A year ago many US experts were fixated on the threat that foreign actors might try to hack the US presidential election. No one foresaw a pandemic coming that would force businesses to shift overnight to a very different way of working, and unleash a tsunami of ransomware and other attacks against corporations, tech services, hospitals, and schools.
While the US election mechanics were carried out smoothly, within just a few weeks it was disclosed that hackers, believed to be working for Russia’s intelligence service, had compromised computer systems at the US Treasury, the Department of Homeland Security, and many other American agencies and corporations.
Impossible to predict? Not exactly. The seeds of 2020's cyber trends were plain to see. Ransomware surged and became the weapon of choice because of the potential financial gain and because the tools and techniques needed to deploy it have become readily accessible. In parallel, increased digitization, interconnectivity, and large-scale, tightly integrated supply chains have significantly widened the attack surface of corporations, tech services, and government. The attack on US agencies is believed to have been carried out through an intrusion into a little-known supplier of network monitoring software.
Looking ahead, our analysis of trends and vulnerabilities leads us to predict five big areas of cyber activity in 2021.
The Massive Inside Job
Insiders pull off some of the most damaging cyberattacks because they often have legitimate access to particularly sensitive data, such as material business information, and their malicious activity is much harder to distinguish from normal work than that of an intruder. Notably, insider events accounted for 40 percent of the 5 billion records stolen or compromised in 2018. The Panama Papers scandal stemmed from an insider at a Panamanian law firm who leaked to journalists a decade's worth of documents, providing evidence of systematic tax evasion.
The pandemic has all the ingredients for such a situation. At extremely short notice, massive numbers of employees switched to remote working. This changed ways of communicating and connecting and, critically, the way data was accessed and shared. It challenged typical controls, such as spotting someone photographing a screen with a phone, and stressed legacy monitoring capabilities that were built around office-hours norms. For example, remote access late in the evening, which previously would have triggered an alert, suddenly became commonplace under lockdowns as parents caught up on work after dealing with the family. Other pandemic-induced stresses, ranging from furloughs, layoffs, and pay cuts to more general financial anxiety, could cause employee discontent, a potential motivation for an insider to exploit their role in the organization.
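The late-evening example above is a concrete detection failure mode: a fixed time-of-day rule that was tuned for office life floods with alerts once evening work becomes normal for many people. The following script is an added illustration, not code from the original article or from any vendor product. It runs a static after-hours rule and a per-user rolling baseline over a constructed set of VPN login lines (user names, addresses and dates are made up) and shows how the baseline keeps firing for the one user whose own history says 03:12 is unusual while going quiet for users whose evening logins have become routine.

```python
"""Static after-hours alerting versus a per-user rolling baseline.

Constructed VPN login lines (not real logs). Two users, alice and bob, shift
to evening work under lockdown; carol never logs in outside office hours
and then appears at 03:12 from an unfamiliar address.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=vpn_login src=(?P<src>\S+)$"
)

# Constructed sample log: one office-hours week, then the first lockdown week.
SAMPLE_LOG = """\
2020-03-02T08:40:00Z user=bob action=vpn_login src=198.51.100.11
2020-03-02T09:05:00Z user=alice action=vpn_login src=198.51.100.10
2020-03-02T09:12:00Z user=carol action=vpn_login src=198.51.100.12
2020-03-03T08:45:00Z user=bob action=vpn_login src=198.51.100.11
2020-03-03T09:01:00Z user=alice action=vpn_login src=198.51.100.10
2020-03-03T09:15:00Z user=carol action=vpn_login src=198.51.100.12
2020-03-04T08:38:00Z user=bob action=vpn_login src=198.51.100.11
2020-03-04T09:03:00Z user=alice action=vpn_login src=198.51.100.10
2020-03-04T09:10:00Z user=carol action=vpn_login src=198.51.100.12
2020-03-05T08:41:00Z user=bob action=vpn_login src=198.51.100.11
2020-03-05T09:07:00Z user=alice action=vpn_login src=198.51.100.10
2020-03-05T09:09:00Z user=carol action=vpn_login src=198.51.100.12
2020-03-06T08:44:00Z user=bob action=vpn_login src=198.51.100.11
2020-03-06T09:02:00Z user=alice action=vpn_login src=198.51.100.10
2020-03-06T09:11:00Z user=carol action=vpn_login src=198.51.100.12
2020-03-16T21:30:00Z user=alice action=vpn_login src=203.0.113.20
2020-03-16T22:05:00Z user=bob action=vpn_login src=203.0.113.21
2020-03-17T21:35:00Z user=alice action=vpn_login src=203.0.113.20
2020-03-17T22:10:00Z user=bob action=vpn_login src=203.0.113.21
2020-03-18T21:28:00Z user=alice action=vpn_login src=203.0.113.20
2020-03-18T22:00:00Z user=bob action=vpn_login src=203.0.113.21
2020-03-19T21:40:00Z user=alice action=vpn_login src=203.0.113.20
2020-03-19T22:08:00Z user=bob action=vpn_login src=203.0.113.21
2020-03-20T03:12:00Z user=carol action=vpn_login src=192.0.2.77
2020-03-20T21:33:00Z user=alice action=vpn_login src=203.0.113.20
2020-03-20T22:02:00Z user=bob action=vpn_login src=203.0.113.21
"""


def is_off_hours(ts: datetime) -> bool:
    """Outside 06:00-19:59 UTC. A real deployment would use the user's local zone."""
    return ts.hour >= 20 or ts.hour < 6


def parse(log: str):
    """Return (timestamp, user, src) tuples in time order; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["src"]))
    return sorted(events)


def static_rule(events):
    """The pre-pandemic rule: every off-hours login is an alert, whoever it is."""
    return [(ts, user) for ts, user, _ in events if is_off_hours(ts)]


def baseline_rule(events, window=10, min_history=5, max_rate=0.2):
    """Alert on an off-hours login only if off-hours logins are rare in this
    user's last `window` logins (share below max_rate), or if the user has too
    little history to judge. Habitual evening workers stop triggering it;
    a user who has never logged in at night still does."""
    history = defaultdict(lambda: deque(maxlen=window))
    alerts = []
    for ts, user, _ in events:
        off = is_off_hours(ts)
        h = history[user]
        if off and (len(h) < min_history or sum(h) / len(h) < max_rate):
            alerts.append((ts, user))
        h.append(1 if off else 0)
    return alerts


def summarize(log: str):
    """Alert counts under both rules, for comparison."""
    events = parse(log)
    return {
        "static_alerts": len(static_rule(events)),
        "baseline_alerts": len(baseline_rule(events)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On this data the static rule raises 11 alerts, ten of them for two people who are simply working after bedtime, while the baseline rule raises five: the first two evenings for each of alice and bob, then carol's 03:12 login. The caveat cuts the other way too: a baseline adapts to whatever it sees, so an insider who ramps up slowly can train it, which is why time-of-day signals should be combined with data-volume and data-access signals rather than used alone.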
Companies aren't helpless in the face of this threat. They need, and many already have, a dedicated program that combines technology with organizational discipline to protect the crown jewels, heighten monitoring and management of high-risk individuals with privileged access, and regularly test controls and processes. Yet some insider attacks will still succeed. With this in mind, the potential for a massive insider event to be exposed in 2021 remains.
Supply Chain Breakage
Complex and expansive supply chains often have participants deeper and less visible than many appreciate. As the saying goes, a chain is only as strong as its weakest link. Increasingly that link is a third-party vendor, whose vulnerabilities may be identified only when it is too late.
Compounding the risk, more and more service providers are relying on the same families of underlying technology, such as software and cloud computing. While commonality can be good for interconnectivity and the sourcing of skills, the associated systemic risk should not be ignored or underrated. The latest shocking cyber event, described by the US government as "the hack of the decade," occurred after bad actors compromised a supplier of network monitoring software over several months, which enabled them to reach select government agencies and corporations among the firm's roughly 18,000 customers.
In an increasingly digitized economy, reliance on third parties will continue to grow. Bad actors understand the nature of these dependencies and will take advantage, likely going after the least prepared and most vulnerable links in whichever supply chains would be most lucrative to break.
Advanced Persistent Threat
Big companies may have strong defenses, but that doesn’t make them immune from attack. Whether motivated by political aims, social activism, or financial gain, certain well-organized groups will persist in repeatedly trying ever more devious and creative techniques to break into corporate databases.
Perpetrators of such advanced persistent threats favor social engineering because it is easier to hack a human than a hardened system. Such attacks range from leaving a malware-infected flash drive in a parking lot for an unsuspecting employee to pick up, to typosquatting, where a website is cloned and hosted at a domain name only one or two characters different from the official one, to befriending assistants to corporate executives or literally impersonating the cable technician to gain physical access to on-premises equipment.
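Typosquatting is detectable precisely because the lookalike must stay within a character or two of the real name. The following script is an added example, not code from the original article; the protected domains and candidate names are constructed. It folds common visual substitutions (rn for m, vv for w, 0 for o, 1 for l), computes an edit distance that also counts adjacent transpositions, and separately catches the brand name embedded in a longer label, the "example-login.com" pattern that a plain distance check misses.

```python
"""Lookalike (typosquat) domain check against a list of protected domains.

Added example with constructed data. Candidate domains could come from
inbound mail senders, proxy logs or a newly-registered-domain feed.
"""

# Constructed list of domains the organization owns and wants protected.
PROTECTED = ["example.com", "example-bank.com"]

# Visual confusables folded before comparison, so 'exarnple' and 'examp1e'
# compare equal to 'example'.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def fold(label: str) -> str:
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def registrable(domain: str) -> str:
    """Crude registrable part: the last two labels. Production code should use
    the public suffix list so that 'example.co.uk' is handled correctly."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def dl_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition,
    so 'exampel' is one edit from 'example', not two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate: str, protected=PROTECTED, max_distance: int = 2):
    """Return (verdict, closest protected domain, edit distance after folding)."""
    cand = registrable(candidate)
    if cand in protected:
        return ("legitimate", cand, 0)
    closest = min(protected, key=lambda p: dl_distance(fold(cand), fold(p)))
    dist = dl_distance(fold(cand), fold(closest))
    if dist <= max_distance:
        return ("lookalike", closest, dist)
    # Brand embedded in a longer label: 'example-login.com'. The length floor
    # keeps short brand names from matching ordinary words.
    cand_label = fold(cand.split(".")[0])
    for p in protected:
        brand = p.split(".")[0]
        if len(brand) >= 5 and brand in cand_label:
            return ("brand-embedded", p, dist)
    return ("unrelated", closest, dist)


if __name__ == "__main__":
    for name in ["mail.example.com", "examp1e.com", "exarnple.com", "exampel.com",
                 "example.co", "example-login.com", "unrelated.org"]:
        print(name, classify(name))
```

Two limits worth knowing before relying on this: internationalized domains (the xn-- punycode form) need decoding and a proper confusables table, since a Cyrillic "а" is byte-for-byte different from a Latin "a" and no ASCII folding will catch it; and a distance threshold of 2 against a short brand name will match many innocent domains, so the threshold should scale with the brand length.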
Hackers can even use a basic cyberattack as an opportunity to learn. In one recent case, a corporation suffered a breach and brought in outside legal counsel to help. The attackers then compromised the law firm's communications and files so they could learn how the corporation behaves during an incident. Corporations, especially household names and institutions where reputation matters and lives are at stake, need to be increasingly vigilant.
Micro Ransomware
Ransomware attacks, in which malware encrypts an organization's data and the attackers demand payment to restore it, have become the weapon of choice under COVID. Hijacking the digital systems that are critical to staying in business during the pandemic can generate multimillion-dollar payoffs.
These kinds of attacks are getting easier to mount because many techniques and attack tools are cheaply available online and require little technical expertise from the criminals who use them. Major corporations and large-scale organizations have the skilled resources to deal with such attacks, but many smaller organizations lack the capacity to defend themselves. Bad actors will therefore be motivated to go after this much more vulnerable population. While each ransom demand might be small, the attacks will be far more frequent, making micro ransomware as much of a bane of modern life as robocalls.
Mitigating this growing wave of cyber threats requires diligence and education. According to a recent report, 45 percent of employees do not know how to respond to a ransomware attack. This needs to change. Even rudimentary knowledge of the options available, such as whether a free decryptor exists for the strain involved and whether offline backups can be restored, leaves an organization better prepared. And knowing to turn to resources like nomoreransom.org can make a big difference when data or IT systems are being held hostage.
Personal Data Breaches
The pandemic has generated no shortage of misery and economic damage, but it has also fostered a proliferation of data capture. Whether people are entering an office building or restaurant or going for an appointment with a dentist or doctor, they increasingly need to have their personal identification card or driver's license scanned, and often their temperature and photograph taken, with little knowledge of how, or whether, the data is stored or secured.
Where people may have been exposed to coronavirus, even more data is collected for contact tracing. Increasingly, wearable tracking devices are being deployed in work, social, and sports settings, such as US college basketball games. These devices track precisely where a person has been, for how long, and where they were relative to others. While these innovations can help contain COVID-19, the haste with which this new technology is assembled and connected brings new risk. As Arthur Hicken, aka the Code Curmudgeon, reminds us through his IoT Hall of Shame blog, developers typically prioritize functionality and features before cyber safety.
These trends increase the risk of events like the 2018 breach of personal and health information of more than a million Singaporean hospital patients. Organizations using such technologies need to be exceptionally diligent in protecting this data, and they need to know what to do should personal information be exfiltrated or tampered with.