Peter Hacker about Cyber Extortion – An unparalleled threat potential

25. September 2018 – Peter Hacker

Business marketing is evolving and so are the risks to businesses. From big corporations to small business owners, most of today’s businesses harness the power of technology to increase sales, automate tasks, and integrate marketing data. However, along with the implementation of modern techniques, there’s a corresponding proliferation of hackers and cyber attackers. The annual cost to the global economy from Cyber Crime is already beyond 1 Trillion USD, growing exponentially annually. Organizations, enterprises and corporations seeking to thrive rather than merely survive recognize that it is crucial to evolve and respond proactively.

For many of us, it seems nearly every day a cybercrime makes front page news even one does not take into account attacks against individuals (high end wealth individuals, top executives and VIPs). Criminal cyber attacks is on the exponential rise across the world, and no business, family office, government office or non-profit organization should be considered safe from hackers. Perpetrators are relentless trying to breakthrough into a system, making several attempts, and only need to succeed just once to wreck havoc on the targeted. Amidst all these, is a notion that only corporations and governments are at risk from cyber attack. This results in lack of preparation that makes High profile Individuals and family offices an easier target when compared to other institutions or businesses.

Cyber attack trends should be considered critically important to Businesses and Individuals

While there are many areas to explore in terms of information security developments, I am convinced the following cyber attack trends should be considered critically important to Businesses and Individuals because of the threats they pose.

  • Ransomware: The most effective preventative measure to avoid Ransomware infections is to ensure all users are trained in a risk simulated environment in best practices on safe web browsing practices to avoid drive-by downloads and malicious advertising and content. Assuming prevention won’t solve the problem, the core focus should be on detection and response
  • Business Email Compromise: Users should be well trained and able to recognize phishing emails and to never click on links or download attachments in unsolicited emails.
  • Threats on Social Networking Sites: Social media platforms like Facebook, Twitter, and Instagram have been primary target of some hackers where they target high net worth individuals (HNIs) and their family members. Users are advised to be discreet about what they post, who (potential info stealers) they add as friends and try to keep their personal life out of social media.

One rampant form of malicious internet attack is Cyber Extortion. This is an attempt to damage, disrupt or gain unauthorized access on your system, with the main goal of extorting money from you or your business. A typical example is that of a high profile individual who downloaded an e-mail attachment that appeared to be from his secretary. The attachment contained Ransomware which, when downloaded, immediately encrypted files (crypto locker) on his personal computer. When he tried to access a file, a message appeared on the computer screen directing him to pay a ransom in Bitcoin in order to receive a decryption key. With the help of an IT expert and legal counsel, the threat was determined to be credible, and the ransom ($5,000) was paid. This investigation cost and ransom payment could be covered by so called Cyber Insurance. Many have been victims of this heinous act, and statistics foretell an increase in numbers in the coming years. However, there are ways to stop the attack and maintain the integrity of your business.

Know your data and risk environment

You will never know how much risk you are exposed to unless you fully understand the amount of personal information your business holds about customers or clients. More data equals more risk and certain types of data are more sensitive.

Create back-ups of everything: Should you or your business fall victim to cyber extortion, even if you lose all data saved locally on your computer, you might still have the means to recover the data and rebuild your digital infrastructure.

Stay up to date on your security software: There’s no better protection for data breach than preventing it from happening in the first place. Always update your security software, including malware and virus definitions, in a timely manner.

Consider DDoS upgrades – Distributed Denial of Service attacks are very common to degrade a business system. Add an extra level of protection for your systems to thwart DDoS attacks and impacts is an investment very well spent.

Know your country circumstances – Top Targeted DDoS Countries in the World are China, USA, Hong Kong, UK, Brazil, France, Germany, Japan, Canada and Saudi Arabia. Experience suggests that DDoS attacks durations should endure in 90% of the cases less than 3h.

Know your employees: It’s good practice to check the social background as much as feasible and previous work history of your employees to safeguard against cyber extortion and for other liability reasons. Many cyber attacks begin on the inside or through former insiders.

Cyber extortion is now a common occurrence around the world and will continue to occur exponentially as long as it works. I have seen it evolve at an exponentially accelerating pace at VIP, High Wealth Individuals, Family Offices, Large Corporate Entities and SMEs over the past two years, even ticking up in just the last three months again.

There is no ‘Golden Panacea’ but foreseeing such change is no longer something that can be left isolated to organizations, enterprises and corporations risks, audit, legal and IT-security teams or an Individual alone. Prevention won’t help in itself, but integrated response and control can make the difference between barely surviving and prospering. Cyber risk and crime might well be there to stay globally with a potential highly frequent and severe impact. There is no other comparable risk with such a dimension. Fact is cyber crime and cyber security risks cannot be prevented, but risk detection, mitigation, response and control can make the difference between barely surviving and prospering.

Focusing on threat intelligence, detection, response, control and education

If You – as individuals and businesses – want to stay abreast with all measures beyond prevention, focusing on threat intelligence, detection, response, control and education, safety is much broader ensured to a reasonable extent. To be proactively prepared, you must assess your readiness beyond physical IT security and feel first hand the consequences of decisions (as Individual or Board) and experience answers on fundamental cyber crime and cyber security questions such as:

  • Which attacks are most likely and what are the potential impacts?
  • What threat intelligence do we have at hand?
  • What are the different legal data privacy environments you are operating in globally, and what are the potential threats actor, incidents, breaches or scenarios?
  • Are there the appropriate capacities, capabilities and the right strategy to defend strategically and operationally against such attacks?
  • What are your fiduciary duties (if any) concerning cyber crime and cyber security exposure?
  • What are bespoke recovery solutions (IT Security and Insurance)?
  • What are potential pitfalls (incident circumstances, threat actors, sub-factors, regulatory)?

We have seen an exponentially increased number of prominent attacks across the world over the last 16 months that were made both against well-known and fast developing brands, industries, organizations and individuals. Contrary to the past, the implications were not just massive embarrassment, contractual, reputational and financial damages, but also CIOs, CFOs and even CEOs left as consequential loss of the cyber crime and/or cyber security breach. Even more, boards of corporations were battered by massive shareholder derivative lawsuits, sudden restructuring demands or emerging M&A bids.

To my mind, it is not just fundamental to understand and appreciate both risks and opportunities as Individual, and across the wider organization, but also stress-test in real terms and apply the actions on board and top executive risk committee level. Everyone – from VIP, High End Wealth Individual, Top Executive down to every employee – across an organization, enterprise and corporation should grasp the idea of such unprecedented risks and their consequences.

Peter Hacker

Global Expert on Cybercrime, Risk Management, Cybersecurity & Digital Revolution