Cyberattacks are now a bigger risk than natural disasters, with Forbes estimating their growth at 350% year over year. Our predictions for 2021 include a greater risk for healthcare organizations as they continue to battle with COVID-19, which can cause not only ample distraction but also a potential endgame scenario where they are compelled to acquiesce with payment demands brought on by ransomware. With a number of back-office staff still working remotely, coupled with tempting objectives to force the issue such as disrupting the vaccine supply chain, expect that ransomware attacks will sharply increase due to the opportunities presented.
Opportunity is a key theme for threat actors regardless of the industry they target. While targeted attacks can and do happen, in our experience, the targeting initiative is often gained from the discovery of opportunities brought on by vulnerabilities or control weaknesses and generally bad cyber hygiene. Once the initiative is gained, they may set their sights on additional targets particularly if their reconnaissance efforts suggest a common vulnerability across multiple organizations, but it’s the initial opportunity that sets them off.
It is important to understand what motivates bad actors in the first place. This may seem obvious as their root objective is to gain. But what are they out to gain? And from whom are they setting to gain? And above all, why does it even matter? This is where the blatancy blurs into something less obvious. For instance, it’s easy to imagine that an actor would exploit a healthcare organization for a trove of privacy-related data to be sold later or a financial institution for bank account information, both of which lead directly to monetary gain. But what if I’m a simple nonprofit company that has neither to give? Does that mean I don’t have to worry about a cyberattack or consider myself a target?
Over my career, I’ve had a number of conversations with CEOs, chief financial officers, and even chief information officers who discount the cyber threat on the basis that they don’t think they have anything worth “taking.” The semantics analysis here may draw ire about nitpicking, but take is different from gain. Ransomware, on its own merits, has proven that an actor doesn’t need to take in order to gain. Yes, the take eventually comes from that situation, so let’s look at another example. Let’s say that I am a militant member of the opposite spectrum of social politics than what your organization subscribes to, and I don’t like your message. Without taking anything from you in terms of currency or commodity value, I decided that I’m going to cancel you and prevent you from carrying out that message. Yes, technically, I am taking away your platform, but more than that, I’m gaining satisfaction and I can extol my bragging rights among my circles as to what I’ve done.
Each bad actor has his or her own motivations, and those motivations are important to understand as you evaluate your risk for a cyberattack. While financial gain continues to be a key motivator, some attackers have political or personal motivations too. Therefore, anyone and any organization should consider themselves a target and take prudent measures to reduce the likelihood of occurrence.
Excluding the act of state-sponsored cyber warfare, the following summarizes the various threat actor motivations for cyberattack that should be considered as part of your risk management program:
- Street credibility. Some threat actors execute attacks purely to prove that they can do it. In August 2019, Paige Thompson “stole” consumer data from Capital One to ostensibly draw attention to herself and mental health issues.
- Hacktivism/denial of service. Hacktivists want to keep an organization from its daily operations, or communications, usually through a denial-of-service (DOS) attack. In May 2020, an anonymous attacker took down the Minneapolis Police Department’s website in support of the Black Lives Matter movement.
- Steal and use your data. Some attackers execute corporate espionage to gain market share. In July 2020, two Chinese nationals executed the theft of 11 years of intellectual property from a multitude of U.S. companies and government agencies.
- Steal and sell your data. Identities and credit cards are often sold on the dark web. In 2017, the private data of 148 million Equifax consumers was accessed by a threat actor. This was the sixth-largest data security breach in history at the time.
- Steal your central processing units and bandwidth. With the rise of cryptocurrency prices, there is an increase in cryptojacking or a bad actor may use your systems as a resource to conduct other attacks simply because he or she can. In 2019, 11 RubyGems language repositories were infected and exposed thousands of users to cryptomining code that benefited the attackers.
- Steal your money. Propagating fraud puts money directly in attackers’ pockets. In 2020, a single compromised email account of a user in the public retirement office of Puerto Rico led to a direct $2.6 million loss by redirecting payments to fraudulent accounts.
- Hold your data hostage. Ransomware and extortion are not slowing down in 2021. Between 2014 and 2020, over 100 million cases of ransomware were recorded, averaging an attack every 11 seconds, and were estimated to cost $20 billion by 2021.
- Insider threat. Employees steal important data that they have access to when moving to another company.
While each actor has different motivations, you can assume that bad actors are opportunists and will target any organization that contributes to their gain. In 2021, we expect organized crime to increase and more bad actors to find new ways to monetize their efforts.
For more 2021 cybersecurity predictions, check out our new eBook Cyber Security Predictions for 2021: Insights & Trends
Founder & Chief Customer Officer | Pondurance
Ron Pelletier is the original Founder of Pondurance, having started the company from his basement in 2008. Ron has over 25 years of cybersecurity advisory experience. He started his career as an officer in the U.S. Army, followed by nine years with Big Four firm EY. As a strong consensus builder and customer advocate, Ron is focused on evangelizing the Pondurance brand as well as customer success.