On February 4, 2016, hackers pulled off an extraordinary feat, a watershed moment in the history of cybercrime. Cybercriminals launched a massive attack on the Bangladesh Central Bank.
They had aimed to steal approximately $1 billion from the bank’s coffers but got away with $101 million, which was quickly reduced to $81 million after $20 million was reversed. The hackers locked the bank’s system for a while, thus giving time for the loot to be wired from the Federal Reserve Bank of New York all the way to Rizal Commercial Banking Corporation in the Philippines.
We are all grateful for the universal access to information that the Internet has provided since the 1980s. The increasingly ubiquitous nature of the Internet, and all the emerging technologies associated with it, has in many ways been a blessing to mankind. However, alongside its benefits, there is the dark side to the Internet of Things. Shortly after the Internet was officially born in 1983, a good number of words had not yet seeped into the Internet space: words such as phishing, vishing, smishing, cybercrime and cybersecurity.
Now, hackers are all out to compromise the IT systems of small and large corporations alike. There are three different types of hackers: the white, grey and black hats.
The white hats are friendly and would, with the permission of the concerned parties, focus on spotting vulnerabilities in IT systems and proactively warn the parties in return for a reasonable reward. The grey hats, though not malicious, may from time to time hack into a system without permission. Cybercrime is committed by the black hats.
Their names often reveal the malevolent nature of their intentions. The big ones go by such names as Dark Overlord, DarkSide and Evil Corp. They have the passe-partout to cause IT-related havoc in corporations. The bottom line is this: there is no immunity against cybercrime. Your IT system is either secure or insecure. No shades of grey. And once secure, there is no guarantee that it will always be secure.
The black hats would break into systems with malicious intent, cripple systems and exploit vulnerabilities for improper gain. For them, money trumps all boundaries, be they moral or legal. They would swoop on a system, deploy a virus, typically malware, encrypt or lock the system and block bona fide users from accessing it.
The virus is called ransomware because hackers who thrive on the darknet would only grant access to users once a ransom is paid, which could stretch into millions of dollars in the case of large corporates. Corporations invest millions of dollars year after year in software for powerful firewalls to avert potential data breaches.
Notwithstanding that, manipulative hackers always seem to be a step ahead, creatively embracing new technologies and channelling their energy and resources into perfecting their ‘prestigious’ craft.
Normally a three-step process is followed. Step one: hackers would target a company, invade its system, and spot and exploit the vulnerabilities. Step two: they would compromise the system and render it ineffective; in some cases, they would embarrass the targeted company by indefinitely shutting down the operational technology network, and would even threaten to release sensitive information on customers or on weaknesses in operational processes, information that would harm the reputation of the company and, in the case of listed companies, probably compromise the share price and market capitalisation. Step three: cybercriminals would demand a hefty ransom.
Initially, given that paying the ransom would only embolden the hackers to carry out more attacks, the victim would resist paying it. However, the inability to operate would force the victim to budge and engage the hackers in some form of negotiation. Eventually, the victim would pay the ransom and the hackers would unlock the system.
How pervasive is hacking? It is bad enough to be labelled a global crisis. Some of the companies that have been hacked have not been too keen to announce it, for at least two reasons. Firstly, they should have known about the vulnerabilities of their systems and proactively strengthened them before they were hit by hackers.
Secondly, they would not want to expose the weaknesses in their processes for fear that this could soil their good name and compromise their profitability. In such cases, the ransom would be paid in silence after several heated management and board meetings. If you have never been attacked, do not be lulled into complacency. Even cloud-based environments are not immune. The COVID-19 global pandemic has exposed many companies. While remote working certainly has its advantages, it has unfortunately given hackers a platform for launching security breaches.
Curiosity about COVID-19 has also led to employees opening emails sent by hackers to compromise their systems. According to Forbes, “Cybersecurity experts predict that in 2021, there will be a cyberattack every 11 seconds, costing the global economy $6.1 trillion.” Remember, information of this nature might be an unimportant set of statistics until it hits home, when your company is held hostage.
Where data is encrypted, the decryption keys required for accessing information do not come cheap. Such keys are normally priced in bitcoins and, depending on the greed of the hacker and the market capitalisation of the company, they could cost anything from tens of thousands to millions of dollars. Last month, Colonial Pipeline, the operator of the largest fuel pipeline in the United States, was forced to fork out 75 bitcoins to DarkSide. The hackers smiled away with the equivalent of $4.4 million.
How can we protect ourselves from cyberattacks? The scale of cyberattacks and their increased complexity over time warrant the attention of management and the board. Gone are the days when a firewall would be installed and forgotten for the whole year.
More than ever before, IT staff and indeed all employees need to be careful. Vigilance is the only antidote to hacking. Systems have to be checked for vulnerabilities and bolstered hebdomadally or fortnightly. The management team and directors of the board have to ensure that sufficient funds are reserved for proactively ringfencing IT systems and raising the security profile of the IT infrastructure. Advice from IT personnel on investing in required platforms has to be taken seriously and implemented.
Disciplined adherence to vital IT protocols is also essential. Ransomware is normally deployed through phishing: scam emails sent to staff by hackers, often in the form of an invoice or a report. These are highly instrumental in blowing open IT fault lines. Employees have to be trained on how to identify phishing scams and advised to rein in their curiosity for the benefit of their companies.
Defaulters have to be held accountable. A deliberate culture of zero tolerance for phishing has to be instilled in management and cascaded to the lowest of staff. The security around cloud software and remote working has to be reinforced with a view to neutralising cyberattacks. Cybercrime has to be an important part of the risk register; fortnightly reports have to be shared with the executive team and quarterly updates made available to the board.
Shareholders have to take a keen interest in the resilience of the IT systems of the companies they have invested in. Without necessarily veering off into operational issues, they should from time to time seek assurance from management that the company is on top of its game in its war against hacking.
Remember, it would take only one strike to bring a company to its knees. Persistent vigilance cannot be reduced to frivolous corporate palaver; it is the only thing that can deliver the holy grail of cybersecurity.