Cyber attacks are now a bigger risk than natural disasters with a Forbes estimated growth of 350% year over year. Our predictions for 2021 include a greater risk for healthcare organizations as they continue to battle with COVID-19, which can cause not only ample distraction, but also a potential endgame scenario where they are compelled to acquiesce with payment demands brought on by ransomware. With a number of back office staff still working remotely, coupled with tempting objectives to force the issue, such as disrupting the vaccine supply chain, expect that ransomware attacks will sharply increase due to the opportunities presented.
Opportunity is a key theme for threat actors regardless of the industry they target. While targeted attacks can and do happen, in our experience the targeting initiative is often gained from the discovery of opportunities brought on by vulnerabilities or control weaknesses, and generally bad cyber hygiene. Once the initiative is gained, they may set their sights on additional targets particularly if their reconnaissance efforts suggest a common vulnerability across multiple organizations, but it’s the initial opportunity that sets them off.
It is important to understand what motivates bad actors in the first place. Though this may seem obvious, as their root objective is to gain. But what are they out to gain? And from whom are they setting to gain? And above all, why does it even matter? This is where the blatancy blurs into something less obvious. For instance, it’s easy to imagine that an actor would exploit a healthcare organization for a trove of privacy-related data to be sold later, or a financial institution for bank account information, both of which lead directly to monetary gain. But what if I’m a simple non-profit company and have neither to give? Does that mean I don’t have to worry about a cyber attack nor consider myself a target?
Over my career I’ve had a number of conversations with CEOs, CFOs and even CIOs that discount the cyber threat on the basis that they don’t think they have anything worth “taking”. The semantics analysis here may draw ire about nitpicking, but take is different from gain. Ransomware, on its own merits, has proven that an actor doesn’t need to take in order to gain. Yes, the take eventually comes from that situation, so let’s look at another example. Let’s say that I am a militant member of the opposite spectrum of social politics than what your organization subscribes to, and I don’t like your message. Without taking anything from you in terms of currency or commodity value, I decide that I’m going to cancel you and prevent you from carrying that message out. Yes, technically I am “taking” away your platform, but more than that I’m gaining satisfaction and I can extol my bragging rights among my circles as to what I’ve done.
Each bad actor has their own motivations and those motivations are important to understand, as you evaluate your risk for a cyber attack. While financial gain continues to be a key motivator, some attackers have political or personal motivations too. Therefore, anyone and any organization should consider themselves a target and take prudent measures to reduce the likelihood of occurrence.
Excluding the act of state-sponsored cyber warfare, the following summarizes the various threat actor motivations for cyber attack that should be considered as part of your risk management program:
- Street credibility — Some threat actors execute attacks purely to prove that they can do it. In August 2019, Paige Thompson “stole” consumer data from Capital One to ostensibly draw attention to herself and mental health issues.
- Hacktivism / Denial of Service — Hacktivists want to keep an organization from their daily operations, or communications, usually through a Denial of Service (DOS) attack. In May 2020, an anonymous attacker took down the Minneapolis Police Department’s website in support of the Black Lives Matter movement.
- Steal & Use Your Data — Some attackers execute corporate espionage to gain market share. In July 2020, two Chinese nationals executed the theft of eleven years of intellectual property from a multitude of U.S. companies and government agencies.
- Steal & Sell Your Data — Identities and credit cards are often sold on the dark web. In 2017, the private data of 148 million Equifax consumers was accessed by a threat actor. This was the sixth largest data security breach in history at the time.
- Steal Your CPUs & Bandwidth — With the rise of cryptocurrency prices, there is an increase of cryptojacking, or a bad actor may simply use your systems as a resource to conduct other attacks simply because they can. In 2019, eleven RubyGem language repositories were infected and exposed thousands of users to cryptomining code benefiting the attackers.
- Steal Your Money — Propagating fraud puts money directly in attacker’s pockets. In 2020, a single compromised email account of a user in the public retirement office of Puerto Rico led to a direct $2.6 million loss by redirecting payments to fraudulent accounts.
- Hold Your Data Hostage — Ransomware and extortion are not slowing down in 2021. Between 2014 and 2020, over 100 million cases of ransomware were recorded, averaging an attack every 11 seconds and estimated to cost $20B by 2021.
- Insider Threat — Employees stealing important data that they have access to when moving to another company.
While each actor has different motivations, you can assume that bad actors are opportunists and will target any organization that contributes to their gain. In 2021 we expect organized crime to increase and more bad actors to find new ways to monetize their efforts.
For more 2021 cyber security predictions, check out our new eBook: Cyber Security Predictions for 2021: Insights & Trends