With millions of people working remotely in North America due to the pandemic, the number of vulnerabilities in IT systems has increased exponentially. As a result, cyber crime grew significantly during the pandemic. In a 2021 CEO survey by KPMG, CEOs rated cyber security risk as the top threat.
Ransomware has exploded into the consciousness of North American business, with high-profile cases like Colonial Pipeline, which created gas shortages in the Eastern US, but most ransomware attacks never become public knowledge.
The US Treasury has tied $5.2 billion in bitcoin transactions to US ransomware payments. Global estimates are $20 billion and are predicted to grow more than 20X over the next 10 years. The ransom paid, however, is only the tip of the iceberg in terms of cost to organizations. According to McAfee, cyber crime is a $1 trillion a year problem globally.
Cyber security is one of the fastest growing areas of IT, which in turn has resulted in more than three million unfilled cyber security positions globally.
“There are only two types of organizations, those that have been hacked, and those that don’t know they have been hacked.”
This used to be one of my favourite sayings of John Chambers, when he was CEO of Cisco.
(Photo: i3 columnist Jim Harris with Cisco CEO John Chambers at CES in 2014)
Most cyber attacks begin with phishing. What is phishing, you ask? You get an email from your bank telling you that your account has been hacked and urging you to immediately change your password, providing a convenient link to the login page. When you log in, you are not actually logging into the bank; you’re on the hacker’s site, which looks like the bank, and you’re handing them your account and login details.
Then there’s spear phishing. That’s where the hackers research you – and the email you received is far more customized and sophisticated. John Podesta, Hillary Clinton’s campaign chair in her 2016 presidential run, was the victim of spear phishing. All Clinton’s emails were leaked as a result – arguably costing her the election. Podesta even reached out to an IT staffer to ask if he should reset his password, and the staffer replied that it was legitimate.
Finally, there are whaling attacks. That’s where your CEO or another senior executive in your organization emails you and instructs you to urgently change your password or download a file and open it.
Ransomware, phishing, cyber crime . . . what can organizations do to reduce risk? Here are the top ten strategies:
Top Ten Risk Reduction Strategies
1. Training, training, training
2. Multi-Factor Authentication (MFA)
3. Password Management
4. Automatic Updating of Software
5. Antivirus & Antimalware software
6. Backups, both cloud-based and on-prem
7. Steps to Protect Against Identity Theft
8. Use of AI to detect irregular behaviour on the network
10. Ongoing training
The Human Factor: Training
While IT professionals will have a bias for technological approaches to mitigate cyber risk, there needs to be more focus on the people aspect. “A chain is only as strong as its weakest link.” So goes the expression. Every person in your organization must be trained in cyber security awareness. And the training needs to be ongoing.
A CEO told me how every single employee in his company had been trained to identify phishing threats. Two weeks after the education sessions, the training company ran a phishing exercise and 20% of employees keyed in their login and password. So training must be ongoing. Additionally, any third party, such as a supplier, who can log in and access your systems must also have ongoing training.
During the pandemic hospitals have been shut down by ransomware. Cyber crime has become deadly business. So now business will have to take it very seriously indeed.
Jim Harris is the author of Blindsided, which focuses on disruptive innovation. It is published in 80 countries worldwide and is a #1 international bestseller. You can follow him on Twitter @JimHarris or email him at firstname.lastname@example.org