This article is part of Panther’s new Future of Cyber Attacks Series which features interviews with cyber security experts, thought leaders, and practitioners with a goal of better understanding what organizations can do to prepare themselves for the future of cyber attacks.
The following is an interview we recently had with Bill Lawrence, Chief Information Security Officer, SecurityGate.io.
Cyber attacks have increased in severity, frequency, and consequence over the past 12 months. We’ve seen hackers attack the networks and control systems that operate in the water and wastewater systems sector in attempts to tamper with the safety of the water supply. We’ve also seen how ransomware attacks that cripple the IT side of a business can lead to decisions to order shutdowns of their operations, which is what happened with Colonial Pipeline and JBS Foods.
Those two companies (and many others) either chose to or were extorted to pay the ransom to unlock their systems and restore operations, in the multi-million-dollar range. While the FBI was able to get some of the money back in Colonial’s case, this is a rarity rather than a rule. Also, an organization that has a solid operational technology (OT) security program can still be totally affected by ransomware locking up the business side. Doing a continuous series of risk assessments that covers IT, OT, and how they interrelate to each other can help drive down risk and increase security.
So far, cyber attacks continue to skirt the line demarking actual destruction of critical infrastructure, at least beneath a level that would equate to an act of war. But the continued convergence of IT/OT technology and practices will increase the potential of unintended consequences here, even if the cyber criminals intended to hit IT only. Their tactics for ransom demands are growing; JBS reportedly got hit by a “triple extortion” threat: 1) pay money for a decryption key, 2) pay money so the exfiltrated data isn’t leaked, and/or 3) pay money or customers and partners get attacked too.
Training – taking time and effort throughout an organization to help staff recognize the signs of phishing or other cyber criminal behavior will pay off. Humans are very often the weakest link so neglecting cyber training here is like neglecting safety training in high school shop class.
Ransomware protection – there are many good technical providers that offer those services, so find out what you have or do not have, and make sure you are protected from this primary threat to your business. And maintain backups for your “crown jewels” in terms of IP and things that make the company run – then break them out, often, to see that you can rebuild and restore from those backups. Else they are useless.
Insurance – do you have a cyber insurance policy? Do you know the definitions the provider uses for data breach versus cyber extortion? What needs to be reported, collected, or executed with the provider to ensure your company qualifies? And, although it hasn’t happened in the US – yet – read up on what happened with AXA policy holders that were ransomware victims in 2021.