It has been impossible to ignore the constant stream of news articles detailing the epidemic of malicious attempts at data disruption and theft. While the cybersecurity risks of ransomware, malicious data extraction, and business e-mail compromise have been top of mind for professionals in heavily regulated industries for some time now, data from 2020 and the first half of 2021 compels an alarming new conclusion: cybercriminals are no longer a problem just for banks, health care organizations and oil pipelines to worry about. Businesses from a wide range of previously untargeted industries are now squarely in the crosshairs of malicious threat actors.
As tracked and reported by Kroll, the year 2020 saw a 140% rise in reported cyberattacks due to a combination of remote work, the new generation of ransomware, and the sophistication of a modern supply chain attack. The increased cyber risks brought on by the pandemic likely came as no surprise to those in heavily regulated industries, such as financial services and healthcare, who have been focused on data protection and risk mitigation for years. However, 2020 and 2021 have shown that cybercriminals are eager to exploit new vulnerabilities in less-prepared industries. The reported increases are eye-popping: food and beverage (1300% increase in reported attacks), construction (800%), agriculture (600%), utilities (400%), recreation (200%) and entertainment (33%).
Industries that have historically been less affected are far less prepared to detect and handle the maturity and complexity of the modern cyberattack. No longer content to attack information technology systems in the traditional sense, cybercriminals are finding weaknesses in a business's operational technology systems, including by exploiting vulnerabilities further up the supply chain. Emerging extortion techniques are particularly effective against these industries. Threat actors exfiltrate sensitive data for a shakedown, and if the business won't pay, the threat actor directly contacts journalists, clients and vendors to apply pressure. Lacking sufficient insurance coverage or liquid resources, a business may not be able to withstand an extended mitigation and remediation process or the loss of its reputation in the market. Gambling on a ransom payment to a cybercriminal may be viewed as the only way to survive.
This puts the affected business between a rock and a hard place. Paying a ransom to a threat actor for the return of data or for a decryption key carries significant risks of its own. Beyond the fact that a business has no guarantee that a payment will produce the desired outcome, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) published an updated advisory in September 2021 warning that paying ransoms may violate OFAC regulations. OFAC has made clear that payments made to entities or individuals on OFAC's Specially Designated Nationals and Blocked Persons List will result in civil liability on a strict-liability basis. A business may not know, or may be intentionally misled about, who is behind the attack on its systems. In OFAC's view, it would not matter that a business had no idea it was paying money to a sanctioned or state-sponsored group; lack of knowledge is not a defense.
Despite all of the attention cyberattacks, ransomware and security incidents have received in recent times, it is now harder, not easier, for a business to manage these threats. The best defense, therefore, is preparation in advance of an incident. Engaging in tabletop cyberattack exercises, developing a robust incident response plan, strengthening vendor and customer management programs, and revisiting cyber-insurance coverage are now all but required to manage cyber risk in the modern day, no matter what industry a business trades in.