This blog post was originally published in 2018.
Last week I introduced you to the Millennial Mobster and talked about The Internet Age of Criminals. I explained that the typical hacker is not who our media portrays in films and on television. In fact, the global gangsters and gangs responsible for the massive crimes committed online each year run highly organized, extremely sophisticated organizations that are sometimes backed by their own foreign government.
These criminals don’t operate the way you would expect criminals to function. Instead, they behave like a sophisticated business. They are not huddled in the basement of an abandoned building; they work in well-lit buildings. They are fully functioning businesses with Human Resources, Benefits, Payroll and Customer Service departments.
Cybercriminals conduct Research and Development, and they’re continually improving and changing their techniques. So, when you compare cyber risk to the other risks impacting your organization, like fire or flood, it’s completely different. There are only a few ways that fires and floods get started. With cyber risk, things evolve virtually every day. It’s much more difficult, though not impossible, to mitigate, prevent and control. Let me tell you about another example.
A Decision You Don’t Ever Want to Face
Earlier this year, Hancock Regional Hospital in Indiana was hit with ransomware, a growing digital extortion technique used by these Millennial Mobsters. The attack left the hospital unable to keep its doors open and serve patients fully. The attackers got in through an outside vendor’s account, and the ransomware quickly infected the system, encrypting data and changing the names of more than 1,400 files to “I’m sorry.”
The CEO of the hospital had to choose whether to pay the 55 thousand dollar ransom or attempt to regain control of his computers on his own. The ransomware purveyors started off asking for 500 dollars, but the demand quickly escalated tenfold, and then a hundredfold, until it reached 55 thousand.
Hospital executives had to weigh the cost of the ransom against the cost of recovering from an attack like this, which would easily run into millions of dollars, reduce patient care, and create a logistical nightmare.
Unfortunately for our online community, the CEO decided to pay the ransom. Now, I’ve never been in a situation like this, so I hesitate to say that he was utterly wrong in every way, but to me, it was like casting 55 thousand votes for more attacks online: more attacks that cause loss of data, loss of time and money, reduced customer satisfaction, and so much more.
Cybercrime is much like the flu virus, which is constantly mutating. Each year we try our best to put a vaccine together, but that vaccine has varying efficacy. We get the flu shot knowing that we might still get the flu. We usually get the shot anyway because it’s part of staying healthy, our physical hygiene if you will.
The same holds true for our lives and business online. If we are going to defend ourselves from malicious cyber activity, we need to practice great cyber hygiene. We need to have the equivalent of a flu shot and wash our hands multiple times a day to protect ourselves from germs and to protect other people from germs.
Because cyber risks are innovating all the time, your defenses have to innovate all the time too. That means cyber risk management isn’t something you simply buy; it’s something you have to do continuously.
Next week I’ll talk about this more as we continue this series on the Anatomy of a Hack.