We have a trio of reminders this week on the perilous state of corporate cybersecurity, with ransomware becoming an ever-more sophisticated threat and business ERP systems still persistently vulnerable to attack. Compliance professionals should take note, since effective strategies to combat ransomware depend on a strong compliance function.
First is the latest alert from the Cybersecurity and Infrastructure Security Agency, which acts as a clearinghouse of information about cybersecurity threats and how corporations should respond. CISA published an advisory this week reviewing how the ransomware threat grew in 2021, and the picture is ugly:
- U.S. law enforcement observed ransomware attacks in 14 of the 16 designated critical infrastructure sectors, including the defense industrial base, emergency services, food and agriculture, government, and IT sectors.
- Ransomware is now such a lucrative business model for criminal gangs that they’ve expanded to offer “ransomware-as-a-service” to other, less technically sophisticated criminals.
- Some attackers have begun developing code to attack industrial systems that control physical assets (turbines, manufacturing equipment, heating systems, and so forth), rather than sticking with business information systems.
- Criminals are stepping up their attacks against managed service providers (that is, the businesses that run your IT systems for you), as well as the software supply chain. They are also increasing their attacks that happen on holidays and weekends.
In other words, the ability to launch ransomware attacks is proliferating rapidly, and the attackers themselves are getting better at launching attacks against your most critical assets at the most inconvenient times, when you’re most likely just to surrender and pay the money.
Second, we have a report from CyberSaint, a cybersecurity risk management firm, that just published a meta-analysis of other recent studies on ransomware, including surveys of some 5,400+ IT executives around the world. Its “State of Ransomware” report found that nearly half of respondents in the education and retail sectors had suffered a ransomware event. Figure 1, below, shows a sector-by-sector breakdown.
CyberSaint also charted out which industries were more likely to pay the ransom demand; that’s in Figure 2, below. As you can see, the oil & energy sector and the local government sector were both most likely to pay the ransom, even though both sectors suffered fewer attacks than other sectors overall. Across all industries, average ransom rose from $12,762 in Q1 2019 to $220,298 by Q1 2021.
Food for thought as your senior leaders develop policies about when and whether to pay ransomware, as well as business continuity plans to keep you going when the attacks do happen.
Why Is Ransomware Happening?
That brings us to our third item of the week: a warning from cybersecurity firm Onapsis that it has found three vulnerabilities in Internet Communication Manager (ICM), a component used in multiple SAP business applications. SAP promptly issued security patches for all three — but if a company fails to implement those patches, attackers could then exploit those weaknesses to cause all manner of mischief, including:
- theft of sensitive data;
- financial fraud;
- disruption of mission-critical business processes;
- ransomware; and
- halt of all operations.
We should note that these vulnerabilities, and the cybersecurity threats that arise from them, are not new. Onapsis has been flagging them in SAP and Oracle for several years, and the Log4j vulnerability that caught so much attention this winter is another example that affects Java applications.
It is true that most ransomware attacks happen through phishing scams, where the attackers send bogus emails to your employees trying to dupe them into downloading malicious software. Still, unpatched ERP software systems are another critical cybersecurity issue, because criminals know these vulnerabilities exist and make a company easy pickings if the attackers can find an unpatched system. So companies need policies and procedures in place to assure that they are implementing their own security patches promptly; and to assure that their third parties are doing the same.
That’s why I keep saying compliance functions will play an increasingly important role in effective cybersecurity: because effective cybersecurity will be about managing the behavior of employees and third parties, more than about implementing technical controls.
For example, the specific act of implementing a patch is quick and simple; the trick is in knowing that the patch exists, knowing which corporate devices need the patch, and assuring that all your third parties have implemented the patch too. Plus, as I mentioned before, most ransomware arrives via a phishing attack, which doesn’t involve patching at all. It involves unwitting employees, which means you need strong policies and procedures for employee training, access control, and account provisioning.
And if companies don’t master those dimensions of modern cybersecurity, just re-read those first paragraphs about the spread of ransomware. That’s your fate if you can’t keep up with the threat.