companies have firewalls in place to protect their office network, but the same can’t be said for home networks. If it’s practical – and particularly if a WFH employee is going to have access to a significant amount of sensitive data – you could consider installing firewalls to protect your employees’ home WiFi systems. 

Similarly, if you have a secure corporate VPN (Virtual Private Network) that you use to connect devices to your network and authenticate information before it’s allowed through your firewall, make sure you specify that employees use this VPN on any devices that they use for work. 

Encrypt, encrypt, encrypt 

Most routers will come with an encryption protocol that employees can enable. If the router was made after 2006, it’ll likely be WPA2, which is still the strongest encryption protocol a router can provide. (If your employees are using routers from before 2006, they should probably strongly consider replacing them, anyway.) 

Encryption is important because it protects your data when the other protections you have in place fail, so that even if an attacker gets into your network, the data they find there will be of no value to them without an encryption key. 

Unfortunately, the built-in WPA2 protocol is relatively easy for a skilled hacker to exploit – so to ensure your data is truly secure, you should use Cryptoloc’s ISO-certified encryption technology.

Cryptoloc’s patented technology combines three different encryption algorithms into one unique multilayer process, ensuring that businesses and their customers can interact securely, with each piece of data assigned its own separate audit trail, and every user and action verified and accounted for. 

Cryptoloc’s technology also encrypts data while it’s in transit between networks, so your business can continue to flow smoothly and safely, no matter how many of your employees are working remotely on home WiFi systems.

Beware of public networks 

Working from home is one thing. But if your employees are using the free WiFi at a coffee shop, library or any other public place, that adds a whole extra layer of risk. 

These networks often require no password, and if your employee sets their device to remember the network, it will then automatically join any other network with the same name that isn’t password-protected. A hacker can easily set up a rogue network with an identical name, and use it to access your employees’ device. 

Of course, even that level of subterfuge may not be required – a cybercriminal could simply set up a free WiFi network with any legitimate-sounding name and use it to steal valuable information. 

Make sure your employees know not to let their devices automatically connect to free hotspots, or to remember networks their devices have joined. You should also make sure they have file sharing turned off, so their files can’t be accessed by other people on the same network. 

As a general rule, it’s best to avoid using public WiFi for work purposes altogether – no matter how tempting it is to take advantage of a freebie. 

Ultimately, securing your network while employees are working remotely will require a level of trust in your people to do the right thing.

“Organisations need to ensure that all of their employees are aware of the importance of timely patching, and regularly briefed on the latest techniques being utilised by cybercriminals,” Jamie Wilson says. 

“It’s every organisation’s responsibility to engage their employees with that training – because while it may seem time-consuming, it’s vastly preferable to the alternative.”  

The shift in cybersecurity: It’s time to stop focusing on your perimeter and start focusing on your data

It’s a sad fact of life in 2021 that cyberattacks are inevitable and data breaches are highly likely. So why are so many businesses focused on keeping cybercriminals out, instead of limiting what they can do once they get in? 

Most enterprises are aware of the need to protect themselves from cyberattacks, and employ some form of perimeter security to that end, whether that’s in the form of network firewalls, anti-malware software, intrusion detection and prevention systems, or all of the above. 

Over time, and in line with the WFH explosion, that perimeter security mindset has expanded to endpoint security – the practice of securing network-enabled devices like desktop computers, laptops and mobile devices from attack. 

But despite these efforts to keep bad actors out of their environment, businesses are falling prey to cyberattacks with alarming regularity. A recent Australian Institute of Criminology report estimated the total annual economic impact of cybercrime in Australia at $3.5 billion, while the FBI reported a 400% increase in cybercrime after the onset of COVID-19. 

A report into the economic impact of cybercrime by McAfee and the Center for Strategic and International Studies (CSIS) found the global losses from cybercrime had reached almost $1 trillion by the end of 2020, while the number of groups launching ransomware attacks grew month on month throughout 2020.

Cybercrime is spiralling out of control, despite significant investments in perimeter security – and there’s a simple reason for that. 

The limits of perimeter security 

The reality is that you can have all the protection mechanisms in the world in place, but one human interaction can bypass all of them. 

That’s not to say perimeter security isn’t important. Of course it is – there’s no point making a cybercriminal’s life any easier for them, and perimeter security certainly plays a role in reducing risk. It’s just not the be-all and end-all that some businesses might think.

The ever-increasing interconnectivity of networks, and the sharing of information across them, is providing cybercriminals with more opportunities to seize data, as this data is often less secure while in motion (i.e. actively moving from one location to another). 

And while networks have become more secure, social engineering – the old-fashioned art of the con, exploiting human error and psychology – remains the most effective way to bypass an organisation’s defences. 

Social engineering is less of a hack, in the traditional sense, than it is a trick. A phishing email is a social engineering scam, for instance. And as the world becomes more connected, and more information about a business’ employees becomes available online, it becomes easier for attackers to trawl for details that will make these tricks more compelling and convincing. 

Once an attacker finds their way into your infrastructure through a careless or compromised user on the inside (or even, for that matter, a malicious user like a disgruntled employee), perimeter security is powerless to do anything about it. 

Cybersecurity expert Mathias Gaertner, Director of the Technical Advisory Board at the Australian Computer Society (ACS), says perimeter security fails to take into account the human factor.

“With ransomware, it’s usually the user who invites in the intruder through clicking a link in a phishing email that installs spyware,” he said. “This constitutes a breach which a firewall can’t work against.

“It’s like a castle with a moat, but everyone inside has the freedom to do whatever they want within those walls.” 

Cryptoloc founder Jamie Wilson agrees that perimeter security has its limitations.

“Think of it like a house,” he says. “The perfect home security system has got CCTV cameras, bars and security screens on the windows, double deadlocks on the door, a massive fence and maybe even a couple of vicious dogs. Those are your perimeter controls.

“But the weakest link in that security system is the person who’s already inside the home, and is scammed into letting a criminal walk through the front door. Well, it’s the same with an employee who opens a phishing email, or connects to the wrong IoT device – before you know it, the cybercriminals are inside your system, and your perimeter controls that were supposed to stop anyone from getting in can’t protect you.”

As soon as an attacker can convince a user to do something for the attacker’s benefit, they’ve effectively bypassed whatever perimeter security controls an organisation might have in place – but there is still a way for that organisation to take back control. 

Beyond perimeter security 

Ultimately, the key to overcoming the limits of perimeter security is to put data security first.

After all, your data is your bedrock – it’s the reason you have perimeter security controls in place in the first place, and it’s what cybercriminals are after when they attempt to breach those controls. 

Cybercriminals are increasingly utilising a tactic known as ‘double extortion’. Not only do they force organisations to pay a ransom to unlock their encrypted files, but they also threaten to leak the data in those files if the ransom isn’t paid.

Compliance requirements, such as the European Union’s groundbreaking General Data Protection Regulation, have also highlighted the role of data privacy, and the need for organisations to place a greater emphasis on data security. 

But too often, businesses overlook or neglect the role of data-centric protection in a comprehensive security solution. 

Essentially, it’s a matter of changing your mindset to focus more on the outcome of a cyberattack (the loss of data) than the method of attack (such as a perimeter breach).

It’s the data breach, not the unauthorised access to your network, that will truly cost you – not just in terms of whatever it costs to recover that data, but also because of the reputational hit your business will take, and the potential legal ramifications you could face in the form of lawsuits from aggrieved customers and fines from regulators.   

Encryption technologies, such as Cryptoloc’s patented three-key encryption technology, enable you to protect your data when perimeter security and the other controls you have in place fail. Cryptoloc’s technology also encrypts data while it’s in transit between networks. 

Encryption renders stolen data worthless to anyone who gains access to it without authorisation. Even if an attacker breaches your perimeter and gets into your network, what they find there will be of no value to them if the data is securely encrypted.  

“If the intruder is within the network or firewall, but the data is encrypted,” Mathias Gaertner says, “it makes that data useless to them.” 

It’s also important to back up your data as often as possible, so that it’s easily recoverable in the event of a breach and you won’t be beholden to a cybercriminal to get it back. You should also track changes to your data, in case an attacker has had access to your system for some time before being discovered. 

With Cryptoloc Cloud, for instance, you can see exactly who accessed your data and when, with every user and action verified and accounted for. You can then safely access any version of your content at any time. 

Having control over that data – choosing who has access to it, and knowing what they do with it – is the only way to secure your system in the event of a perimeter breach. 

There’s no doubt that investing in perimeter security is worthwhile. But to truly reduce your risk and combat the threats posed by today’s cybercriminals, securing your data should be your top priority.

Why encryption is a must for business owners

How valuable is your data? Can you afford to lose it? If not, it’s time to consider the role that encryption can play in protecting your systems from ransomware and other forms of cybercrime.

Cybercrime is increasing at an alarming rate, targeting both businesses and individuals, with a recent Australian Institute of Criminology report estimating its total annual economic impact in Australia at $3.5 billion. And the more complacent people are about the risks of data theft, the easier targets they become.

Mathias Gaertner is a world-leading expert on cybercrime. He serves as external Data Privacy Officer for over 30 companies across Europe, and was a Lecturer of Information Science for 16 years. As an Expert Witness for Systems and Applications of Information Technology for the German Government, Mathias argues encryption is an effective way to protect data against ransomware attacks and unwelcome intruders. 

“Encryption is a way to make sure that only the people with the correct decryption key can access your data,” he says. “Encryption helps to mitigate the risk of an attack or intrusion.

“If someone intrudes in your computer, they can see all of the files. However, if the files are encrypted, they can still see the files, but not the content of those files. And if the person can’t see the content of the file, they can’t make use of it. It doesn’t necessarily protect against stealing the files, but it makes that data unusable for others.”

Debunking the myth

Gaertner says it’s a myth that passwords, firewalls and other forms of perimeter security are sufficient protection against a cyber attack.

“The paradigm needs to change,” he says. “For the past 20 years we have been teaching people that this type of security is sufficient. But perimeter security doesn’t take into account the human factor.”

Gaertner says social engineering activities – ‘hacks’ achieved through human interactions – are what most often lead to people unwittingly inviting intruders into their network, leaving them vulnerable to ransomware.

“With ransomware, it’s usually the user who invites in the intruder through clicking a link in a phishing email that installs spyware,” he says. “This constitutes a breach which a firewall can’t work against.

“Perimeter security does not take into account intrusions from inside the firewall or network. But even if the intruder is within the network or firewall, if the data is encrypted, it makes that data useless to them.”

“It’s not a question of if you will be hacked, but a question of when”

For some cybercriminals, access to intelligence is the target. This is especially true of places like research labs, where there may be sensitive data or patented ideas stored within the network. 

“Gaining intelligence about someone’s work, patent or research can be a cyber criminal’s main interest,” Gaertner says.

But even if you’re not running a research lab, or another type of business that would seem to make an obvious target for cybercriminals, Gaertner says encryption is a must. 
“If you have data that is worth protecting, you should protect it with reasonable means,” he says. “Encryption helps mitigate against a successful attack against your systems. 

“It’s not a question of if you will be hacked, but a question of when. But even if you are hacked, the attacker shouldn’t be able to access your files if they’re encrypted.” 

After all, there’s often little rhyme or reason to where cybercriminals attack. The recent Microsoft Exchange attack, for instance, saw hackers take advantage of an identified attack vector to compromise at least 30,000 email systems, including schools, hospitals, city councils and businesses. 

The goal was to smash and grab as much data as possible before the vulnerability was closed, regardless of where the data came from, and make sense of it later. 

“I don’t see there being any businesses that shouldn’t use encryption,” Gaertner says. “It is easy to obtain and maintain, and the downside of not using it is significant.” 

How important is your data?

When choosing the level of encryption your business requires, Gaertner says it’s essential to consider what’s stored in your files, and what that could be worth to someone looking to either steal the intellectual property or place a ransom on the data. 

“The more important the information, the harder type of encryption you should use,” he says. “You have to find the right balance between the different types of encryption. There is everything from encrypting on a file level, where every file has its own password to access it, down to an encrypted disk that’s decrypted when the computer boots. You should consider how much security you need by how much worth there is in your data.” 

If you decide your data isn’t important, you’d better be sure about it – because even your employees’ personal information could become a target.

“Each business owner needs to think about the personnel intelligence stored in their data,” Gaertner says.

“All the information about their employees’ personal details – contact details, bank account numbers and addresses – can also be compromised, and people can have their identity stolen. Without using a suitable method of encryption, you, as a business owner, made it possible for that data to be stolen.

“You have to be able to understand the ‘what if?’ scenario. It’s like insurance: an intruder in the network may not be an everyday occurrence, but by using encryption, you are insuring yourself against the worst case scenario if there is a breach.” 


The new cartels: Who’s behind the rise in cyber crime?

Forget the Hollywood stereotype of the lone hacker living in his mother’s basement and plotting his revenge against the world. Today’s cyber criminals are organised, sophisticated and sometimes state-sponsored. 

US officials have confirmed the world’s worst-kept secret – that hackers tied to the Chinese government were responsible for the massive Microsoft Exchange hack earlier this year, thought to be one of the largest cyber attacks in history. 

Hackers contracted by China’s Ministry of State Security are believed to have gained access to the email systems of tens of thousands of private users and public entities, including schools, hospitals and city councils. 

Microsoft blamed the attack on state-sponsored hackers operating out of China at the time, but it’s taken until now for the US and its global allies – including Australia, the UK and the EU – to formally accuse and publicly condemn China for the attacks. 

Of course, the Microsoft Exchange breach is just part of a recent uptick in cyber crime, which has seen a 200 per cent increase in reports of ransomware to the Australian Cyber Security Centre in recent months. 

So how did cyber crime become such serious business, and who’s behind the malware that’s enabling it?

The rise of ransomware

Ransomware – a form of malware that encrypts the victim’s files, enabling the attacker to demand a ransom for their return – has come a long way since the early days of the AIDS Trojan in 1989. 

The first known instance of ransomware, the AIDS Trojan hid files on the user’s hard drive and only encrypted their names, not the files themselves. It displayed a message demanding a payment of US$189 to the ‘PC Cyborg Corporation’ in return for the repair tool – which was actually completely unnecessary, because the decryption key could be extracted from the code of the Trojan itself. 


Dr Joseph Popp was identified as the author of the AIDS Trojan and charged with blackmail. A Harvard-trained evolutionary biologist who collaborated with the AMREF Flying Doctors and consulted for the WHO in Kenya, Popp had actually organised a conference for the Global AIDS Program the same year he created the AIDS Trojan, and later promised to donate the profits from the AIDS Trojan to fund actual AIDS research. (He was ultimately declared mentally unfit to stand trial.) 

Much like low-rise jeans, trucker hats and velour tracksuits, it wasn’t until the early-to-mid 2000s that ransomware really began to take hold. Trojans known as GPCode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive began using more sophisticated encryption schemes – by June 2008, GPCode was using a 1024-bit RSA public key, which would have taken computers at the time roughly two million years to crack. 

The decentralised and anonymous nature of Bitcoin made the digital currency an instant favourite with cyber criminals, which led to the creators of CryptoLocker (no relation) collecting roughly US$27 million with their ransomware. A string of copycat variants with names like CryptoLocker 2.0 and CryptoBlocker followed, all with roughly the same MO – the victim would have three days to pay a bitcoin ransom, or the files would be deleted. 

These early ransomware techniques all relied on the desire of victims to get their files back to motivate them to pay the ransom. But the current ransomware technique du jour, ‘double extortion’, puts a twist on the formula. In a double extortion attack, the criminals don’t just encrypt the victim’s data, but they also copy it to a server of their own. 

That way, even once the victim pays the ransom to decrypt the data, the criminals still have their copy, and can demand a second ransom – a double extortion, if you will – by threatening to leak it publicly. 

Ransomware group REvil were the first to use the double extortion tactic in June 2020, when they began auctioning off data stolen from a Canadian agricultural production company that refused to meet their ransom demands. But since then, a number of ransomware groups have adopted the tactic. 

Gangs of New Dork 

Particular ransomware strains have traditionally been associated with particular ransomware groups, who would dissolve after a few big scores and then re-emerge with a new name. 

But now, according to a recent report by cyber risk analytics provider CyberCube, these groups have evolved into cyber ‘cartels’ that operate much like the mafia, collaborating as affiliates to infiltrate their targets’ networks. They share resources, pass on stolen data and attack information, and have even developed a Ransomware-as-a-Service model, sharing their wares with lone scammers in return for a slice of their profits.  

Under the Ransomware-as-a-Service model, newcomers to the ransomware scene don’t need to have the know-how to develop their own malware, so even the most technically challenged cyber criminal can get amongst it. They’re not likely to pull off big scores on their own, but the relatively small amounts they extort from individuals add up – a new Australian Institute of Criminology report estimated the total annual economic impact of cyber crime at $3.5 billion in Australia alone, with $1.9 billion lost by individual victims. 

High-profile cyber gangs include: 

Rogue nations 

Cyber gangs are one thing – but it now appears that at least some of these gangs are on the payroll of rogue governments, and operating at their behest.

The United States took the unprecedented step of formally attributing the Microsoft Exchange attack to hackers affiliated with China’s Ministry of State Security this month, and charging four Chinese nationals – three security officials and one contract hacker – for their role in it. 

Pulling no punches, US Secretary of State Antony Blinken directly accused China of fostering an ecosystem of criminal contract hackers to carry out state-sponsored activities and extort businesses for their own financial gain. 

“These contract hackers cost governments and businesses billions of dollars in stolen intellectual property, ransom payments, and cyber security mitigation efforts, all while the Ministry of State Security had them on its payroll,” Blinken said. 

The US was joined by allies Australia, Canada, Japan, the United Kingdom, New Zealand and the European Union in calling out the Chinese government.

The working theory is that hackers working at the behest of Chinese intelligence learned about Microsoft’s vulnerability in early January. When they learned that Microsoft intended to patch or close the vulnerability shortly, they shared it with other China-based groups, helping them hack Microsoft like a sinister version of Clippy the Office Assistant. This effectively escalated the attack from your typical espionage operation to a smash-and-grab raid. 


By the time Microsoft closed the vulnerability in March, about a quarter of a million email systems around the world had been exposed, and at least 30,000 had been compromised, including schools, hospitals, cities and pharmacies. 

According to a memo released by the White House, hackers linked to China are still “aggressively” targeting US and allied defence and semiconductor firms, as well as medical institutions and universities, with the intent of stealing their data. 

This isn’t the first time China has been linked to these sorts of shenanigans. Australia’s decision to name and shame China comes after Prime Minister Scott Morrison warned that a state-based actor was behind a series of cyber raids on hospitals, councils and state-owned utilities in June 2020 – but although Australian security agencies believed China was behind those attacks, Morrison stopped short of identifying them then. 

One nation that’s probably happy to see China under the spotlight is Russia, which has tended to get the most attention for these types of attacks. DarkSide, the group that extorted a US$4.4 million ransom from the Colonial Pipeline Company in the US, is believed to be based in Russia, although it’s unclear if they’re actually state-sponsored or if Russia simply serves as a ‘safe haven’ for hackers. 

Russian hackers are generally considered to have a looser connection to official Russian intelligence agencies than their Chinese counterparts, although sanctions were recently placed on Russia for the infamous ‘Sunburst’ attack on US software company SolarWinds. 

The attack affected thousands of governmental and private organisations around the world, and while its full impact is yet to be calculated, it’s been reported to have cost cyber insurance firms at least US$90 million.  

While China and Russia get the bulk of the publicity, they’re far from the only governments to have been involved in malicious cyber activity. But when nations are involved, the line between cyber crime (bad) and espionage (good?) often becomes murky. 

After being accused of cyber crime by most of the free world, China responded with an official statement that called the US “the world champion of malicious cyber attacks”. 

“It is well known that the US has engaged in unscrupulous, massive and indiscriminate eavesdropping on many countries, including its allies,” the statement read. 

“Australia also has a poor record, including monitoring the mobile phone of the president of its biggest neighbour country, not to mention acting as an accomplice for the US’ eavesdropping activities under the framework of the Five Eyes alliance.

“What the Australian government has done is extremely hypocritical, like a thief crying ‘stop the thief’,” the statement continued.

At roughly the same time that the US accused China of the Microsoft Exchange attack, a new investigation dubbed “the Pegasus Project” revealed the extent of Israeli technology firm NSO Group’s involvement in targeting thousands of heads of state, activists, journalists and dissidents around the world. 

Their Pegasus spyware, which is licensed to foreign governments by the Israeli Ministry of Defence, is said to have enabled human rights violations on a global scale, including the murder of reporter Jamal Khashoggi by agents of the Saudi government with a bone saw in the Saudi Arabian consulate – a scenario that sounds like a cross between Clue and Cards Against Humanity.

Pegasus infects iPhones and Android devices, allowing operators to extract messages, photos and emails, record calls and secretly activate microphones and cameras. 

Of course, you don’t have to be a head of state, a CEO or a crusading reporter to be concerned about cyber crime. The purpose of these attacks is to steal data – and if you’ve ever been a customer or a client of a targeted organisation, then that includes your data. 

For instance, the intent of the Microsoft Exchange attack might have been to gather intelligence, but there was little rhyme or reason to who was targeted. The method was simply to hack as many people and organisations as possible in a short time frame and make sense of the data later. 

So while Xi Jinping may not harbour a personal vendetta against you, the collateral damage of an attack like this could see your personal data and private records leaked for the world to see, leaving you open to identity theft, phishing attacks, or worse. 

The rise in cyber crime, then, is everyone’s problem – no matter who turns out to be behind it. 

Recognised by Forbes as one of the 20 Best Cybersecurity Startups to Watch in 2020, Cryptoloc has developed the world’s strongest encryption technology and the world’s safest cybersecurity platform, ensuring clients have complete control over their data. For more information, visit cryptoloc.com.

Tough new cybersecurity rules on the way for Australian businesses

Australian businesses could be made to meet minimum cybersecurity requirements and face tougher penalties for cyber attacks under new rules proposed by a government discussion paper – and it’s not a moment too soon.

Home Affairs Minister Karen Andrews unveiled the discussion paper, Strengthening Australia’s cyber security regulations and incentives, earlier this week. The paper reveals the government is considering a number of cybersecurity-focused reforms to help deliver on last year’s Cyber Security Strategy.

“We cannot allow [cyber] criminal activity to become a significant handbrake on our economic growth and digital security,” Ms Andrews said.

“I want to make sure Australian businesses – big and small – are secure, and consumers are protected.”

New rules

The paper is focused on incentivising Australian businesses to invest in cybersecurity, and reveals the government is considering making company directors personally responsible for cyber attacks, in the same way that they can be held personally liable for breaches of workplace health and safety.

“It is widely accepted that cyber security risks are an increasingly important set of risks that most large businesses, including those established in the corporate form, need to oversee and manage,” the paper reads.

“However, there is no explicit requirement that cyber security forms part of many existing obligations, including those applicable to directors.”

The paper flags the introduction of clear minimum expectations on businesses to manage cybersecurity risks, and proposes legal remedies for consumers when businesses fall victim to cyber attacks.

The paper also raises the possibility of a cybersecurity code being added to the Privacy Act, and the introduction of mandatory expiry dates for Internet of Things devices.

The paper says both mandatory and voluntary requirements are being considered, and flags that while a mandatory standard may be “too costly and onerous” for businesses, a voluntary system could lead to lower compliance.

Even a voluntary approach would see new cybersecurity standards written into the ASX’s corporate governance rules and practices, so companies that chose not to adopt them would be forced to explain why to their shareholders.

The cost of cybercrime

The discussion paper was revealed on the same day as a new Australian Institute of Criminology report that estimated the total annual economic impact of cybercrime in Australia at $3.5 billion, including $1.9 billion lost by individual victims.

The report follows a string of ransomware attacks on high-profile Australian businesses over the last 18 months, including Nine Entertainment, Toll Holdings, BlueScope Steel, and Lion Dairy and Drinks.

Cryptoloc founder Jamie Wilson says this trend will continue without government intervention, and welcomes the introduction of new technical standards – including a requirement for multi-factor authentication – to help protect Australians’ data.

“I believe businesses have a moral obligation to protect their customers’ data,” he says, “but the reality is that, left to their own devices, most executives aren’t going to take cybercrime seriously until they fall victim to a catastrophic attack and their data is compromised. That’s when they’ll turn around and say, ‘We’ve got to do something because it’s happened now and it will happen again’.

“That’s too late and it’s not good enough. We can’t wait for attacks to happen. We have to get on the front foot and treat cybersecurity the same way we treat workplace health and safety. There was a time not that long ago when many businesses took a laissez-faire approach to health and safety, and now it’s everyone’s number one priority, because they have to comply with strict legal obligations.

“We need to see these types of expectations being applied to cyber security. It needs to be a basic policy, for instance, for businesses to start securely encrypting their data, and this needs to be driven from the top down. We need to see the government putting forward cyber practices and policies to protect people – because we can’t wait for businesses to police themselves.

“At the same time, there’s a need for the government to educate businesses and the general public alike about the impact of cybercrime, to illustrate why these measures are necessary.

“My advice to business owners is that you shouldn’t wait until these new rules are introduced to start taking cybersecurity seriously and putting procedures in place to reduce your exposure. You need to start educating your employees now about the importance of timely patching for all of your organisation’s software and devices, and you need to be securely encrypting your data, so you can have complete control over who has access to your information and your customers’ information.

“My company, Cryptoloc, has developed the world’s safest cybersecurity platform by combining three different encryption algorithms into one unique multilayer process, with each piece of data assigned its own separate audit trail – and in today’s landscape, that’s the level of protection required to prevent hackers from exploiting vulnerabilities.”

The new cybersecurity standards will be co-designed with industry. Submissions on the discussion paper are being accepted until 27 August 2021.

How to explain cyber risks to your leadership team

When it comes to communicating cybersecurity risks to boards and executive leadership teams, IT professionals need to learn a whole new type of programming language.

As businesses rapidly digitise virtually every aspect of their operations, the potential fallout of data breaches and ransomware attacks has exponentially increased. But while everyone now understands that cybersecurity is important (at least in theory), not everyone at the top of the org chart is particularly tech-savvy.

A recent Accenture study, for instance, analysed almost 2,000 directors at more than 100 large banks and found that only 10 per cent of board directors and 10 per cent of chief executive officers on boards had any IT experience, and a third of the world’s biggest banks still have absolutely no board members with professional technology experience.

Jamie Wilson, Executive Chairman and Founder of Cryptoloc, says he sees far too many leadership teams taking a laissez-faire approach to cybersecurity, particularly as businesses migrate to the cloud.

“When you push your operations to the cloud, you’re using third-party providers, and that opens you up to a whole lot of vulnerabilities,” he says. “What I often see is that people don’t take enough time to investigate those third-party solutions – they just trust that their cloud provider is secure, and they’re actually not.”

Establishing a common language with high-level execs to educate and advise them about cyber risks can be a significant challenge, but it’s often the only way to get the resources you need – so here are a few ways to get the board on board with cybersecurity.

Don’t bury your message in technical jargon

The technical jargon that tends to be beloved by IT departments can make it difficult for organisations to have the necessary conversations about cybersecurity.

To avoid falling down a rabbit hole of detailed technical explanations and giving yourself a front-row seat to a room full of executives with their eyes glazed over, outline cybersecurity risks in terms of the damage a cyber attack could do to the smooth operation of the business, not to systems that nobody outside the IT department is likely to have a grasp of.

“You’ve got to remember that these are not necessarily technical people,” Jamie says. “You have to be able to explain the problem to your grandmother, and put it in terms that she’ll understand.”

When explaining the importance of encryption and the risks posed by social engineering scams like phishing, for instance, Jamie says he likes to “paint a picture of a house”.

“What does the perfect home security system look like? You’ve got CCTV cameras, you’ve got bars and security screens on the windows, you’ve got double deadlocks on the door, you’ve got a massive fence and you’ve got a couple of vicious dogs. Those are your perimeter controls.

“But the weakest link in that security system is the person who’s already inside the home, and is scammed into letting a criminal walk through the front door. Well, it’s the same with an employee who opens a phishing email, or connects to the wrong IoT device – before you know it, the cybercriminals are inside your system, and your perimeter controls that were supposed to stop anyone from getting in can’t protect you.

“In that situation, you have to rely on your internal controls, which include encrypting and backing up your data so you don’t lose any sensitive information in the event of an attack.”

Use the language of risk management

Your typical board member might not be able to configure a firewall, but they do understand their fiduciary responsibilities and the ever-present language of risk management.

To capture their attention, focus on actual risks to business operations, the likelihood and repercussions of those risks, and the cost of mitigating those risks compared to the cost of doing nothing.

You could enlist the help of a risk management professional who’s well-versed in couching risks in those terms for executives, but if that’s not possible, make sure you clearly prioritise the risks for the board, instead of presenting them with an amorphous jumble of possible scenarios.

As noted in a recent ISACA white paper on reporting cybersecurity risks to boards, “Presenting a full slate of risk scenarios to the board is not beneficial until the scenarios are ordered and prioritised using quantitative measurement that is in a familiar format for executives.

“The members of board committees are adept at managing financial measurements. The more a risk-management measurement resembles the financial statements and income projections that the board typically sees, the easier it is for board members to manage cybersecurity risk.”
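The ISACA point above, prioritising scenarios with a quantitative measure in a format the board already reads, is easier to act on with a concrete calculation. The following is an added example, not code from the article or from Cryptoloc: it turns each scenario into an annualised loss expectancy (events per year times a three-point PERT estimate of loss per event), compares that with the yearly cost of the proposed control to get a return on security investment, and prints the result as a budget-style table. The scenario names, probabilities and dollar figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """One risk scenario, estimated together with the business (all figures illustrative)."""
    name: str
    aro: float           # annual rate of occurrence: expected events per year
    loss_low: float      # three-point estimate of the loss per event, in dollars
    loss_likely: float
    loss_high: float
    control_cost: float  # annual cost of the proposed mitigation
    reduction: float     # fraction of the annualised loss the control removes (0..1)


def pert_mean(low, likely, high):
    """Expected value of a three-point (PERT) estimate; damps the optimistic and pessimistic extremes."""
    return (low + 4 * likely + high) / 6


def annualised_loss(s):
    """Annualised loss expectancy (ALE) = events per year x expected loss per event."""
    return s.aro * pert_mean(s.loss_low, s.loss_likely, s.loss_high)


def rosi(s):
    """Return on security investment: (avoided loss - control cost) / control cost.
    Negative means the control costs more per year than the loss it prevents."""
    avoided = annualised_loss(s) * s.reduction
    return (avoided - s.control_cost) / s.control_cost


def prioritise(scenarios, key="ale"):
    """Rank scenarios by ALE (what hurts most) or by ROSI (where money goes furthest)."""
    rows = [{"name": s.name, "ale": annualised_loss(s), "rosi": rosi(s),
             "control_cost": s.control_cost} for s in scenarios]
    return sorted(rows, key=lambda r: r[key], reverse=True)


def board_table(rows):
    """Render like a line-item budget: one row per scenario, dollars and a return figure."""
    lines = [f"{'Scenario':<32}{'Expected annual loss':>22}{'Control cost':>15}{'ROSI':>8}"]
    for r in rows:
        lines.append(f"{r['name']:<32}{r['ale']:>22,.0f}{r['control_cost']:>15,.0f}{r['rosi']:>8.0%}")
    return "\n".join(lines)


# Constructed sample scenarios (hypothetical numbers, not from the article).
SAMPLE_SCENARIOS = [
    Scenario("Ransomware via phishing", 0.5, 200_000, 600_000, 2_000_000, 150_000, 0.7),
    Scenario("Lost laptop with customer data", 2.0, 10_000, 40_000, 150_000, 20_000, 0.9),
    Scenario("SQL injection in web portal", 0.2, 50_000, 300_000, 1_000_000, 60_000, 0.8),
]

if __name__ == "__main__":
    print("Ranked by expected annual loss:")
    print(board_table(prioritise(SAMPLE_SCENARIOS, "ale")))
    print("\nRanked by return on the proposed control:")
    print(board_table(prioritise(SAMPLE_SCENARIOS, "rosi")))
```

With these sample figures the two rankings disagree: ransomware has the largest expected annual loss, but the cheap laptop-encryption control returns far more per dollar, and the SQL injection control only breaks even. Showing both views is what lets a board choose rather than simply react.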

One sticking point here is that many businesses simply don’t understand what’s at risk, because they don’t understand the value of their digital assets.

“Before you know it,” Jamie says, “the board is saying, ‘well, let’s do something’, because they know it’s their duty to do something, but they’re doing it without understanding the implications.”

Telstra’s ‘Five Knows of Cybersecurity’ provide a guide to the five things organisations must know to effectively manage their risk:

  1. Know the value of your data.
  2. Know who has access to your data.
  3. Know where your data is.
  4. Know who is protecting your data.
  5. Know how well your data is protected.

If you can answer these five questions for your leadership team, it will underscore just how crucial cybersecurity is to your organisation and highlight what needs protecting.

Give them solutions, not problems

Board members didn’t get where they are by wallowing in problems that can’t be solved. They expect solutions and they expect results, so when you talk to them about cyber risks, make sure you also talk to them about your plan to prevent, detect and mitigate those risks.

Of course, they don’t want or need to know every technical detail – “that’s information overload,” Jamie cautions. But they do want and need to know their business is going to keep operating in the face of cybersecurity challenges.

Be upfront about the costs, and don’t shy away from the fact that cybersecurity is an ongoing investment. While it’s obvious to you that security solutions need to keep pace with changing digital infrastructures and systems, it might not be obvious to an exec who’s expecting a quick set-and-forget fix.

To give yourself a benchmark that you can share in relation to how your company performs against its competitors, align your solution with widely-used certifications and frameworks. Be precise about which standard a certification covers and what it actually attests to, so the board can compare like with like. Cryptoloc’s patented encryption technology, for instance, is ISO-certified.

Make your company’s adherence to best practices a selling point, so that cybersecurity spending stops being something that your leadership team is grudgingly forced to commit to and starts being seen as the worthwhile investment that it is.

In today’s business landscape, you’ll find that most boards are willing to be convinced of the importance of cybersecurity – but it’s up to you to sell them on the right solutions.

Brisbane cybersecurity company Cryptoloc nabs three awards at the Global InfoSec Awards

Cryptoloc has taken out three awards in the coveted Global InfoSec Awards held during RSA Conference 2021, awarded by Cyber Defense Magazine (CDM), the industry’s leading electronic information security magazine:

  • Editor’s Choice in Email Security and Management
  • Next-Gen in Encryption
  • Cutting Edge in Self-protecting Data Security

“Cryptoloc is immensely proud to be recognised for our work in relation to data security, managed file transfer and encryption,” said Jamie Wilson, founder and MD of Cryptoloc.

“Unfortunately the prevalence of cyber-attacks, like ransomware and malware is such that for business owners and individuals it’s no longer a matter of if they will be attacked, but when. Subsequently organisations and individuals need to investigate how they can ensure they don’t become a victim should an attack occur.”

Wilson says compromised emails represent the single biggest exposure for businesses and individuals alike, but this risk can be greatly mitigated through the implementation of a secure managed file transfer solution as an alternative to email.

“Solutions that specifically focus on data security like encryption will ensure that in the event of a cyber attack, the hackers can’t get access to the data,” he says.

“This eliminates any potential disruptions to business operations which themselves can cause prolonged downtime, damage to brand reputation and significant costs to the business in the form of lost sales and penalties.

“At Cryptoloc, we have focused on tri encryption, where each and every file is encrypted uniquely and should you have an attack your data is secure and able to recover without the stress of having cyber criminals within your system for months without you knowing.”

Gary S. Miliefsky, Publisher of Cyber Defense Magazine, said: “Cryptoloc embodies three major features we judges look for to become winners: understanding tomorrow’s threats, today; providing a cost-effective solution; and innovating in unexpected ways that can help stop the next breach.”


About Cryptoloc

Headquartered in Brisbane, Australia, with offices in Japan, US, South Africa and the UK, Cryptoloc ensures that businesses and their customers can interact securely, with each piece of data assigned its own separate audit trail, and every user and action verified and accounted for. Cryptoloc’s patented technology combines three different encryption algorithms into one unique multilayer process that can be deployed across a wide range of applications, including file storage, document management and counterfeit prevention and detection solutions. Recognised by Forbes as one of the 20 Best Cybersecurity companies to watch in 2020, Cryptoloc’s ISO-certified technologies can be deployed to develop and build virtually any product where data security and integrity is critical. Safeguard your reputation and futureproof your business with the world’s safest digital platform.

About CDM InfoSec Awards

This is Cyber Defense Magazine’s ninth year of honoring global InfoSec innovators. Our submission requirements are for any startup, early stage, later stage or public companies in the INFORMATION SECURITY (INFOSEC) space who believe they have a unique and compelling value proposition for their product or service. Learn more at www.cyberdefenseawards.com

About the Judging

The judges are CISSP, FMDHS, CEH, certified security professionals who voted based on their independent review of the company submitted materials on the website of each submission including but not limited to data sheets, white papers, product literature and other market variables. CDM has a flexible philosophy to find more innovative players with new and unique technologies, than the one with the most customers or money in the bank. CDM is always asking “What’s Next?” so we are looking for Next Generation InfoSec Solutions.

About Cyber Defense Magazine

With over 5 Million monthly readers and growing, and thousands of pages of searchable online infosec content, Cyber Defense Magazine is the premier source of IT Security information for B2B and B2G with our sister magazine Cyber Security Magazine for B2C. We are managed and published by and for ethical, honest, passionate information security professionals. Our mission is to share cutting-edge knowledge, real-world stories and awards on the best ideas, products and services in the information technology industry. We deliver electronic magazines every month online for free, and special editions exclusively for the RSA Conferences. CDM is a proud member of the Cyber Defense Media Group. Learn more about us at Cyber Defense Magazine

The Rise of Ransomware: Understanding the Surge in Cyber Extortion

Ransomware is on the rise, and it’s not slowing down. Cryptoloc founder and chairman Jamie Wilson explains the perfect storm of conditions that have combined to allow ransomware to run rampant – and how organisations can protect themselves.

For most of the world, the past 12 months have been defined by COVID-19. But for cybersecurity professionals, it’s the rise of ransomware that has set off alarm bells. Of course, the two are closely linked.

Now, there’s nothing particularly new or novel about the concept of ransomware – the practice of locking a victim out of their own files and demanding a ransom for their decryption dates back to at least the mid-2000s. What is deeply concerning, however, is how frequent and impactful these cyberattacks have become.

Ransomware on the rise

Ransomware attacks dealt unprecedented damage to organisations in 2020. The FBI reported a 400 per cent increase in cyberattacks after the onset of COVID-19, while a report into the economic impact of cybercrime by McAfee and the Centre for Strategic and International Studies (CSIS) found that company losses due to cyberattacks had reached almost $1 trillion worldwide by late 2020.

Whereas a typical ransomware attack against an individual may once have netted the attacker a few hundred dollars, increasingly savvy cybercriminals now target organisations, extracting hundreds of thousands of dollars from each ‘successful’ attack and helping to drive small and medium-sized enterprises out of business.

One attack in 2020 against German IT company Software AG came with a staggering $20 million ransom demand. Another German attack took a terrible toll in September, when a woman in need of urgent medical care died after being re-routed to a hospital further away while Duesseldorf University Hospital dealt with a ransomware attack.

A report by defence think tank the Royal United Services Institute (RUSI) and cybersecurity company BAE Systems found that the number of groups launching ransomware attacks grew month on month throughout 2020, and that most of these groups are now utilising a tactic known as ‘double extortion’ – not only do they force organisations to pay a ransom to operate their systems and unlock their encrypted files, but they also threaten to leak the data, intellectual property and other sensitive information in those files if the ransom isn’t paid.

Cybercriminal group Maze is thought to have been the first to employ the double extortion tactic in late 2019, and it’s since been used in attacks against major companies like Travelex, CWT and Garmin.

Consider the impact an attack like this could have on, for instance, a travel agency – not only could they be locked out of their own booking system, but they could face further consequences if the client details they have on file, including passports and driver’s licenses, are leaked.

Further complicating matters is the uncertainty about how long a cybercriminal might have been in your system. It’s one thing to back up your files every seven days, for instance, but if the attacker has had access for months, every backup in that window was taken after they got in and may already carry their tooling, tampered data or encrypted files. Without an older, clean copy that the attacker could neither delete nor encrypt, recovery is close to impossible.
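The dwell-time problem in the paragraph above can be checked against a retention policy rather than guessed at. The following is an added example, not code from the article or from Cryptoloc. It models two retention schemes, a rolling seven-day window and a grandfather-father-son scheme that also keeps weekly and monthly copies, and for a constructed incident (attacker in since 2020-12-10, noticed on 2021-03-15) lists which retained backups predate the compromise and so are safe to restore. The policies, dates and the 30-day month approximation are assumptions for illustration.

```python
from datetime import date, timedelta

# Retention policies: how many daily, weekly (Sunday) and monthly (1st of month)
# backups are kept. Illustrative values, not a recommendation from the article.
ROLLING_7_DAY = {"daily": 7, "weekly": 0, "monthly": 0}
GFS_7_4_12 = {"daily": 7, "weekly": 4, "monthly": 12}


def is_retained(backup_day, today, policy):
    """True if a backup taken on backup_day is still kept on 'today' under policy."""
    age = (today - backup_day).days
    if age < 0:
        return False
    if age < policy["daily"]:
        return True
    if backup_day.weekday() == 6 and age < policy["weekly"] * 7:   # Sunday copies
        return True
    if backup_day.day == 1 and age < policy["monthly"] * 30:       # 1st-of-month copies
        return True
    return False


def retained_backups(policy, today, history_days=400):
    """All daily backups from the last history_days that the policy still keeps."""
    candidates = (today - timedelta(days=i) for i in range(history_days))
    return [d for d in candidates if is_retained(d, today, policy)]


def clean_restore_points(policy, detection_day, compromise_day):
    """Retained backups taken strictly before the attacker's first access.
    Anything taken after that date may already contain the attacker's tooling,
    altered data or encrypted files, so it is not a safe restore point. This also
    assumes the copies are immutable or offline; a backup the attacker can reach
    and delete is not a restore point at all."""
    return sorted(b for b in retained_backups(policy, detection_day) if b < compromise_day)


def assess(policy, detection_iso, compromise_iso):
    """Summarise recoverability for a given dwell time (compromise -> detection)."""
    detection = date.fromisoformat(detection_iso)
    compromise = date.fromisoformat(compromise_iso)
    clean = clean_restore_points(policy, detection, compromise)
    return {
        "dwell_days": (detection - compromise).days,
        "clean_points": len(clean),
        "latest_clean": clean[-1].isoformat() if clean else None,
        # Days of data lost if you restore the newest clean copy.
        "data_loss_days": (detection - clean[-1]).days if clean else None,
    }


if __name__ == "__main__":
    # Constructed incident: attacker in since 2020-12-10, noticed on 2021-03-15.
    for name, policy in (("rolling 7-day", ROLLING_7_DAY), ("GFS 7/4/12", GFS_7_4_12)):
        print(name, assess(policy, "2021-03-15", "2020-12-10"))
```

With a 95-day dwell time the rolling window has no clean copy at all, while the GFS scheme still holds nine monthly copies from before the intrusion; the newest of them costs 104 days of data but makes recovery possible. The number to put in front of the board is therefore not “we back up weekly” but “how far back can we restore from a copy the attacker could not touch”.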

The perfect storm

There are any number of factors that have led to the surge in ransomware over the past 12 months, from the increasing ease of its use to the changes in the workplace caused by COVID-19 and the frequency of ransom payments.

The aforementioned report by RUSI and BAE Systems points to how easy it has become for cybercriminals to acquire and utilise ransomware, exemplified by the rise of ransomware-as-a-service. Even low-skilled cybercriminals can now pay a fee to nefarious operations like REvil for pre-packaged ransomware that they can use. Shady operators can even employ the services of ‘initial access brokers’, who sell access to pre-compromised corporate networks.

It’s long been known that ransomware attacks exploit human weaknesses as well as technical vulnerabilities, and the boom in remote working caused by COVID-19 has presented cybercriminals with plenty of both. The FBI attributed the sharp spike in cyber crime in 2020 to ill-secured virtual work environments and a reliance on email and makeshift IT infrastructures.

It’s a free-for-all that led to a dramatic increase in risk, as businesses caught flat-footed by the pandemic lost track of which devices were being used by their employees, and had no control over the security of their Wi-Fi connections. With employees operating across different networks in multiple locations, using the same devices for work and personal purposes without the benefit of their organisation’s security perimeter, the attack surface for cybercriminals grew exponentially.

Once an attacker compromises an employee at home, it’s just a matter of waiting for them to connect to the corporate network. From there, particularly where the VPN gives the device flat access to internal systems rather than only the applications it needs, they may as well be plugged into a computer inside the office.

Often, organisations will feel they have no choice but to pay the ransom – and the more organisations that give in, the more that ransomware is normalised and incentivised. And while taking out a cyber insurance policy might seem like the responsible thing to do, it further encourages payment, turning ransomware into just another standard operating cost.

It should be noted, too, that the rise of ransomware is inextricably linked to the rise of cryptocurrencies like Bitcoin. Payments are pseudonymous, cannot be reversed and are hard to block, which is why cybercriminals favour them, even though every transaction is recorded on a public ledger and can be traced by investigators with enough effort.

I’ve seen organisations faced with the difficult choice of whether or not to pay the ransom firsthand. While there is momentum behind a push to make ransom payment illegal, it’s entirely understandable that victims would feel they have no choice but to pay up – especially when sensitive personal data or medical records are at stake, or, as in the case of Duesseldorf University Hospital, a life hangs in the balance.

Consider, too, initiatives like the General Data Protection Regulation (GDPR), which places the possessors of personally identifiable information at greater risk of substantial fines if that data is leaked, and it’s clear that ransomware is a legal and ethical minefield that can only be successfully navigated by steering well clear of it in the first place.

An end to ransomware

With ransomware posing an increasingly serious threat to all organisations, it’s essential to take precautions – but not everybody is getting the message.

McAfee and CSIS surveyed nearly 1,000 organisations late last year and found that only 44 per cent had cyber preparedness and incident response plans in place. Worse yet, just 32 per cent of respondents believed their plan was actually effective.

The obvious first step, especially in light of the remote working boom, is to ensure timely patching of all your organisation’s software and devices. While this won’t guarantee protection against attack, it will minimise your exposure.

Education is a key component of this. Organisations need to ensure that all of their employees are aware of the importance of timely patching, and regularly briefed on the latest techniques being utilised by cybercriminals. It’s every organisation’s responsibility to engage their employees with that training – it may seem time-consuming, but it’s vastly preferable to the alternative.

Above all else, though, is data. Organisations need to control who has access to their data, and know exactly what they do with it. My company, Cryptoloc, is dedicated to protecting that data – which is why we’ve developed the world’s safest cybersecurity platform.

Our patented technology – developed in collaboration with an elite team of cryptographers, mathematicians, data scientists and software developers – combines three different encryption algorithms into one unique multilayer process. It can be deployed across a wide range of applications, including file storage, document management and delivery, and counterfeit prevention and detection solutions. Our clients can send fully encrypted documents straight from Microsoft Outlook, and develop and build their own products on our secure digital platform.

Our ISO-certified technologies ensure that organisations and their employees, contractors, clients and customers can interact securely, with each piece of data assigned its own separate audit trail, and every user and action verified and accounted for.

Better yet, our ‘Zero Knowledge’ protocols mean we know nothing about the data our clients store with us. Our escrow encryption key recovery process ensures their data is theirs and theirs alone, and can only be accessed by the people they choose.

No other platform has ever been able to guarantee the same protection as Cryptoloc – and in today’s landscape, that’s the level of protection required to prevent attackers from exploiting vulnerabilities and installing ransomware.

Ransomware will only stop when ransomware is no longer profitable, and that will only happen when organisations stop falling victim to ransomware attacks. They have to have absolute certainty that they control their data – and in doing so, they can control their future.

This article first appeared in Cyber Defense Magazine