Kordia: Avoid that own goal

Cybercrime is a business. And just like companies working on the right side of the law, the most successful cybercrime syndicates are innovating their operational model to generate more revenue per data breach.

Regardless of the industry, company size or brand, the challenges of identifying and qualifying cyber security risks into neatly labelled small, significant or ‘company ending’ categories are becoming much more complicated, as the threats and the consequential impact landscape changes.

Financially motivated threat actors will pivot and leverage their access to your systems and data to extract as much revenue as they can. The word ‘revenue’ emphasises the point that this is big business. The cybercrime industry is predicted to swell to an estimated US$10.5 trillion annually by 2025, making it the third largest economic force in the world after the US and China.

Ransomware, a type of malware that locks your digital networks by encrypting data and systems, is a good example of the evolution of cybercriminal behaviour. In a typical ransomware attack, cybercriminals hold a business hostage, only sending a decryption key if the victim pays a ransom fee.

This style of extortion model works a treat against companies with no data backups and recovery capabilities. For many years, targeted businesses of all sizes succumbed to the demands of hackers because, in many cases, it was their only option to resume normal operations.

However, with payouts eroding as organisations took business continuity and disaster recovery more seriously, as well as regulators and shareholders discouraging payments from an ethical standpoint, ransomware became less profitable.

Cybercriminals now turn to additional income streams enabled by their core skill sets, while continuing to milk the diminishing cash flow from ‘pay up or lose your data’ extortion.

A quick review of some of the most significant cyber incidents of 2022 and 2023 shows cybercriminals are leaning into less typical forms of extortion. One of the most concerning methods is where the company’s own data and assets are being weaponised against them, or their customers, for financial gain.

The 2022 attack on Medibank in Australia is a great example. The cybercriminals threatened to release sensitive, personal medical records unless the company paid a reported ransom equivalent to US$10 million. This fundamentally changed the impact of the breach not only on Medibank, but on millions of everyday citizens whose own data was now being used as ammunition to extort the company.

In a more personal example in Finland, hackers directly blackmailed patients of psychotherapy provider Vastaamo, threatening to release sensitive personal and medical information unless the victims paid up.

Another tactic to turn up the temperature is using industry regulators to catch out victims who would rather deal with the cyber incident behind closed doors.

This was the recent case with US financial software giant MeridianLink. It was unique in that a cybercriminal gang claimed it reported MeridianLink to the Securities and Exchange Commission (SEC), alleging violations of new reporting requirements issued by the regulator.

The key outtake is the risk profile isn’t static when it comes to cyber security – it’s constantly evolving. Businesses need to ensure they are continually assessing and addressing those moving goalposts by improving preventative measures and refining their response preparedness.

Even if you have a robust plan, if you don’t continually evolve it against your risk profile, chances are it won’t be fit for purpose in 12 months.

More and more organisations are improving their cyber maturity and regularly reporting on cyber issues from an IT perspective. However, many are yet to make similar progress in adopting mechanisms for evaluating potential financial, reputational and regulatory impacts.

Far too often, we see major incidents reflecting failures to accurately gauge risk. The data breaches in Australia with Optus and Latitude Financial encapsulate this.

In both cases, a significant portion of compromised content relates to former customers. This old data, which was not generating revenue for these companies, had become a liability – and clearly no one had mitigated the risk of retaining this information, should it be accessed or otherwise compromised in a cyberattack.

These cases highlight the role of a CISO. Expanding the conversation to other departments and functions using a risk-based approach is a starting point. But understanding information security risks needs to be done from the top-down to ensure appropriate allocation of resources to mitigate cyber risks.

Boards and directors are central to evaluating the regulatory and reputational consequences of failing to protect both personal data and delivery of services in the face of expanded cybercrime threat vectors.

To support this, the C-suite has a powerful role to play in ensuring information security and business continuity policies and procedures continue to evolve and reflect changes in the threat landscape against the context of the strategic and operational flows across the business.

Getting proficiency and advice from the lens of an information security expert can be invaluable in understanding your current risk profile and the trends and threats driving cyber security incidents. An expert consultant can also coach an organisation to upskill their evaluation and management capabilities, improving the home team’s score, while preparing effective response plans.

One thing is clear. Given the agility of business-savvy cybercriminals, business leaders must act now – before the next major cyber incident knocks you out of the game.