We live under the perception that we are safe. We think that with a press of a button (well, three of them—as in 911), we can get timely help when we need it and that someone is looking out for us. But with the reduction in funding to law enforcement and ever more capable crooks, that perception is false. Whether you are in charge of security for your business or worried about your home, kids, parents, spouse or just yourself, you need to readjust your perception. We are pretty much on our own—particularly when it comes to cybercrime—and if we don’t step back and think through this, pretty soon someone we love is going to get screwed out of a lot of money, our companies’ networks will be compromised, or our own bank accounts will be made much thinner as a result.
We already knew ransomware was a growing problem last year when a large brokerage house was breached as part of a CryptoWall/CryptoLocker ransomware attack. What is fascinating about this is that we all focused on the breach, the part where customer data was sent to some unknown third party, and not on the part where the firm’s files were encrypted and locked. In short, not only was data transmitted, but the firm no longer had access to its own customer data.
This was a serious issue but at least it looked like law enforcement could do something. But apparently that was not true. This last week, police departments were hit by this class of malware; this time it was Megacode, and they had to pay a ransom to unlock their data. In this case, they paid a nominal fee of $300 to get their information back. And apparently this is happening quite often.
There was one ransomware occurrence in Maine, another in Chicago, and one in Massachusetts. And these are just those that were reported. How many thousands of cases each year don’t make the papers? Some are comparing the proliferation of these ransomware attacks to roaches on a kitchen floor at night.
Now there are several problems with this, not the least of which is the fact that they paid a ransom. The ransom may have gone to terrorists (which could violate federal law), but they had no realistic alternative path. Even worse, the ransoms may fund additional attacks. One police department’s payment may be the foundation funding for the next police department’s attack.
It’s gotten so bad that some security firms are already calling it a pandemic. But when law enforcement can’t even figure out what to do when the crime is committed against them, they’ll be no help if the crime is committed against you.
Scams have been on the rise as well. Ever since switching to AT&T, I’ve been getting an increasing number of robocalls. I expect that you, your employees and your family have been seeing the same thing. While most seem to be focused on selling me solar energy projects—which is kind of sad, given that my roof is already covered with solar energy panels—some are attempts to scam me out of money. This week, I got a call from a guy who said that he was from the U.S. Treasury, which was going to sue me for some reason. Even though I knew it was a scam, I wasted 15 minutes that I’ll never get back asking for badge numbers, supervisors and documentation when I should have just hung up on the guy.
Whether this was an attempt to get passwords, or just to get me to call a number that would have run up charges on my phone bill, I’ll never know because I did eventually hang up. But I went to the U.S. Department of Treasury, figuring I could at least report the scam artist, only to find that they are aware of the problem and have no funding to deal with it. But the sheer number of scams that they are aware of is frightening. The IRS has an even longer list of scams that they apparently aren’t doing much about either.
What You Can Do
First, you need to make sure that folks are aware of the problem. The best offense—particularly if you can’t depend on law enforcement—is a strong defense, and keeping people from installing apps or falling for scams should be far higher on the priority list than it currently is. If you or one of your employees gets caught up in a scam, it could be a career ender. Even if it isn’t, though, your co-workers likely won’t let you live it down.
Consumer Reports is actually very active in studying cybercrimes and it provides some personal advice on how to deal with at least the scam part of the problem. This includes making sure phones are on the do-not-call list, reporting incidents to the FCC, and also reporting them to the FTC. You may also want to consider institutionally supporting the consumer effort to deal with the cause of the robocall problem and at least signing the petition like I did.
There are also employee programs set up to help employees stop being part of the problem and start becoming part of the solution. One SaaS offering by Wombat Security Technologies looks particularly interesting. Dell has a program connected to its SecureWorks effort that also appears comprehensive and, besides, Dell is a much stronger brand.
Some still argue against this type of security training, suggesting that the money would be better spent on technology instead. Their argument that people still make mistakes after being trained is valid, but rather than invalidating the training, it suggests that you need to regularly test and reinforce it, or it will be a waste of money.
You also need to have policies in place in regard to what happens during and after an attack. If an employee thinks they are being phished or that they have accidentally executed a malware payload, who do they report it to, what process do they follow, and what does the person that they call do next?
Often mistakes are made because the people who know what to do aren’t engaged until it is too late for them to do anything. Making folks at least aware of who to call if they have screwed up and letting them know that it is in their best interest to make the call (and not just hope nobody finds out that they made a mistake) goes a long way toward limiting the damage. Without a policy, though, you are taking an incredible risk.
It is clear that we have little true protection against cyberthreats from either local or federal government, and this is something that the government has been lax at mitigating. We need to adjust our world view to one where we really can no longer depend on law enforcement for cybercrimes. While we can hope that this will change someday, depending on law enforcement after a cyberattack is currently a largely wasted effort. Only with a combination of policies, training and technology can you assure the safety and security of your firm, family and agency in what is becoming a very dangerous electronic world. Personally, after researching all of this, the life of a Luddite seems strangely attractive.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+.