Owner security

Trust in old vendors crumbles as ransomware spikes

Organizations are losing faith in traditional vendors as ransomware payment requests and extortion fees rise massively and organizations become slower to detect cybersecurity incidents.

These were among the findings of CrowdStrike Global Attitude to Safety Survey, conducted by the research firm Vanson Bourne.

The study of 2,200 IT decision makers and IT security professionals found that 66% of companies surveyed had experienced at least one ransomware attack in the past 12 months and more than half (57%) of companies did not ‘had no comprehensive ransomware defense strategy in the past 12 months. place.

Ransomware demands increase

Meanwhile, the average ransom payment increased 63% in 2021 to $ 1.79 million, from $ 1.10 million in 2020.

The fact that organizations are almost universally affected by “double extortion” has further increased the financial impact of ransomware attacks on these companies.

This is when the threat actors not only demand a ransom to decrypt the data, but also threaten to disclose or sell the data unless the victims pay more money.

The survey found that almost all (96%) organizations that paid a ransom were forced to pay additional extortion fees, costing companies an average of $ 792,493.

A symptom of a bigger change

Mohit Tiwari, co-founder and CEO of Symmetry Systems, explained that a growing number of attacks is primarily a symptom of companies moving from network perimeter defenses with a spongy environment to cloud-based workloads that are open to the Internet and where small errors in even internal company applications can be magnified.

“There’s no point blaming traditional vendors – new vendors don’t have a silver bullet either,” he said. “Instead, it’s more exciting to build cloud-ready security tools with open interfaces and open assessments. “

Recent attacks such as Sunburst and Kaseya have once again brought supply chain attacks to the fore, with 45% of respondents admitting to having experienced at least one supply chain attack in the past 12 months .

More than eight in 10 respondents (84%) said they feared supply chain attacks could become one of the biggest cybersecurity threats over the next three years.

“Supply chain attacks are just one vector: cloud permissions, insider threats, and application security attacks are other vectors that have led to major incidents recently,” he said. underlined Tiwari.

The problem with processes

From the perspective of Pathlock President Kevin Dunne, more apps than ever means more data than ever before, and you can’t be everywhere at once.

“It’s harder to implement effective and consistent controls across all of these applications for critical business processes, be it cash on purchase, payroll, expense approval and reporting, etc. . ” did he declare. “Applications are being used in a way that is possible but perhaps was not intended, so it expands the security models. “

For example, the early days of the Internet saw connecting operating systems that were never designed for a large-scale network. Some of these legacy apps fit the same bill when it comes to the processes they are asked to participate in.

Additionally, transactions and business processes (internal and external) include and require a parade of applications to function properly and legacy core applications often interact with special purpose applications to move a request / transaction through a workflow.

“The remote workplace requires these processes to be performed in seemingly endless new ways – from new source locations, new devices, through on-premises applications and in the cloud,” Dunne said. “Many fear that legacy applications cannot follow this logistical gymnastics in a secure and efficient manner. “

However, all of these applications, whether old or new, require effective process controls applied to reduce the risk and the resulting anxiety.

In fact, said Dunne, the access controls / orchestration applied to these “legacy” applications is an effective way to improve the security of these applications / systems, by limiting the scope of activities, if any, which would otherwise be unavailable natively.

He pointed out that “inheritance” could be an unfortunate descriptor of “widespread use”, especially in the case of vendors like Microsoft.

“The massive global adoption of a technology vendor like Microsoft obviously leads to frequent targeting; it’s a numbers game, ”he said. “Therefore, any attack, attempted or successful, is newsworthy, contributing to negative associations.”

Presentation of the human element

Heather Paunet, senior vice president at Untangle, a comprehensive network security provider for SMBs, added that the challenge for IT professionals is to find newer technology solutions that are easy to use, fast and reliable in order that employees can activate it once and forget about it.

“Former vendors will need to develop tools that keep ease of use and user interface in mind for employees who switch between the office and the outdoors,” she said.

Paunet pointed out that remote and hybrid working introduces the human element into cybersecurity.

“The bad actors were targeting VPNs because they knew that many companies, by quickly moving their employees to a remote working environment, were using older implementations of VPN protocols with exploitable security flaws,” she explained. .

She added that many of these legacy security products are designed for IT professionals, not the average employee, making it more difficult for remote and hybrid employees to fully utilize the tool.

For example, when working from home, employees found that with older VPN technologies, their connection speeds were slower. This caused them to turn off their VPN and thus reduce security when they connected to their corporate network.

“When choosing suppliers, companies will need to be more vigilant than ever before when considering how their business might be compromised,” Paunet said. “It is also important to do a thorough review of the suppliers. Look for any past exploits, when they were detected, and how quickly a fix was developed.