Key Point:  If you consider your cybersecurity defensive measures to be a one-time investment, that is what the criminals are banking on.

Most people enjoy improvements and innovations when it comes to consumer electronics, but the unfortunate truth is that cybercriminals are innovating and improving their techniques and tactics as well. These innovations include “getting a second bite from the ransomware apple” and using ransomware to cause “physical vulnerabilities at your business.” Hopefully the anecdotes below help to convince the decision-makers in your business to follow the Coast Guard’s motto Semper Paratus – Always Prepared.

The Ransomware Two-fer  

Ransomware originated as a means of denying access to your data, but hackers are now taking ransomware attacks to a new level. Lately, cybercriminals have not executed the ransomware attack immediately after they breach the network. Instead, the attackers wait until they have mapped the network and copied the valuable data for future use. At that point, the intruders initiate the encryption attack and demand payment to decrypt the files.

But once the ransom is paid, the cybercriminals add insult to injury by demanding a second payment in exchange for not publishing the same data your business just paid to recover. Sadly, this development reaffirms that any ransomware attack that penetrates your business network is an unauthorized access, and must be viewed not just a denial of access, but as a data breach that requires your business to act.

Katie Bar the Door – if the Malware Will Let You

Last month (December 16, 2019) the US Coast Guard published its third Maritime Safety Information Bulletin involving cyberattacks on the shipping industry. Ports and merchant ships have long been considered easy targets for ransomware gangs. In this recent case, the port facility was victimized by the “Ryuk” ransomware, which did more than simply encrypt data on the IT network. Alarmingly, the intruder was able to move laterally within the network and access the facility’s industrial control systems (ICS).

Through the ICS, the intruders were able to monitor and control cargo transfer processes and disrupt the facility’s camera and physical access control systems. Imagine the effects on your business if it could not lock or unlock its doors.  The maritime facility had to shut down its operations for over 30 hours to initiate repairs and recover its network.

The potential for cyberattacks to manifest themselves with physical consequences is not limited to maritime shipping. Since August 2018, the Ryuk ransomware has been used to extract money from a variety of lucrative targets in the public and private sectors. Recent victims include the city of New Orleans, health care providers in Texas, logistics companies in Europe along with other industry sectors.

Parting Thoughts

The National Conference of State Legislatures reports that as of 2019, twenty-five states had enacted laws applicable to the data security practices of private sector entities. The majority of these state laws require private sector entities possessing state residents’ personal information to develop and maintain “reasonable security procedures and practices.” These reasonable measures must protect that information from unauthorized access, disclosure, modification or use.

The reasonableness element cuts both ways. It allows for the security measures to be commensurate with the sensitivity of the personal information and the size and sophistication of the business. However, it also means that the standard of care is not fixed in time, but rather will evolve and advance along with technology, if only to keep up with the cybercriminals.