The cybersecurity world faces new threats beyond targeted ransomware attacks, according to experts at the recent RSA cybersecurity industry conference in San Francisco.
Joe McMann, head of cybersecurity services at Binary Defense, a cybersecurity solutions provider, said the new battleground is data extortion and businesses need to shift gears to deal with the threat.
Traditionally, ransomware attackers encrypt or delete organizations’ proprietary data and demand a ransom before calling off the attack. McMann said hackers are now focusing on stealing customer or employee data and then threatening to release it publicly.
“By naming, by humiliating, by threatening reputational impact, they force the hand of their targets,” McMann said.
The International Data Corporation predicts companies will spend more than $219 billion on cybersecurity this year, and McMann said cybercriminals are constantly evolving their operations.
Hackers changed tactics after ransomware attacks brought an unwanted level of visibility from law enforcement and governments, and cybersecurity professionals became adept at recovering encrypted data. Instead of crippling hospitals and pipelines, he said criminals have shifted gears to collect data and threaten companies with customer dissatisfaction and public outcry.
At the end of March, OpenAI documented a data leak in an open-source data provider that made it possible to see personal AI chat histories, payment information and addresses. The team patched the leak within hours, but McMann said once the data is available hackers can use it.
Chris Pierson, founder and CEO of Black Cloak, an executive digital protection company, said companies understand the growing threat of data extortion after public breaches. In the past year alone, he said Twilio, LastPass, and Uber all have faced attacks that have seen hackers target employees outside of corporate security protection.
“For example, the LastPass breach saw one of four key people targeted on his personal computer, via a personal public IP address, enter through an unpatched solution,” he said.
The hackers stole credentials “outside the castle wall environment, on personal devices”, he said, using that data months later as a way to gain access to the environment of the company.
He said the advent of home offices has accelerated the targeting of employees. As every business moved into the digital world, employees naturally started working on personal devices.
Before the pandemic, Fortune 500 companies spent millions securing corporate devices and buildings, but employees aren’t as well protected at home. “As soon as a leader steps out of the building, uses their personal device, or their home network that they share with corporate devices, the attack surface changes,” Pierson said. Plus, digital fingerprints are easy to find online, he said. “40% of our corporate executives’ personal IP addresses are public on data broker websites.”
Pierson said it only takes one vulnerable device on a home network to open up the entire network.
Looking across the street at the RSA convention building filled with more than 45,000 industry attendees, Pierson said criminals always choose the path of least resistance.
“You don’t have to go through all the equipment that’s here at RSA to protect the real business; you go through the $5 cybersecurity home and get everything else,” Pierson said. “Cybercriminals target on a personal level because they know they can get the data, and there are no controls there,” he added.
Cybersecurity visibility is higher this year, with most people now seeing an increased number of phishing attempts and scam messages every day. And companies know that the new guidelines proposed by the SEC will add another layer of liability.
Once finalized, the rules would require state-owned companies to disclose data breaches to investors within four days and have at least one board member experienced in cybersecurity. Although a Wall Street Journal poll found that three-quarters of respondents had a chief cybersecurity officer, Pierson said companies were at RSA looking for guidance.
McMann said companies should focus on simple fixes first and not worry about AI chat breaches if they don’t use two-factor authentication on personal accounts. Criminals will try older methods like ransomware first before moving on to newer ones.
He said practicing cyberattacks has become as important as any other emergency drill. On a positive note, McMann said the success of cybersecurity professionals is why criminals are looking for new modes of attack.
“If your operations aren’t streamlined and efficient, if you don’t have the right people and processes in place, don’t worry about the rest,” he said. “There are a lot of fundamentals that are being ignored.”