Here we go again… but do we care?

By Dr. Guy Bunker @guybunker

There is yet another news story about hacking and financial theft, and this time an alleged $100m was stolen. However, do we actually care? Or is it just becoming so commonplace that, when asked, the response is, in the words of Rhett Butler in Gone with the Wind, “frankly my dear, I don’t give a damn”?

If we, as citizens, don’t take these crimes seriously, then the organizations that are responsible probably won’t either. The result will be a rapid decline into chaos in which the financial penalties ultimately come back on us as individuals, rather than, as at present, the financial institutions bearing the burden of the financial loss.

The new generation of cyber-attackers is becoming increasingly sophisticated in its attacks. It is not just about trying one attack vector and hoping for the best; they have multiple vectors and approaches, with the view that at least one of them will work. In this latest attack, multiple attack vectors were used to infect systems, which then downloaded multiple types of malware, from key loggers and RATs (Remote Access Trojans) to ransomware.

We live in an interconnected age where the network is always on and attacks can come from anywhere. There are benefits for the attacker whether you are at work or at home, meaning you need to be vigilant at all times. For the attacker, getting hold of critical information from a home user’s device or from a corporate one can lead to financial gain.

It is unfortunate, but there is no silver bullet, no single security solution that will fix all the problems. In fact, while the attacks become more refined, and the solutions become more sophisticated to deal with them, the person in the middle is increasingly becoming the weakest point. Organizations need to put out regular updates to their staff to keep them aware of what is going on and how they can spot an attack, or a potential attack. When (and it is ‘when’ not ‘if’) the attack occurs, the individual needs to know what they should do – particularly who they should contact. There also needs to be assurance that blame won’t be put upon them (don’t shoot the messenger); otherwise it will drive the problem underground and potentially make the situation worse. Information security needs to happen in an organization from the top down as well as from the bottom up.

So, what should be in the update relating to this particular attack?

Dear employees,

You may be aware of the recent stories in the press around a massive cyber-attack which has resulted in an estimated $100m of fraud being committed. The perpetrators of this attack sought information of both a personal and a financial nature. As an organization we take the threat to the critical information we hold very seriously, so we would ask you to be on the lookout for the following:

  • Email attachments from people you don’t know – don’t open them. They may contain malware / ransomware which could steal our information.
  • Links and URLs in emails or in social media messages which come from people you don’t know, or seem out of character for the vendor – these can also contain malware.
  • An application suddenly wanting to install itself on your device and you don’t remember explicitly requesting something to be installed.
  • If the anti-virus application reports an issue (such as the definitions being out of date) then get it fixed, rather than ignoring it.
  • If there are operating system (OS) or application patches being requested, then please install them.
  • If you are confronted with a ransom message demanding money – don’t pay it. (Whether you are at home or work... this will just open the door to more financial fraud.)

If you do come across anything that you think could be an attack, I would urge you to call our IT support on {insert name / extension number here} and report your concerns. The earlier we know about a potential problem, the sooner we can resolve it.

Thank you for your time and vigilance,
{insert the CEO’s name here}

This is obviously not an exhaustive list of things to watch out for. It is better to keep the message short and ensure that it is read than to make it so long that people give up before they start. Security stories are frequent, so there is always the opportunity to send out another email with some more pointers. Raising the awareness of security in the organization will have as much effect on improving the risk posture as putting in a security application. Knowledge is power.

There are many security adages, but for this attack the one that springs to mind (with a little paraphrasing) is: the cyber-attackers just have to be lucky once; we need to be lucky all the time. We cannot afford to become complacent over security attacks; it is in our interests both as individuals and as responsible corporate citizens to take action to improve the situation – today.