Attacking the cloud: one silver bullet won’t fix your security

Article | By Sonia Yee, Senior IoD Writer | 26 Apr 2023 | 4 min to read

“There is an enormous amount of money flowing through the market,” says Kordia’s Peter Bailey, Cyber Security Regional Business Manager, referring to statistics released in 2020/21 on revenue from cyber crime, which exceeded a trillion US dollars over a one-year period.

“Over the last couple of years, we've started seeing cyber-attacks being a lot more organised in terms of the different ways hackers are looking to monetise them,” he says.

Cyber criminals today are strategising more carefully and looking for different ways to access cash, the main driver for the attacks.

“A lot of people still think of cyber crime as being focused on the technical aspect, but that's just the tool to get to the money. As the focus of cyber criminals becomes more financial, we're seeing their techniques and approaches change,” says Bailey.  

According to Kordia’s New Zealand Business Cyber Security Report 2023, phishing is still one of the most common forms of attack, in an environment where AI is now being used to generate authentic-looking emails targeted at staff and, in some instances, sent directly from a company CEO’s email address.

While there is greater emphasis on companies making staff aware of the risks, including learning how to spot fraudulent emails, attackers are thinking of every vulnerability that might lie within a company. And the more vulnerable, the more money there is to be made.

Businesses are increasingly moving data and applications to the cloud, and while the cloud can offer some protections, its shared security model means that it isn’t necessarily safe from attacks. With directors being pushed to increase their knowledge of tech and innovation, there is now an imperative to invest in data protection and security. But it isn’t a one-size-fits-all approach.

So who is attacking the cloud and how should a board look to mitigate risks?

“We talk about what's called ‘defense in depth’ where one silver bullet is not going to fix your security,” says Bailey, who suggests boards see it as a risk that can be mitigated - one that will always be a constant, much like health and safety. 

“You're never going to get rid of that risk completely, but you need to decide what level of risk you're willing to tolerate. And then you need to decide what you're going to put in place to mitigate it.”

For boards, that means identifying the most important asset and determining whether it is your customer data, or your portfolio of financial information.

Bailey refers to hospitals and patient data as an example of what needs to be prioritised in adding additional layers of security. He says the board should look at what the company is doing to ensure their data is protected, especially if hosted in the cloud.

The next step is to find out who the cloud service provider is and assess how well they are protected, including having an understanding of what that company will do if it is attacked to ensure the infrastructure has been set up for minimal risk. 

“Attackers might get some of the data, but not all of it. And that’s why the board should be asking questions about those main assets.”

Rather than seeing cyber security as a “one size fits all” exercise, Bailey says boards need to understand the potential impacts of a cyber attack on each part of the organisation and start prioritising layers of protection. For example, critical data or systems will need the most investment, while other areas with lower risk attached may need fewer controls, if the risk is deemed acceptable by the board.

“When there is a bigger ‘attack weapon’ boards are often blindsided because they didn't realise that kind of threat existed, and its overall impact on their business.”

This is where companies find themselves scrambling to recover.

Kordia’s report found 44% of businesses would consider paying a ransom to a cyber criminal. So how much money is likely to be demanded from companies, and who is at risk?

Bailey says that over the past few years he has seen reports of attacks in which ransoms of a few thousand dollars were demanded, with targeted businesses blackmailed via a compromised website.

“If you’re a very small company, it’s transactional,” says Bailey.

“If you’re a small independent business and you’re being asked for five grand to reinstate your website, it’s very tempting to just pay and be done with it. In fact, it might be cheaper to pay that money to a cyber criminal, rather than pay for an IT expert locally to try and reinstate your systems.

“However, we strongly advise businesses not to pay – there’s no guarantee that cyber criminals will actually stay true to their word, and if they know you’re willing to pay, they target you again.”

Bailey says more sophisticated cyber criminals targeting bigger organisations will work their way up to the millions, and cites Medibank and Optus in Australia, which experienced huge attacks with ransoms in the millions demanded in order to unlock stolen data.

“You get different groups going after different demographics. There are groups who will target smaller businesses and will treat it as quite transactional, whereas the groups going for the big money will keep pushing and pushing to try and get access to that cash,” he says.

All businesses are vulnerable

The type of threat depends on the business. For larger organisations, time and energy have been poured into crafting the attack. But SMEs and smaller one-to-two-person businesses are also vulnerable, with attackers taking a more scattered, drive-by approach.

“There are lots of different campaigns that cyber criminals might run, and if they decide to do a New Zealand campaign, they will hit as many New Zealand businesses as they can through a software-based campaign,” he says, as an example of the type of organised attacks.

Businesses of all sizes need to stay vigilant to avoid becoming a target, and that includes not running old software, not reusing passwords, and making sure staff know about phishing emails.

“It’s good basic hygiene of IT to make sure you're not the first cab off the rank because if someone's looking to do an attack, they'll move on to someone who's an easier target.”

Bailey says boards need to have a plan in place if an attack occurs, including having an expert on hand to help them through the process.

Where ransoms are concerned, the board and executive team should discuss the circumstances under which they would pay a ransom. Not feeding into criminal activity is advised, because the attackers may up the ante and demand more money.

He also emphasises the need for organisations to have a clear communications plan, rather than hiding the event, which will eventually reach the media.

“For most companies, it’s either never happened to them or has happened on the odd occasion; it can be very confronting,” says Bailey.