As Cybercrime Evolves, Organizational Resilience Demands a Mindset Shift

Attackers have adapted, however, and we have seen an evolution in how they try to force their victims to negotiate: they now seek to destroy or corrupt backup data before the ransom demand is made.

Of the Australian organizations that experienced a cyberattack last year, 98% saw the malicious actors attempt to compromise their backup data. In 87% of cases, they were at least partially successful.

This tactic is designed to hamper recovery efforts, since up-to-date backup data enables a victim to rapidly restart operations from the latest ‘save point’ prior to the infection.

Backups are so fundamental to cyber resilience that they are the only one of the Australian Signals Directorate’s Essential Eight mitigation strategies that addresses recovery. The other seven are all important, but they relate to prevention before the fact rather than recovery after an attack.

At maturity level one, the Essential Eight guidance recommends:

·  performing regular backups of important data, software and configuration settings with a frequency and retention timeframe in accordance with business continuity requirements

·  retaining backups of important data, software and configuration settings in a secure and resilient manner

·  preventing unprivileged accounts from modifying and deleting backups.

Organizations subject to the Security of Critical Infrastructure Act that use the Essential Eight as the framework for their critical-infrastructure risk-management program must meet these minimum requirements. Realistically, they should exceed them and aim for maturity level three, under which backups cannot be accessed, modified or deleted even by privileged accounts, with the sole exception of dedicated backup-administrator accounts. In practice that means immutable backups.

These measures help to ensure that if a ransomware attack denies an organization access to its data, shutting down its operations, it can recover rapidly by restoring from backups.

With resilient copies of critical data, services can be restored within a matter of hours rather than organizations facing the prospect of days, weeks or even months offline.

As cyber resilience has improved, attackers have adopted further strategies: attacking the backups themselves, and exfiltrating data.

Rather than encrypt data, malicious actors seek to steal high-value material like financial details, medical records, personally identifiable information and other sensitive information.

A ransom is then demanded under the threat of that data being published or sold to other attackers. This has played out recently in high-profile attacks against major organizations, including a law firm that reportedly had 4 terabytes of data stolen. Just under half of that data was reportedly published on the dark web in a bid to force the victim to negotiate.

These devastating attacks succeed for two reasons.

First, one of the greatest challenges organizations face today is data sprawl. Employees can work from anywhere, and more applications and digital platforms to help them do so are implemented every day.

As workers disperse and platforms proliferate, sensitive data is scattered and duplicated across an immense digital footprint. How can you protect sensitive data if you don’t know what or where it is?

Second, too much faith has been placed in organizations’ ability to keep attackers out. A ‘digital fortress’ mentality has been pursued in an attempt to thwart 100% of cyberattacks, and the convincing marketing of cybersecurity vendors has lulled many into a false sense of security.

That 100% safety target cannot be achieved.

If organizations shift their focus, and their investment, away from trying to stop every attack and towards cyber resilience that limits the impact of an inevitable breach, intrusions will continue, but their consequences can be far less severe than has been witnessed in recent years.

The most sensitive data is typically highly formatted. Passport numbers, driver’s license numbers, credit card numbers and the like all follow conventions: fixed lengths, restricted character sets and, often, a check digit (credit card numbers, for example, carry a Luhn check digit). Those conventions let scanning tools, including AI and machine-learning models trained on them, scour an organization’s digital footprint and locate all sensitive data so that appropriate protection and access controls are in place before a breach occurs. The practical caveat is that format matching alone produces false positives; validating the check digit, where one exists, is what separates a real identifier from an order number of the same length.

With such a strategy in place, if exfiltration does occur, what is taken can be limited to the kind of information you might find in a public phone directory such as the Yellow Pages, rather than banking details, medical histories and personally identifiable information.
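The discovery approach described above, as an added example that is not code from the author, from Rubrik or from the ASD guidance: a small scanner that finds identifiers by their format and then applies the identifier’s own check digit, so that look-alike numbers are discarded rather than reported. It validates payment card numbers with the Luhn check and, as an addition beyond the identifiers the article names, Australian tax file numbers (TFNs) with the ATO’s weighted modulus-11 check. The regular expressions, the `Finding` record, the redaction format and the sample document are all constructed for this example.

```python
"""Format-aware discovery of sensitive data in text.

Added example for this article (not code from the author or Rubrik).
It shows the property the article relies on: sensitive identifiers follow
conventions tight enough that a scanner can separate real ones from
look-alike numbers. Two detectors are included: payment card numbers
checked with the Luhn algorithm, and Australian tax file numbers (TFNs)
checked with the weighted modulus-11 digit check (an addition here; the
article names cards, passports and driver's licenses). The sample
document below is constructed for the example.
"""
import re
from dataclasses import dataclass

# Candidate patterns: digit groups separated by optional spaces/hyphens,
# bounded by lookarounds so a longer digit run is never partially matched.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TFN_RE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)")

TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def tfn_ok(digits: str) -> bool:
    """Australian TFN check: weighted digit sum must be divisible by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(w * int(d) for w, d in zip(TFN_WEIGHTS, digits)) % 11 == 0


@dataclass(frozen=True)
class Finding:
    kind: str    # "card" or "tfn"
    value: str   # digits only, separators removed
    start: int   # offsets into the scanned text
    end: int


DETECTORS = (
    ("card", CARD_RE, lambda d: 13 <= len(d) <= 19 and luhn_ok(d)),
    ("tfn", TFN_RE, tfn_ok),
)


def scan(text: str) -> list[Finding]:
    """Return validated findings in document order. Regex hits that fail
    their checksum are dropped; that is what keeps order numbers and
    ticket numbers out of the results."""
    findings: list[Finding] = []
    for kind, pattern, valid in DETECTORS:
        for m in pattern.finditer(text):
            # skip spans already claimed by an earlier detector
            if any(f.start < m.end() and m.start() < f.end for f in findings):
                continue
            digits = re.sub(r"\D", "", m.group())
            if valid(digits):
                findings.append(Finding(kind, digits, m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> str:
    """Replace each finding with a masked token, keeping only the last
    four digits of a card so support staff can still identify it."""
    out = text
    for f in reversed(scan(text)):  # right to left keeps earlier offsets valid
        token = f"[CARD ****{f.value[-4:]}]" if f.kind == "card" else "[TFN REDACTED]"
        out = out[:f.start] + token + out[f.end:]
    return out


# Constructed sample: two real-format identifiers, two look-alikes that
# fail their checksums, and a public phone number that matches neither.
SAMPLE = (
    "Client ref 123456782 (TFN on file: 123 456 782).\n"
    "Card on file: 4111 1111 1111 1111, expires 09/27.\n"
    "Order 4111 1111 1111 1112 is not a card; ticket 987654321 is not a TFN.\n"
    "Switchboard 1300 123 456 is a public listing.\n"
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f.kind, f.value, f.start, f.end)
    print(redact(SAMPLE))
```

Run against the sample, the scanner reports the two TFN occurrences and the one valid card, while the order number (same length and prefix as the card, but failing Luhn), the ticket number (nine digits, failing the TFN check) and the phone number are left alone; the redacted output is the kind of material that can safely remain in a shared mailbox or ticketing system.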

As cyberattackers hone their tradecraft, Australian organizations need a shift in mindset. It is a matter of when, not if, a cyberattack will occur. Once that is accepted, the way sensitive data is protected changes drastically. With investment in cyber resilience, and armed with a well-defined and well-rehearsed recovery strategy, the impact of a ransom attack can be reduced from catastrophic to merely inconvenient.

Lisa Musladin is the public sector and strategic enterprise director for Australia and New Zealand at data security firm Rubrik. She was previously a director at the Australian Information Security Association. This article is published courtesy of the Australian Strategic Policy Institute (ASPI).