Now that digital currency like Bitcoin is widely available (Bitcoin is used to make electronic transactions which are difficult to trace), various complex and dangerous forms of cyber extortion are emerging. These include:
- Public release of sensitive data – threatening to release confidential information publicly;
- Malicious destruction of systems – changing/deleting information;
- Ransomware – holding encrypted data hostage until money is paid;
- Denial-of-service attacks – business systems are targeted and attacked.
Large enterprises may be able to withstand these types of attacks better than smaller organizations. However, smaller organizations, especially those with a lot of personal client information, are at greater and escalating risk of cyber extortion. This begs the question, why? The answer is simple. Most businesses are not as well prepared as they think they are, or as they should be. Therefore they are paying ransoms and encouraging greater creativity by the cyber extortionists.[1]
Before your organization becomes another cyber extortion victim, what can you do to reduce the risk and minimize damage when a serious incident occurs?
All types of businesses are now being targeted for digital extortion. Those at greatest risk are the smaller, less aware and less prepared businesses. Therefore these businesses need to take simple, straightforward steps to protect themselves. These include:
- Educating every employee, from the senior executives and business leaders on down, about cyber risk, how to protect electronic business assets, and how to keep the risk to a minimum;
- Reviewing overall business security policy to ensure proper policies and protective controls are in place;
- Regularly reviewing the security posture of the organization’s network via an independent and trusted third party. This excludes a review by the organization’s own IT advisors. It must be done in an unbiased fashion by IT security specialists.
Companies need to realize:
- They hold data that can easily be held by a hacker for financial gain;
- Businesses are not as well protected as they might think they are;
- Hackers are getting bolder, and would not think twice before changing or destroying data.
Most employees have heard of technical hacking terms like spear phishing, spam, malware, denial of service, zero day attack, and the like. But what do they really mean from a cyber risk perspective, and how much should organizations be concerned about them? These are important questions because everyone is very busy and our lives are cluttered with much noise.
However, according to Symantec’s 2015 Threat Report[i]:
Every day, personal banking details are phished by fake emails and websites. Computers infected with malware are used to send out spam or contribute to distributed denial-of-service (DDoS) attacks. Perhaps the most unlucky see all their files encrypted and their computer made unusable by ransomware.
If your organization has ever had a critical file compromised, encrypted, and held for ransom, then all of these terms are probably not noise but rather part of your normal language now. This is because all of these actions can cause serious and sometimes catastrophic consequences to any company. And the part about being delivered right to your door every day is absolutely true. The defenses that IT folks establish to protect their company do repel thousands of attempts daily. The problem is, only one needs to get through, and when that happens, the organization will quickly understand why terms like spear phishing and zero day attack need to be well understood and planned for by every business.
Knowledge is power. Ensure that every employee in the organization is cyber risk aware and understands the basic rules for navigating the public Internet safely.
Companies need to realize:
- Attempts to breach every organization are occurring constantly;
- It only takes one successful attempt to wreak havoc within a company;
- The solution for this problem is simple, cost-effective, and involves ensuring every employee receives effective cyber risk awareness training.
[i] Internet Security Threat Report, Symantec, April 2015.
This is one in a series of related short essays about the unrelenting cyber stresses every person and every organization now faces. The first essay, titled Cyber Risk, Security & Privacy (CRSP) – Waterloo Region’s Vibrant New Business Cluster, appeared in the December, 2014 issue of The Triangle.
Today’s modern living is now completely dependent on reliable, available, and secure global communications. One critical component supporting the security aspect of secure communications is encryption. Without effective mathematical algorithms that ensure the transmission of messages that can only be understood by the receiver, the world would be in deep trouble.
A Looming Problem
The global body of knowledge continues to grow at an astounding rate. One relatively recent development is the emergence of a new approach for computing and cryptography. This approach is far different than traditional digital computing which uses electronic transistors to store and retrieve zeroes and ones. It is called quantum computing and is leading to a looming problem that could hit us before the world is ready to handle it.
As Tim Moses, a security expert at Entrust Inc., explained in a 2009 report:
Recent years have seen significant advances in both quantum computing and quantum cryptography. Reports have hinted at radical implications for the practice of computing in general and information security in particular.
Certain well-known problems in the fields of modeling, optimization and cryptography have proven intractable using the classical model of computation. But, using a model of computation that exploits quantum mechanical phenomena, solutions to these problems become possible. If and when quantum computers of sufficient size become a reality, secure information systems based on [conventional] cryptography will require an overhaul.[i]
As quantum computing matures, traditional approaches for encrypting the world’s sensitive communications may be at risk. Where would we be if an organization or state developed the ability to render current secure communication methods obsolete and we didn’t have an available solution with which to replace them?
How the CRSP Sector in Waterloo Region is Helping to Address this Problem
The University of Waterloo’s Institute for Quantum Computing, led by Dr. Michele Mosca, is addressing this issue by performing quantum cryptography research and developing quantum computing tools.[ii] One of the Institute’s goals is to develop novel approaches and tools for securing communications before traditional solutions become obsolete. In other words, by being at the forefront of new technologies like quantum cryptography, we will be able to develop new means and algorithms, using quantum phenomena, to counter the looming obsolescence of traditional digital encryption algorithms.
For more information about this leading edge research, refer to endnote 3 below.