McAfee has released a report that showcases a massive increase in security exposures in 2014. One of the more interesting is ransomware, and this risk also suggests bigger problems with digital currency. This is thanks to virtual currency, which McAfee argues will be at the core of these attacks. Ransomware is software the user is tricked into installing to address a security problem that then takes control of a system, disabling part or all of it until the firm that has released the product is paid a ransom. While McAfee is focused on system security, its prognosis suggests kidnappings and blackmail will also increase sharply for much the same reason.
The anonymity of virtual currencies protects those in illegal businesses. In fact, I think this currency should also increase employee theft, shoplifting and burglary for the same reasons. Given that Bitcoin is already being used to fund assassinations, this trend suggests that many digital currencies aren’t long for this world (governments tend to respond poorly to anything that dramatically increases the chance a politician will get shot). It also suggests that you’ll need to prep for a sharp increase in crimes against the company.
What Changed with Digital Currency
The typical difficulty with blackmail, kidnappings or theft is how to get paid without getting caught. Electronic transactions can be traced, and even the most secure organization, as we’ve seen from the NSA leaks, can be breached. Cash has to be laundered and casual criminals generally don’t have the resources to fence the goods or protect themselves against being caught, largely because most currencies can eventually be traced.
However, virtual currencies are (or were) untraceable. Even if that may no longer be true, the belief is already making folks far more bold in their criminal activities than they otherwise would be. Because currencies like Bitcoin naturally appeal more to techies and not traditional criminals, at least so far, the most likely attack vectors are electronic, which probably goes to why McAfee focused on ransomware.
Why IT Needs an Action Plan
The exposure is twofold. First, the likely initial increase in attacks will focus on IT’s protected assets, and the likely attackers will be people who are, or have been, connected in some way to IT. The likelihood that a current or ex-IT employee could be at the center of the attack raises the profile for the exposure far higher for the IT executive than other attacks typically would. As a result, IT should review its processes and ensure they are adequate to this kind of a threat.
Suggested Changes
Employees should be reminded to not install anything on a company machine that hasn’t been approved and vetted. Part of this reminder should be a review of ransomware and the risks connected to it. Data monitoring should be tightened. Executives should be reminded that blackmail is likely to increase and they should be encouraged not to do anything they could be blackmailed for because electronic tracking has also improved sharply.
Layoffs and firings should occur without warning and the affected employees should immediately have their access revoked and be walked off the company site so they don’t express their dissatisfaction with theft (or violence). You might also consider warning employees that any event involving virtual currency and the employee could lead to investigation and/or termination. In fact, given the connection between digital currency and illegal activity, employees using the currency could find themselves under investigation through other avenues, which could make it a problem if they needed security clearances or were seeking preferred TSA status anyway.
Wrapping Up: Death of Digital Currency?
Until a digital currency is backed by a substantial government, it has a high risk of being killed as a funding mechanism. However, given that it is being used for activities that could hurt or implicate IT, policies likely should be changed to prevent this damage and to keep employees from being tempted or falsely implicated. It is becoming a career killer but far from the only new risk you’ll have to face in 2014. McAfee’s report is only the tip of the iceberg. I expect 2014 will bring a number of surprises in security and that’s never a good thing.