Pull no punches against the ransomware gang
PA Consulting’s cyber security expert, Budgie Dhanda, discusses the surge in ransomware attacks and how the cyber security sector can fight back.
The article discusses how ransomware attacks are growing in both frequency and seriousness, and how big breaches, such as Kaseya’s in July, are becoming a concern for the UK.
Budgie says that big players assume there’s always somebody trying to get into their network, so they maintain a high level of vigilance and enforce good cyber hygiene. But both vigilance and hygiene tend to diminish the further down the supply chain you look.
Attacks come from many directions. Some individuals see gaining unauthorised access as a challenge; attacks with criminal purpose “will always be there.”
Budgie explains: “What we’re seeing is criminals setting up as full-blown businesses in an industry where you can find someone to produce specific malware, or bespoke denial-of-service attacks if you know where to go on the ‘dark web’.”
He goes on to say that state actors sometimes have their own resources, but many also use criminal groups, where political and commercial aims overlap.
Budgie adds that tools to protect people “are getting better and more sophisticated, but it will always be a cat-and-mouse game. New vectors will almost certainly rise.”
Primes and large tier-1s will normally spell out in contracts the measures they require of supply chains to protect their entire ecosystems. In Budgie’s view, this could unwittingly expose vulnerabilities.
“There’s a good chance the lawyers drawing up the contracts won’t fully understand cybersecurity – certainly not the current risks. So, even if a supplier has met every condition in their commercial agreement, a business could still be exposed.
“Launching one of these attacks is less dangerous than robbing a bank and simpler.”
Budgie agrees with the advice never to pay a ransom. There’s no guarantee you’ll get your data back; you’re dealing with criminals, after all.
However, he adds, they usually keep their end of the bargain because – perverse though it may be – purveyors of malware have reputations to uphold, too, and reneging on a contract can be bad for business.
How to build cyber resilience
According to Budgie, the defence and security landscape is “dominated by SMEs, many of whom don’t know what good cyber hygiene is. But it’s not difficult and there is a lot of good advice out there.”
In his experience, many SMEs feel they don’t have the time or resources to invest in cyber security, or fear what they’ll find – and the cost of fixing it.
“A lot of it is basic stuff,” he says, starting with an up-to-date antivirus and regular backups.
Password security is another widely recognised element: “A few years ago, we were told to change passwords every few days. That may have generated more uncertainty and made the advice less likely to be followed.
“Today, off-the-shelf password managers will do the job for you.”
The article concludes by saying that teams at firms such as PA Consulting can help you prepare and exercise for an attack, addressing any gaps that such preparation highlights and so making you more resilient.