As the world rushes to a more digital future, international experts highlight a likely consequence: that reality would become an expanding playground for cybercriminals.
Last year, many office workers wondered whether a return to a physical workspace would be possible in 2021. Now, with countries suffering a third or even fourth wave of COVID-19 infections and disrupted rollouts of vaccines, working from home is likely here to stay. “As the current pandemic has shown, with very few exceptions, numerous jobs can be efficiently done with no traditional physical workplace,” Michael O’Malley, vice president of strategy at the security solutions and application provider Radware, told TechRepublic, a specialized portal.
The risk is that cyber threats are outpacing security updates for most online communication and work tools. Cybercriminals have also become bolder as opportunities to attack increase. They “want to monetize every attack,” wrote Alexander Ivanyuk, senior director of product and technology positioning at the cybersecurity company Acronis, in the “Cyberthreats Report 2020.”
Those threats affect all internet users from individuals to multibillion-dollar multinational corporations. “During the pandemic, we witnessed an increase in phishing attacks, especially against the collaboration tools and file-sharing services that gained popularity as employees worked from home,” Ivanyuk wrote.
State of risk
The need to protect information stored on digital devices or the web is not new. Many companies, websites and online service providers now require more complex passwords that include capital letters, numbers and special characters, such as $, # or %. The aim is to make them harder for cybercriminals to crack.
Meanwhile, instant notifications when using an online service from different devices ensure that owners know when their accounts are being accessed without their permission. For example, many Egyptian banks send text messages whenever there is a transaction, allowing account holders to react quickly in the event of breaches.
Yet the cybercrime threat is growing. The Acronis report estimated that in 2019, 31% of companies worldwide were breached at least once a day. “Microsoft patched close to 1,000 flaws in its products in just nine months,” it said, adding that the average lifespan of a computer virus is 3.4 days before it mutates.
The diverse scope and global nature of cyberattacks mean they affect companies differently based on their sector, location and timing. “It’s difficult to get a proper grip on cybersecurity by the numbers, especially when every other day brings news of a new breach,” wrote Chris Brook, an editor at Data Insider, a specialized platform for tech experts, in a December 2020 blog on Digital Guardian. Each attack “sees millions upon millions of records exposed.” He estimated the cost of each data breach at between $1.25 million and $8.19 million.
“The average cost of a data breach [which includes emergency data patches, delayed work, and new security protocols is] up 1.5% from the year prior and factors into a 12% increase over the past five years,” cited the annual “Cost of a Data Breach” report by IBM and Ponemon Institute. With protection software, the average cost of a breach is cut in half, while hiring an incident team can drop that figure to $720,000.
According to the IBM-Ponemon report, the Middle East has the second-highest average cost per breach at $5.97 million, after the United States at $8.19 million. The region had the highest number of vulnerable records per attack at about 38,800.
Corporations under fire
The number and severity of cyberthreats increased noticeably last year as more companies shifted operations and business models online amid pandemic lockdowns. “Business meetings migrated to telecommunication apps like Zoom, Webex and Microsoft Teams, which became the new standard,” wrote Ivanyuk. “Office workers were sent home, often in a rush and without proper support, resorting to their own equipment to perform their work.”
Remote work was a boon for cybercriminals, noted the Acronis report. “Security threats are rampant,” said Ivanyuk. “Not only do home machines often lack effective cyber protection, but many users also don’t regularly apply the latest security patches … leaving their machines vulnerable.”
The media group Vice.com reported in April 2020 that hackers were selling IDs of private Zoom meetings for $500,000 apiece. Cybercriminals also used those IDs to “disrupt the participants by playing videos or loud music,” noted the report.
Ransomware, in which programs attack company servers, encrypt data and demand money to decrypt it, has also been on the rise since last year. “Stories of organizations crippled by ransomware regularly dominate the IT news headlines,” noted U.S. cybersecurity firm Sophos’ report “The State of Ransomware 2020.” “Six- and seven-figure ransom demands are commonplace.”
Those attacks are common and usually succeed at encrypting valuable data. “In the last nine months [of 2020], we saw about 50 new ransomware families emerge,” said Ivanyuk. “The trend with new groups … is to go after profitable corporations. More and more of these groups are active in the ransomware-as-a-service field.”
The Sophos report estimates more than half the companies in the world were attacked by ransomware in 2019. “The criminals succeeded in encrypting data in 73% of these attacks,” it noted. Nearly 60% of companies store their data in the cloud (Google Drive, Azure and Alibaba, for example). The rest relied on private servers or the cloud, or a combination of the two. “A clear takeaway: No data is safe, and you should ensure data stored in the cloud is as well-protected and backed-up as data stored on-premises,” said the Sophos report.
It appears, however, that attackers are less successful at securing ransom payments than at encrypting their targets’ data. Only 26% of ransomware victims paid to retrieve the data, while 1% paid but failed to retrieve it. On the other hand, 56% of those infected used backups to recover ransomware-encrypted data. Nearly all the rest got it back by tracking down the hackers. Sophos noted, “94% of organizations whose data was encrypted got it back,” while the remaining 6% didn’t pay and lost the data.
In response, cybercriminals are becoming more aggressive. “Modern ransomware families not only demand a ransom for deciphering the data, but also for not disclosing stolen confidential data to the public,” noted Ivanyuk. To ensure exposure of that leaked data, ransomware developers create their own platforms. “About 20 different ransomware groups have created dedicated pages for data leaks hosted on the … underground network,” according to the Acronis document.
In addition to compromising organizations’ secrets, leaked information invariably will lead to “reputation loss, follow-up attacks and various fines,” explained Ivanyuk. “The leak of customer data might be punishable under privacy regulations … and paying the ransom could be an offense under [other] regulations.”
A further complication for companies that fall prey to ransomware is that the cost of recovering data doubles if they pay the ransom, compared to using backups or other means to retrieve the information, according to “The State of Ransomware 2020” report. The document contends the cost of restoring stolen data from backups or counter-hacking the cybercriminals is the same. But “the average cost to remediate a ransomware attack is $1.45 million” if the ransom is paid, versus $732,520 if it is not, the report said.
“More open and free” communication among cybercriminals gives them a significant advantage over security firms and financial institutions, said Krista Tedder, director of payments at the cybersecurity firm Javelin. Acronis’ “Cyberthreats Report 2020” also highlighted that cybercriminals are increasingly automating their attack process: “Big data analytic tools and machine learning allow them to find new victims and generate personalized spam messages.”
Meanwhile, companies fail to protect themselves: data backups take hours, and many organizations continue to rely on humans or dated technologies to detect threats and attacks, noted Ivanyuk.
Perhaps the simplest solution to averting a crisis is insuring sensitive data. “Cybersecurity insurance is now the norm, with 84% of organizations reporting they have it,” according to “The State of Ransomware 2020” report. However, only 64% of those with insurance have coverage for ransomware attacks, despite the significant threat they pose.
Companies will likely have to increase investments in security beyond the office to include the homes of employees working remotely. “Cybercriminals realize that [hacking] employees is the gateway to companies’ data,” wrote Ivanyuk.
In addition, organizations must extend protection to their outsourced functions, including suppliers, managed service providers (MSPs), and the cloud. By attacking the cloud or a single service provider, the cybercriminal can affect hundreds, if not thousands, of clients.
Javelin published a report in October titled “The Escalation of Digital Fraud,” stressing that companies must protect themselves through consistent, ongoing investment in cybersecurity rather than focusing on milestone investments every few years. The longer a company relies on the same technology, the report noted, the more likely it is that criminals find ways around it.
Government plans to safeguard the country from cyber threats amid fast-paced digital transformation.
By Tamer Hafez
Egypt’s quick march toward digital transformation required a national strategy to protect businesses, the public and the government. According to information from the Cabinet’s Information and Decision Support Center, cybercrime in Egypt increased 190% from 2012 to 2017. The IDSC didn’t publish a dollar value for those losses, as most of those crimes targeted news websites, altering their content.
The proliferation of digitalization and cybercrime will provide the backdrop for the International Conference on Cybersecurity Studies scheduled for Dec. 13-14 in Cairo. The conference will bring leading scientists, researchers and scholars together to exchange and share experiences and research on all aspects of cybersecurity studies.
Currently, Egypt is in the final year of the National Cybersecurity Strategy, which started in 2017. Under it, the government created the Egyptian Supreme Cybersecurity Council, chaired by the minister of information and communication technology, which reports directly to the Cabinet. Board members include representatives from the ministries of defense, foreign affairs, interior, and petroleum and mineral resources, as well as three independent experts from the private sector.
One of its main tasks is to “develop a national strategy to face and respond to the cyberthreats and attacks and oversee its implementation and updating,” said the council’s blurb on its website.
Among the council’s first decisions was to introduce a cyber and information technology crimes law, ratified in 2018. The law imposes a jail sentence of up to five years with fines ranging from EGP 10,000 to EGP 20 million. It also puts all social media accounts with 5,000 or more followers under surveillance. The law stressed tracking websites publishing fake news and the proliferation of rumors, noted the blurb.
In 2020, the presidency ratified a data privacy law, which forbids the collection and use of personal data without owner consent. The new law expands on previous data privacy regulations in the Banking, Civil Status, Consumer Protection and Telecommunication Regulation laws. According to an analysis by Sharkawy & Sarhan Law firm, the law identifies two categories of data: personal data – such as names, voices and pictures – and sensitive data, which includes medical conditions, biometrics and financial information, religious affiliation and political opinions.
Similar to cybercrime laws, sanctions under the data privacy law include jail time and fines ranging from EGP 50,000 to EGP 5 million. “Settlement out of court will still require the accused to pay double or triple the minimum sanction stipulated under the law for the relevant violation,” noted Sharkawy & Sarhan.